Smart TVs are a beautiful way to bypass the hassle of a set-top box and to get content delivered directly to your television. It's also a new and exciting way for cybercriminals to invade your home and steal your personal information. A new proof-of-concept experiment proves that smart TVs are just as susceptible to hijacking as computers and mobile devices, and that a skilled hacker could extract some pretty compromising information.
The research comes by way of Security Response, a company blog run by Mountain View, California-based security firm Symantec. Candid Wueest, a Symantec security researcher, performed a series of experiments on his Android TV-based set, and argued cogently that similar attacks could occur on any of the major smart-TV platforms (Tizen, webOS 2.0, Firefox OS and so forth).
Wueest explained that the two simplest ways to infect a smart TV would be to either insert a USB stick full of malware into one of the set's ports, or to hide an infected app in one of the major marketplaces. (Infected apps do sneak into Google Play now and then, so it's not hard to believe that a TV app marketplace could let a few slip through.)
Of course, either method has limitations, since you would need to physically access a TV for the former, and the latter would probably not get to stay online for long.
Other methods of compromising smart TVs include man-in-the-middle attacks in which an interloper manipulates legitimate data before it reaches the TV (TVs generally have poorer encryption than computers and mobile devices), exploiting software vulnerabilities (this is simple, as most smart TVs have Web browsers) and taking advantage of old vulnerabilities (smart TVs get updates much less frequently than other systems, which means that older bugs still work just fine). To test his ransomware hypothesis, Wueest made use of the first of these methods, a man-in-the-middle attack.
Wueest found that the gaming app on his Android TV did not encrypt its communications with its corresponding Web server. From there, he was able to redirect the TV into installing a piece of malware when it was supposed to install a game. The malware in question was a nasty bit of ransomware, which demanded money in exchange for unlocking the TV. Until the user paid up (and, possibly, even afterward), the TV would not function as promised. Say what you will about cathode-ray tube sets, but this wasn't a problem back when they ruled the market.
Worse still, removing ransomware from a smart TV could be even more difficult than getting rid of it on a computer or mobile device. The window between the TV starting up and the ransomware opening was too short for Wueest to perform a factory reset, and he eventually had to use an Android command-line tool to excise the ransomware from his system. Most smart-TV users would lack the technical know-how to perform a similar repair.
It's very obvious how ransomware could compromise a TV experience, but that's not the only way malware can ruin a smart TV owner's day. Because smart TVs often run for hours at a time, they are attractive targets for botnets, as well as for digital-currency mining and click-fraud scams. Depending on individual app security, an attacker could also get ahold of what you've been watching, which might not be ideal if the answer is "anything compromising."
Since smart-TV ransomware is, at present, only a proof-of-concept, there's not much risk to users out in the wild. But if smart TV manufacturers do not step up their security games, your best bet, as always, is to keep your TV updated as frequently as possible, and to avoid potentially shady apps in the marketplaces.