Security researchers at Avast have demonstrated a number of vulnerabilities and potential attacks against Vizio smart TVs, including intercepting data that reveals a person’s viewing habits.
Under the wide umbrella of the Internet of Things and smart homes, Avast began to pull apart the security of a Vizio smart TV and found that it was susceptible to man-in-the-middle attacks because HTTPS certificates were not being validated.
Avast discovered that the TV was constantly accessing tvinteractive.tv, a website run by a company called Cognitive Networks. The service appears to gather a timestamp that reports what someone is watching and when, and then sends that information to the content provider or advertisers. Avast even discovered that the TV would accept a forged certificate when connecting to the site, as it does not fully validate the HTTPS certificate. Instead, it just validates the checksum at the end of the data being transferred.
Carrying out a man-in-the-middle attack in which it impersonated tvinteractive.tv with forged HTTPS credentials, Avast was able to crack the data that was being sent and view it.
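The gap described above, as an added example that is not Avast's or Vizio's code: a trailing checksum accepts data from any sender, while authenticity has to come from a TLS client that verifies the certificate chain and the hostname. CRC32 and all function names here are assumptions for illustration; the article does not name the checksum the TV uses.

```python
import ssl
import zlib

def frame_with_checksum(body: bytes) -> bytes:
    # Assumption: CRC32 stands in for the unnamed checksum in the article.
    return body + zlib.crc32(body).to_bytes(4, "big")

def accept_checksum_only(frame: bytes) -> bool:
    # An unkeyed trailer shows the body was not corrupted in transit,
    # not who sent it: any sender can compute a matching trailer.
    if len(frame) < 4:
        return False
    body, trailer = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == trailer

def tls_findings(ctx: ssl.SSLContext) -> list:
    # Flag the client settings that let a forged certificate through.
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the hostname")
    return findings

def weak_context() -> ssl.SSLContext:
    # The misconfiguration: encryption without any check of the peer.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def strict_context() -> ssl.SSLContext:
    # Library defaults: CERT_REQUIRED plus hostname matching.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    # Constructed sample: a frame built by someone other than the real server.
    other = frame_with_checksum(b"constructed body from a different sender")
    print("checksum-only check accepts it:", accept_checksum_only(other))
    print("weak context:", tls_findings(weak_context()))
    print("strict context:", tls_findings(strict_context()))
```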
The data is more like a snapshot of pixels than a clear view of what you are watching. Vizio provides a way of deactivating this tracking through the following menu path: Menu -> Reset & Admin -> Smart Interactivity -> OFF.
Avast has described its discovery as a possible attack vector into a person’s home network. It’s just the latest evidence of how a smart TV can make your local network vulnerable, and Avast claims that it could be a possible means to display content remotely on someone else’s TV.
“Further investigation is needed to demonstrate a proof of concept; however, this appears to be a potential attack vector for remotely displaying unwanted material on a person’s TV,” said Avast.
Vizio has patched these vulnerabilities and says the update will install automatically, but there is still no report on whether this update has been successfully delivered to all TV owners.