Smart TV boffins hit the Red Button, trigger mayhem

The standards body behind a broadband-powered television system has downplayed talk of dramatic attacks on the security of tens of thousands of smart TVs. Top boffins at Columbia University's Network Security Lab say the "Red Button" exploit could involve drones and roof-mounted aerials deployed to silently target tellies, …

COMMENTS

This topic is closed for new posts.
  1. Busby

    Until someone manages to create a botnet of TVs mining for digital currency I don't see the issue.

    That's assuming most people are like me and have completely ignored all the "smart" features of the TV hence no data to harvest.

    As it's unlikely hacks will yield anything useful such as bank log in details what's the point in targeting TVs?

    1. Barry Tabrah

      Smart TVs don't need smart users

      Just because Smart TVs aren't configured by the user doesn't mean that they can't be reconfigured by a malicious source. This article demonstrates an industry more focused on profit than security, with a disregard for any security issues that would cause them to spend money to fix.

      The less educated the end user is about the devices they are using like Smart TVs, the more likely they are to miss any malicious activity before it's too late.

      And with the tendency moving towards activating these features out of the box there's going to be a lot of features turned on that most users don't even know about.

    2. adnim

      Most people are not like you

      They are consumers and love newfangled toys... "Look I got farcebook on my TV" and why should I get up off my ass and power up another device to buy product online or access a bank account when this remote thingy is already in my hand? People will use TVs to access the Internet.

      I am like you, I will never use a smart TV to access the Internet, not because I don't trust them, which I don't. It's because I don't need one, I don't have one and I don't want one. I expect that I am in a minority.

      I won't connect a device to my LAN if I cannot get to the underlying OS of the device and control ingress, egress to and from that device. I expect all devices to be set up for convenience first with security as an afterthought. Am I paranoid? I was beginning to think so several years ago but the simple fact is if one doesn't control what the Internet connected devices one uses are doing or talking to, who does? And can they be trusted?

      I consider smart Internet TVs as a beachhead to one's home network. A point of entry whereby the local network's whole IP space can be accessed. They are computers not just TVs. Consumers see a simple and easy way to watch video streaming services, browse the Internet and buy stuff.

      1. gv

        Re: Most people are not like you

        I feel the same way, which is why I would put it into its own sandbox network with no access to my intranet.

        1. ElReg!comments!Pierre

          Re: Most people are not like you

          In a similar* vein, the "smart" in my TV is a Raspberry Pi hooked up on an unconnected viewing device (in my case a projector, but could be a flat panel or whatever else can take video input). No "black box" firmware -or software- with flaky security.

          *but much more fun, if you ask me

      2. Dan 55 Silver badge

        Re: Most people are not like you

        Considering that some LGs were caught connecting to network shares on the LAN, reading directories, and uploading the file list to the mothership then it's probably not paranoid to isolate a smart TV from everything else. In general TV manufacturers (or the megacorp's TV manufacturing division) are pretty new to this computing and network security business.

  2. Matt Bryant Silver badge
    WTF?

    Overpower broadcast signal?

    ".....drones and roof-mounted aerials deployed to silently target broadcasting towers...." OK, so how does that work? Does the drone have to have such a powerful transmitter that it can swamp out the signal from the transmitter? That wouldn't be a drone, it would be a large helicopter! And how does that help with cable services that don't use a radio or satellite signal? Sounds a bit scaremongery to me, TBH.

    1. Phil O'Sophical Silver badge

      Re: Overpower broadcast signal?

      You wouldn't have to overpower an existing signal, most digital TV systems are watching for new channels, and will pop up a "new channels found" box when they see one. You can usually turn it off, but by default it's on. Call it "free porn" or "lottery channel" and there'll always be someone who'll switch to it, just to see what it is. That would be enough to download & run an embedded app. Cable systems would require injection into a head-end somewhere, but that's unlikely to be too difficult.

      1. mRtIN

        Re: Overpower broadcast signal?

        I have a few of these 'smart' TVs. None of them scans for channels automatically, although being in a low signal area the methods described in the paper are quite alarming. I am somewhat concerned with the security of them though, I have them on a separate network within my home, I would hope that's enough to keep my sh*t secure...

    2. Vic

      Re: Overpower broadcast signal?

      Does the drone have to have such a powerful transmitter that it can swamp out the signal from the transmitter?

