If you have a Sony Bravia smart TV, you're probably familiar with its Photo Sharing Plus functionality. This innocuous app lets you share photos from your phone or computer directly to your television so that you can delight (hopefully) your friends and family without having to hunch over a tiny screen.
Unfortunately, Photo Sharing Plus is also a way for an inventive cybercriminal to potentially compromise your entire TV — unless you apply a patch ASAP.
Fortinet, an enterprise security firm in Sunnyvale, California, did some research on Sony Bravia TVs earlier this year and found three alarming flaws. The first allowed an attacker to crash the app; the second allowed an attacker to browse every file on the TV. The third, however, was the most threatening, as it let an attacker execute remote code with root privileges — in other words, to completely take over your smart TV and possibly draft it into a botnet or force it to mine cryptocurrency.
How to fix this
Luckily, the fix for these flaws is extremely simple, and most of it should happen automatically. Sony put out a security advisory in late July and August for owners of Bravia R5C, WD75, WD65, XE70, XF70, WE75, WE6 and WF6 models, informing them that there's already a patch available. Bravia TVs receive software updates by default, so all you should have to do is turn on your TV and make sure it's connected to the internet. The rest should take care of itself.
MORE: Best Smart TVs
You can also check for software updates in the TV's menu, although exact instructions for how to do this depend on your model. There are links to this effect on Sony's advisory page. If both of those methods fail, Sony also provides firmware fixes in .ZIP files, which you can apply via USB thumb drives. Check the advisory for further instructions.
(Sony claims these updates will happen automatically, while Fortinet claims they require user authorization to be installed. Whatever the case, just be aware that you may have to click "OK" or "I agree" at some point during the process.)
The flaws
The bugs themselves are interesting, although they require quite a bit of effort to leverage. The first, CVE-2018-16595, allows a user to overflow Photo Sharing Plus's stack buffer with an extremely long URL. This will cause the whole app to crash. Annoying, but not catastrophic.
The second bug, CVE-2018-16594, lets an attacker name a file in a certain way, then upload said file to the TV through the app. This lets the attacker browse every file stored on the television. This could threaten your privacy, particularly if (for whatever reason) you store sensitive information on your TV, but the most compromising thing an attacker could find is your Wi-Fi network information — which would not be especially helpful, since he or she would have to be on your network already in order to launch the attack.
CVE-2018-16593 is the serious vulnerability among the three. By misnaming an uploaded media file, an attacker can gain root privileges over the TV, then run whatever kind of remote code he or she wants. The easiest way to compromise a TV in this manner would be to draft it into a botnet, although you could theoretically mine cryptocurrency on a TV. (TVs have fairly robust GPUs, although the processing power and storage pale in comparison to even a half-decent computer.)
With root access to the TV, you could also theoretically compromise other network devices, like a router or a computer. But again, you have to be logged into a network before attacking the TV anyway, and at that point, there are easier ways to steal personal information. There's also no indication that these attacks have ever been present out in the wild.
In other words: Apply the patch, and don't sweat it too much. Your Sony Bravia TV may just show you the same reruns of How I Met Your Mother over and over, but that's probably its worst crime.
