Smart home devices are useful, but are they leaving us vulnerable to attack? A new demonstration of Smart TVs suggests yes.
Your smart TV may know exactly what Netflix show you want to watch at the end of a long day, but it could also be letting hackers know more than you want them to about … well, you. As first reported by Ars Technica, there’s a new hack whose proof of concept suggests that terrestrial radio signals could be used to take control of a large swath of Smart TV sets without having actual physical access to any one of them.
In the demonstration of the hack, security consultant Rafael Scheel of Oneconsult AG used a cheap transmitter to embed malicious commands into a rogue TV signal, Ars reports. When that signal is broadcast to devices in the vicinity, it’s able to gain access to the televisions. The key to the attack is the exploitation of two documented security flaws in the Web browsers that run in the background of the TV models used in the test, both manufactured by Samsung. But that doesn’t mean that other sets are immune — if the attack were engineered to target other browser bugs, it would likely be just as effective.
“Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways,” Scheel told Ars. “Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV’s camera and microphone.” Indeed, in Scheel’s demonstration, he was able to remotely control the TV, and even rebooting and resetting the device didn’t lock him out of the smart appliance.
Perhaps the most terrifying aspect of Scheel’s proof of concept is that a hacker wouldn’t need any physical access to any of the devices. That means one could control a much larger number of smart TVs, too. And as an increasing number of concerns are raised about smart home devices overall, this demonstration certainly serves to underscore our vulnerability.
“This research is significant because TVs are used by a fundamentally different demographic than computers,” Yossef Oren, a security researcher told Ars. “People who use TVs don’t know/care about security, they aren’t used to getting security prompts from their TVs, they don’t have the discipline of installing security updates, and so on.”