      Given the 1/r^2 nature of broadcast TV, that's not actually that much power from close range - particularly if your transmitting antenna is not omnidirectional.

      Vic.

    3. Kumar2012

      Re: Overpower broadcast signal?

      Have you ever driven by another car whose occupants are using one of those old school FM tuned music players? You happen to be on the same station that they have their player set to...well it doesn't take much for that little player to briefly overwhelm the actual broadcast signal and I start hearing whatever they are listening to in the car next to me. Same concept here, the drone will be closer and therefore a weaker signal is more than sufficient to drown out the one from the broadcast tower.

  3. Bronek Kozicki
    Joke

    the service went ...

    tits up

  4. dan1980

    The problem behind this and pretty much every similar vulnerability is that industry pushes full steam ahead with anything they think will bring in the dollars but, as they care not a fig for their consumers, they would much rather get their products to market (and bringing in revenue) quickly than ensure that their valued customers are secure.

    The reason they are allowed to push ahead with so little concern is that every time someone floats the idea of regulations, these companies make sure they never come to pass. Whether it's impassioned pleas of not blocking innovation and thereby stifling the economy, handwringing over the terrible burdens that will of course result in higher prices for the dear consumer or good old-fashioned crossed-finger promises propped-up by outright lies - one way or another, proposed measures to force them to respect their customers end up shelved.

    And so you have 'Smart' TVs shipped with cheesecloths for network protection, Blu-Ray players built on old versions of Java, fridges running un-patched installs of PHP and NAS boxes sporting 6-year-old Samba. You've got routers where the company with their name on the box has never even seen the source code, internet-accessible home automation systems that don't force you to change the default login and baby monitors that don't auto-apply important firmware updates.

    The 'Internet of Things' indeed. Fucking nightmare waiting to happen if you ask me.

    1. Phil O'Sophical Silver badge

      The 'Internet of Things' indeed. Fucking nightmare waiting to happen if you ask me.

      The only possible saving grace is that when TVs get infected due to poor security, the resultant class action suit could have millions of adherents. At even $100/head that should make the suppliers take notice.

  5. IglooDude
    Joke

    And suddenly, the folks trying to shoot down drones with rifles and shotguns go from "whackjob tinfoil hat types" to "networking enthusiasts pursuing proactive layered defense strategies".

    1. Anonymous Coward

      Rifles, shotguns? No, I can do better than that. Literally all the pieces are there in the maker movement.

      I still like the notion of Amazon drones being skeet with prizes.

  6. Anonymous Coward
    Unhappy

    Well then..

    So nice to know, but what is the solution for those who want to use these things? Security Apps? router fire-wall? Amazon takeover?

    Security by not-using-anything is sooo depressing.

  7. Bob H

    These TVs haven't been hacked, some researchers have created an unlikely amplification attack which relies on a series of unlikely events.

    1) TVs don't retune to signals which aren't signalled by the existing broadcast data tables. 'New channels available' is usually when the TV notices a change in the BAT.

    2) If they swamped out an existing multiplex they would have to do a MitM attack involving receiving the existing signal, altering and rebroadcasting it (without creating a feedback loop).

    3) The transmissions would have to be powerful and virtually undistorted without saturating the receiver. This is very difficult and I am told by a reliable party that the '$200' modulator they talk about has poor noise and distortion (amplification of it sucks).

    4) The only result is that you can send traffic to known targets, you might use it for amplification in a DDoS but the impact will be minimal.

    5) The viewer would have to tolerate the disruption and wrong time/event or black screen.

    A vulnerability perhaps, a serious issue requiring every news agency in the world to proclaim a vast hole in every hybrid TV? No. Wish I had the time to show why this is impractical, but paid work prevails.

  8. KrisM

    Sooo, if you don't plug your new Smart TV into an aerial and instead use SKY or Virgin (but TV is plugged into your network), then you're safe?

    Important to know as hopefully getting my first smart(ish?) TV in the next week or so...

    1. Jamie Jones Silver badge

      ... depends upon how much you trust the TV makers (through either intentional maneuvering or buggy code)

      If I had a home network I considered secure, I'd sandbox/firewall any foreign device that uses it. If it was just a consumer network, then meh - most potential abuses I see are going to be distributed attacks/spamming the internet not the local network. Besides, I use ssh and secure setup on my local lan too!
