Zero Day Hole In Samsung Smart TVs Could Have TV Watching You
chicksdaddy writes with news of a remote exploit in Samsung Smart TVs, and a warning for those who got one with a built-in camera. From the article: "The company that made headlines in October for publicizing zero day holes in SCADA products now says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners' social media credentials and even to spy on those watching the TV using built-in video cameras and microphones. In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown ('zero day') hole affects Samsung Smart TVs running the latest version of the company's Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in an Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving a remote attacker the ability to spy on those viewing a compromised set."
In before Soviet Russia jokes (Score:4, Informative)
Re: (Score:3)
And 1984 was 28 years ago.
Re: (Score:3)
Re: (Score:3)
Re: (Score:3)
What do you mean? Ghostbusters was out in 1984. Or were you in Russia and it didn't get there for a year?
Re:In before Soviet Russia jokes (Score:5, Informative)
Actually, that 1984 happens in 1984 is a common misconception.
1984 is the year Winston writes in the first diary entry, but he isn't completely certain that that year is accurate.
"He sat back. A sense of complete helplessness had descended upon him. To begin with, he did not know with any certainty that this was 1984. It must be round about that date, since he was fairly sure that his age was thirty-nine, and he believed that he had been born in 1944 or 1945; but it was never possible nowadays to pin down any date within a year or two."
Yes, but .... (Score:5, Funny)
Re: (Score:2)
Well, yeah, we don't need no facts because Slashdot.
Watching people watch TV? (Score:2)
Down at the Twist and Shout (Score:2)
Being a KGB agent must be awfully boring these days.
Yeah, it seems that everyone in the KGB is already someone's 2-step partner by now [kissthisguy.com].
So basically (Score:2)
Re: (Score:2)
If someone wants to know if I'm home, they can peek through the curtains and determine if that's really me dancing in the living room, or if it's a cardboard cutout moving around on a toy train. Or maybe they can just notice that there are no cars and the lights haven't changed for a while.
Re: (Score:2)
Standby != Off.
To be fair I haven't read the article and don't know the details of the exploit, but if the TV can be connected to remotely I wager it has some sort of 'Wake on activity' function as well.
TVs that lose their memory after a power outage (Score:2)
I think the GP might have a strip to shut off all power to all devices connected
Unless the TV is misdesigned such that it needs to rescan channels after a power outage.
Re: (Score:2)
It's Samsung, so it is probably misdesigned in some other fashion
(e.g. our Samsung media player cannot play video recorded with our Samsung camera).
Call me dumb but (Score:2, Interesting)
Why in the name of god would any TV have a camera and/or a microphone?
Re:Call me dumb but (Score:4, Insightful)
Because it would be really hard to use skype without them?
Video Chat (Score:5, Informative)
Re: (Score:2)
Since 90% of users use Skype for that purpose.
Re: (Score:2)
Re: (Score:2)
live porn.
This proves the evils of capitalism (Score:2, Funny)
Samdung has intentionally put this "feature" into the idiot boxes commonly known as TVs. They want to track the sheeple to sell to advertisers so they can eventually receive a larger profit. Capitalism is all about maximizing profit at the expense of the weak. The solution to all of this is simple, communism. Since there is no profit involved in communism there is no motive for spyware to be added to anything.
Re: (Score:2)
So you think I'm blonde, eh?
Comment removed (Score:4, Funny)
Re: (Score:2)
That only muffles the built-in microphone a little bit. Most of the sound still gets through. Or did I miss part of your plan?
Re: (Score:2)
What about mic(rophone)s?
Could Be (Score:2)
Is this a feature brought to us by the wonderful engineers at the NSA?
Galactica (Score:3)
Adama snarls "There will be no networked computers on this ship while I'm still in command" or words to that effect
Another reason to own a dumb TV (Score:4, Insightful)
Am I the only one who prefers "dumb" TVs anymore? (Score:5, Insightful)
Re: (Score:2)
Just give me a basic 42-50 inch monitor with speakers, a few HDMI ports and an ATSC tuner.
This, this, this.
Hell, you can even keep the crappy speakers, I have surround sound.
Re: (Score:2)
And you can keep the ATSC tuner, as well. I just want what amounts to a gigantic computer monitor.
Re: (Score:3)
Completely agreed. For the last 10 years or so, my 'TV' is basically functioning as a dumb monitor.
The speakers are permanently muted, and it's just displaying whatever my amplifier is telling it to. It doesn't change channels, it just displays an image as sent to it via a single HDMI cable.
It's not downloading from netflix, it's not getting me weather updates, and I'm not surfing the web with it. I simply don't see
Re: (Score:2)
To this I would add: act as a pure computer monitor. When I hook up a computer to a TV via a DVI-to-HDMI cable and it looks like crap because of overscan [dreamwidth.org] I get all stabby.
But other than that, yeah, make it as dumb as possible. My parents' TVs lasted DECADES. I don't want to have to get a new one every five years because DivX/Zune Store/PlaysForSure*/Hulu/Netflix is gone.
* best. name. ever.
Re: (Score:2)
Skip the speakers and the tuner. I can put a tuner in my PC, and I can hook my HiFi up to my sound card with SPDIF. Hell, you can skip the HDMI and just use DVI for all I care.
Re: (Score:2)
I miss the days when a TV was just a TV, and phones were just phones (and cars were just cars..... etc etc etc)
Re: (Score:2)
Re: (Score:3)
In a way, it makes sense. If you take apart a rear projection or LCD HDTV, you'll find
Re: (Score:2)
Re: (Score:2)
Which they will hopelessly break in a firmware update six months later and then will never get around to fixing before they EOL the product.
TV and Blu-Ray player vendors are truly at the bottom of the barrel when it comes to writing software. To be fair, they always have been, but it just didn't matter as much when devices were dumb as dirt.
Called It! (Score:2)
Re: (Score:2)
I don't remember seeing your earlier post the first time around, but coincidentally I was in the electronics store just yesterday, and I saw one of these Samsung TVs with the marketing junk covered with stuff about the integrated camera/mic. I actually joked with the guy from the store that Samsung had imported someone from north of the border who still thought 1984 was a reference manual. And then today I log onto Slashdot and find this...
'Smart' devices ... (Score:4, Insightful)
I've always been leery about everything wanting to have internet access.
Partly because I don't see any benefit from the features of having my TV connect to the internet, and partly because I don't trust that vendors have any clue about security.
If you're going to run things like this, you should definitely have a firewall to keep the outside world at bay. The fact that Samsung has no fix for this tells me there's probably loads of devices like this which will prove to be insecure.
I've never even plugged my Blu Ray player into the network, and I'm getting close to the point of disconnecting my XBox from the network because I don't use any of the on-line features and the ads which have started showing up in games is annoying.
If you need an internet connection for me to play a game on a console ... well, I simply won't buy your product. And I didn't buy the box to be marketed to.
Re: (Score:2)
Re: (Score:2)
To give an idea of how ridiculous this is, there are currently web-enabled toasters that allow you to take an image off the Internet and burn it into a piece of toast. I'm glad that I'm not the only one thinking "Why would you ever remotely want to do that?" rather than "Cool, I can put pictures on toast!"
Re: (Score:2)
LOL, but if you burn an image of Jesus or The Virgin Mary [bbc.co.uk] onto toast you can sell it for a fortune, right?
But, yes, a web-enabled toaster sounds monumentally pointless. As would a fridge, a toilet, a chair, or my stove.
At a certain point, this is just adding internet support for the sake of saying you have it. I'm sure someone out there is going "ZOMG, but it's an internet enabled toaster", and they can spend their money on it -- I on the other hand will stick with the boring old toaster I have now, it ev
Porn anyone? (Score:2)
A word to the wise: (Score:2)
Re: (Score:2)
A modern TV is just a big computer monitor.
Many people even have computers attached to them. For those less technically inclined I could see something like this being convenient. Why would I not want to use my nice big TV and sit in the comfort of the couch with my family while we skype with friends and relatives in other locations?
Re: (Score:2)
A modern TV is just a big computer monitor.
With poor resolution and a crap computer permanently attached to it.
Re: (Score:2)
Most Computer monitors these days max out at 1920x1080 which is the same as my TV, TVs go up to 4k. I was not aware my custom HTPC was a crap computer. Is a Core 2 quad not enough, should I go get an i7?
Re: (Score:3)
Most Computer monitors these days max out at 1920x1080
No, those are TVs rebranded as monitors.
Re: (Score:2)
Not at all true. The panels I am speaking about are meant for use as computer monitors only.
Even if they were TV panels, they are the vast majority of computer monitors.
Big ugly tower (Score:2)
Why would I not want to use my nice big TV and sit in the comfort of the couch with my family while we skype with friends and relatives in other locations?
You might want to use it, but most people aren't Slashdot-reading geeks. I'm told most people don't want a big ugly tower in the living room, a keyboard and mouse that you need to put on a TV tray to launch anything, and all the complexity of maintaining a PC.
Re: (Score:2)
There is no visible tower in my living room. Nor keyboard and mouse, and surely no TV trays. I was not aware that running updates when it asks for it was complex.
Of course you could just buy those SmartTVs this article talks about if you are so inclined. Some of my relatives do that.
Re: (Score:2)
I have a computer in an HTPC case in the entertainment center - looks just like the amplifier near it. I use a remote control for almost everything. Once in a while, I get out the mouse and keyboards for maintenance.
But everything - even launching and exiting emulators is done by remote control. Then the wireless controllers are used for playing the emulated games.
Re: (Score:2)
Don't bother, tepples will just say "most people" would be confused by an amplifier or a remote with more than 4 buttons or some other silly thing.
If your solution is not suitable for a drooling moron he will complain.
If you have a smartphone, doing without mouse and keyboard even for maintenance is easy.
HTPCs are underpromoted (Score:2)
Don't bother, tepples will just say "most people" would be confused by an amplifier or a remote with more than 4 buttons or some other silly thing.
True, some people are confused by a remote with more than four buttons, but most people aren't. My point is that most people are unaware of the home theater PC use case because neither TV commercials nor major brick-and-mortar PC sellers promote it. I don't see bundles of a PC and an affordable remote control advertised. I went into a Best Buy, asked about home theater PCs, and was told a PlayStation 3 console was a better choice for home entertainment on a TV monitor. This underpromotion has led t
Re: (Score:2)
Just make it pretty. I'm planning a new gaming PC for the living room to intimidate the X360 and PS3, and it's going to have all sorts of LED lighting crap in it. It'll look like Christmas every day! Ah, the advantages of being an unloved misanthrope who lives alone! :-)
I'm an odd duck in that I feel KB and mouse are more *accurate*, but I find a dual analog controller more *fun*, so I can just go with my existing X360 controllers. There's menu programs for launching games. Maintaining is no worse than any
Re:The end (Score:5, Insightful)
The main problem with 'smart' TVs is that you end up with a TV that (barring ghastly shoddiness) will last for several years; but the 'smart' part of it will be lucky to receive a firmware update or two, generally delivered by a team of crack programmers whose previous job was providing horribly malformed DDC information...
If it's a discrete computer, or some dinky Roku stick or whatever, you can upgrade it when the streaming service of the month goes out of business, or the manufacturer loses interest in you.
Re: (Score:2)
I totally agree and that is why I do have an HTPC.
Some folks do not want to go through that little bit of work.
Re: (Score:3)
I can definitely understand the HTPC-is-too-much-work position (especially since prebuilt options are rather thin on the ground), I'm just struck by how dire the shit baked in to TVs is even compared to the little $50-$100 puck appliances and streaming boxes.
In magical pony fantasyland, it'd be nice if the TV people could standardize an 'appliance socket' that provides, say, an HDMI port with CEC and a specified amount of power to work with in a defined slide-in chassis size. Then you could still replace the
Re: (Score:2)
There are now Android PCs that sit in the HDMI socket. I prefer something more akin to a regular computer so Hulu and their ilk don't deny my ability to play their media because I am using a TV.
Re: (Score:2)
That's not a smart TV issue. The idea of a Smart TV is a good one. It's a support issue.
Re: (Score:2)
Which is the only way I see Apple doing well with this.
They can sell the iPad guts hooked to a 55" display and call it iTV. So long as they leave the guts largely the same support costs are not as much of an issue.
TVs have been such a race to the bottom that there is no money to pay for updates built into their prices.
Re: (Score:2)
It's not even the less technically inclined who want it. I would rather have a tv that can do this than a computer whirring away in my living room as it doesn't go with the decor.
I am running 9 full-blown computers of various OS in the house (4 in a VM Lab)
Re: (Score:2)
You could go silent and hide it or, since you already have 9 computers just get a nice long HDMI cable.
Re: (Score:2)
So you bought a crappy TV/Monitor, what does that have to do with it?
But you have to manage updates, these things are for people that do not want to do that.
I also manage them myself, but many older folks refuse to learn about anything invented after the VHS.
Re: (Score:2)
You can probably turn the overscan off....
Re: (Score:2)
TV is dying, being replaced by computers (I'm including phones that are basically small computers)/the internet as the main source of entertainment. People want streaming, interactiveness, to not have to buy separate devices to do things that can easily be done on one device. (Instead, they want to keep buying the new version of that one device.) Very few people of the main electronics buying ages w
Re: (Score:2)
Not happening fast enough, though. I don't even watch a lot of stuff, but I need basic satellite with Tivo, iTunes, and Netflix streaming with 1 DVD out at a time to watch what I want when I want it. If someone could get everything into one account and one interface and 100% streamed I'd be ecstatic.
Re: (Score:2)
Computers generally have a light associated with the webcam that cannot be disabled through software or firmware. And computers tend to be used actively. TVs tend to be used passively, so a light might not be enough to get your attention. Also, webcams on computers are at least moderately useful. Webcams on TVs are not, unless you want to be tethered to a single room while using video chat or some
Re: (Score:2)
Re: (Score:3)
Except well, computers are hard. This you can get your grandparents as a gift, then gather the family around the TV to say hello (rather than a cramped laptop where no one can fit their head entirely in the sc
Re: (Score:2)
These TVs aren't for just face chatting between people, but for families to chat with each other, or for more well, dramatic chats between people.
[ ... Imagining several families/people I know ... ]
Please don't say "porn"... please don't say "porn"...
Re: (Score:2)
Thanks for telling us how to live...jack ass.
oh, and use a 'real' computer. wtf is that, your majesty?
Dick.
Re: (Score:2)
Nothing a little epoxy, wire cutters, and/or a Dremel can't solve.
Or if you don't want to lower the resale value, insist on buying a TV with an external microphone jack that is hardware-switched. Plug in a dummy plug. Attach electric tape over the camera.
Re: (Score:2)
Re: (Score:2)
No Windows or Macs in my house, and wireless is on its own separate net. The internet goes through a Sonicwall. They're full of crap if they think they're going to get anything out of my TV without physically breaking into the house.
Re: (Score:2)
I see posts like that, it makes me pine for the days when I did security work. I would hear shit like that from people in all kinds of environments. Then hand them a stack of account numbers, or a video of my updating their firmware version from my car.
Re:D'oh! (Score:5, Insightful)
Black tape. Try finding a zero day hole in that biatch!
Re:D'oh! (Score:5, Funny)
According to Slashdot, security through obscurity doesn't work!
Re:D'oh! (Score:4, Informative)
"More critically: there is no software update capability, meaning that the exploitable hole can’t be patched without “voiding the device’s warranty and using other exploits,” ReVuln said."
Re: (Score:2)
Nice misquote. Here is what he actually said.
More critically: there is no independent software update capability, meaning that, barring a firmware update from Samsung, the exploitable hole can’t be patched without “voiding the device’s warranty and using other exploits,” ReVuln said.
In other words, there is a software update capability, it's just not an independent one (whatever that means).
Re: (Score:2)
How the hell they gonna fix this? Can you download patches into your TV?
Of course you can. Either directly (if connected to the network) or by copying the necessary files on a USB stick and plugging that into the TV.
Re: (Score:2)
I doubt very much if Samsungs can download patches for the OS itself. They do routinely download new app versions.
Re:the software is open source (Score:4, Insightful)
"It's open source, just patch it yourself."
If there ever was a sentence to describe the elitist attitude of open-source nerds, this is it.
Re: (Score:2, Troll)
> "It's open source, just patch it yourself."
>
> If there ever was a sentence to describe the elitist attitude of open-source nerds, this is it.
If ever there was a post to capture the hubris of those who do not understand that we all must take control of our own information flows or be subjugated, this is it.
Useless advice (Score:2)
"It's open source, just patch it yourself."
If you can patch the code yourself, there is probably a high chance nobody wants to watch you watching TV in your underwear anyway.
Re: (Score:3)
just patch it yourself
all the smart TVs I've seen, the smart part of the TV runs open source software
All the cars I've seen, the car parts are "open source."
Just repair it yourself.
See the logical flaw in your reasoning yet?
Re: (Score:2)
Re: (Score:2)
You're not fixing the engineering behind it, you're replacing a defective part, dummy!
A) Coding != Engineering. Otherwise CIS degrees would have an "E" in there somewhere. Not to mention, if patching defective code is not analogous to replacing defective car parts, I don't know what analogous is (Hint: I do).
B) Even if coding did == engineering, that doesn't fix the logical flaw in OP's reasoning. Heck, if anything, it makes him seem that much more of an elitist prick, expecting everyone who owns a TV to understand how it's engineered.
3) As a professionally trained mechanic with 20 y
Re: (Score:2)
Tivoized or not?
Re: (Score:2)
There's a problem with their printers as well
http://www.computerworld.com/s/article/9234079/Samsung_printers_contain_hardcoded_backdoor_account_US_CERT_warns [computerworld.com]
Re: (Score:3)
"you deserve what you get."
No. That is a crappy attitude. You deserve to live in a world where you don't have to worry about it. You deserve to live in a world where you can leave your windows open.
You are making it the victim's fault. Stop it.
Re: (Score:2)
Not only is your point entirely fair, but the GP post was optimistic anyway. If this device is network enabled for legitimate reasons (streaming catch-up TV services, say) but also phones home for firmware updates and/or permits installable apps that actually change the software running internally, that's going to be non-trivial to firewall against abuse even if you have some idea what you're doing.
Put me in the camp that wants a TV to be a TV, without including an ad hoc, informally-specified, bug-ridden,
Re:It was built this way, really... (Score:4, Insightful)
I read it that way initially and nearly wrote off the comment, but then I thought about it further. TVs could contain cable modems, but it isn't necessary. They're decoding digital data streams all day. Half the buffer overflow exploits I've seen in the past few years have involved image/video decompression, usually in the area of embedded tag parsing or some other similarly esoteric bit of functionality. Within a DVB bitstream, you have lots of side channels for things like program listings, CC data, etc. Any code that works with any of those pieces of data could contain bugs. And then some portion of your TV is 0wn3d.
Although the notion that such backdoors are intentional seems a little paranoid, the GP actually makes a good point about TVs being complex digital devices with no real firewall between them and potentially malicious data streams. The fact that there's no middleman for the malicious data—anybody anywhere on your local loop could potentially overpower the legitimate data and provide malicious data in its place—is just the icing on the cake.
That said, attacking smart TVs over the Internet (after exploiting bugs in the firewall) is probably a more straightforward attack approach. Network-attached smart TVs with cameras and any sort of network connectivity are pretty much a porno video waiting to happen. Anybody who says otherwise is kidding him/herself.
Re: (Score:2)
What other frequencies? I'm talking about data embedded in the channel you are watching.
When your TV decodes a digital bitstream for a particular channel, that data stream contains many unrelated pieces of data multiplexed together. A single ATSC stream for channel 7, for example, might contain video streams for subchannels 7.1 and 7.2 (each of which contains closed-captioning data), three audio-only streams, a stream containing guide data about upcoming programming, etc.
So what happens when somebody cap
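An added illustration, not code from the thread or from any TV firmware, of the parsing risk the two comments above describe: a tuner receives 188-byte MPEG transport stream packets multiplexed by PID, and each table section carries its own sender-supplied length fields. The function and type names are hypothetical, the sample packet is constructed, and only the part of a section present in a single packet is handled (no cross-packet reassembly).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TS_PACKET_SIZE 188u
#define TS_SYNC_BYTE   0x47u
enum ts_status { TS_OK, TS_BAD_PACKET, TS_NO_SECTION_START, TS_TRUNCATED, TS_SPANS_PACKETS };

struct ts_section {
    uint16_t pid;           /* which multiplexed stream the packet belongs to */
    uint8_t table_id;
    uint16_t declared_len;  /* section_length as claimed by the sender */
    const uint8_t *body;    /* first byte after section_length, inside pkt */
    size_t avail;           /* body bytes that really exist in this packet */
};

/* Every length field is untrusted and is checked against the bytes left. */
enum ts_status ts_parse_section(const uint8_t *pkt, size_t len, struct ts_section *out)
{
    memset(out, 0, sizeof *out);
    if (pkt == NULL || len != TS_PACKET_SIZE || pkt[0] != TS_SYNC_BYTE) return TS_BAD_PACKET;
    out->pid = (uint16_t)(((pkt[1] & 0x1Fu) << 8) | pkt[2]);
    unsigned pusi = (pkt[1] >> 6) & 1u;   /* payload_unit_start_indicator */
    unsigned afc = (pkt[3] >> 4) & 3u;    /* adaptation_field_control */
    if (!(afc & 1u) || !pusi) return TS_NO_SECTION_START;
    size_t off = 4;
    if (afc & 2u) {                       /* skip the adaptation field */
        size_t af_len = pkt[off];
        if (af_len > TS_PACKET_SIZE - off - 1) return TS_TRUNCATED;
        off += 1 + af_len;
    }
    if (off >= TS_PACKET_SIZE) return TS_TRUNCATED;
    size_t pointer = pkt[off++];          /* pointer_field */
    if (pointer > TS_PACKET_SIZE - off) return TS_TRUNCATED;
    off += pointer;
    if (TS_PACKET_SIZE - off < 3) return TS_TRUNCATED;
    out->table_id = pkt[off];
    out->declared_len = (uint16_t)(((pkt[off + 1] & 0x0Fu) << 8) | pkt[off + 2]);
    off += 3;
    out->body = pkt + off;
    out->avail = TS_PACKET_SIZE - off;
    /* A section may continue in later packets; never read declared_len bytes here. */
    if (out->declared_len > out->avail) return TS_SPANS_PACKETS;
    out->avail = out->declared_len;
    return TS_OK;
}

/* Copy into a fixed buffer, bounded by the data present and by dst_cap. */
long ts_copy_section(const struct ts_section *s, uint8_t *dst, size_t dst_cap)
{
    if (s->body == NULL || s->avail > dst_cap) return -1;
    memcpy(dst, s->body, s->avail);
    return (long)s->avail;
}

/* Constructed sample packet: PID 0, no adaptation field, pointer_field 0. */
void make_sample_packet(uint8_t *pkt, uint16_t section_length)
{
    memset(pkt, 0xFF, TS_PACKET_SIZE);
    pkt[0] = TS_SYNC_BYTE; pkt[1] = 0x40; pkt[2] = 0x00; pkt[3] = 0x10;
    pkt[4] = 0x00; pkt[5] = 0x00;         /* pointer_field, table_id */
    pkt[6] = (uint8_t)(0xB0u | (section_length >> 8));
    pkt[7] = (uint8_t)(section_length & 0xFFu);
}

int main(void)
{
    uint8_t pkt[TS_PACKET_SIZE], buf[64];
    struct ts_section s;
    make_sample_packet(pkt, 13);          /* honest length */
    int st = ts_parse_section(pkt, sizeof pkt, &s);
    printf("len 13:   status=%d copied=%ld\n", st, ts_copy_section(&s, buf, sizeof buf));
    make_sample_packet(pkt, 0xFFF);       /* claims 4095 bytes in a 188-byte packet */
    st = ts_parse_section(pkt, sizeof pkt, &s);
    printf("len 4095: status=%d copied=%ld\n", st, ts_copy_section(&s, buf, sizeof buf));
    return 0;
}
```

The second sample is the case that matters: a decoder that copied `declared_len` bytes into a fixed buffer would read and write far past the packet, while the checked version reports the mismatch and refuses the copy.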
Re: (Score:2)
If you're just using it for control purposes, it is possible to do so in a way that is relatively safe. Use two separate computers—one containing the DSP hardware and access to the camera, providing as its output only a series of control messages containing gesture events, and a second one that is the actual Internet-connected brain. Make sure the camera-connected device accepts only signed firmware updates.
If the Internet-connected device needs access to the camera, though, you're pretty much at t
Re: (Score:2)