Samsung and Roku smart-TV systems are vulnerable to flaws that would allow for control by third parties, according to findings from Consumer Reports. The flaws were found during comprehensive security and privacy testing of smart TVs and their companion mobile apps from a number of vendors.
The issue with the TVs from Samsung and Roku were that researchers were able to control televisions remotely (no pun intended), including cycling through channels, turning the volume up to unbearable levels, removing the TV from a Wi-Fi network and opening up unsettling content in the YouTube app.
This is more mischief than hazard -- someone standing outside of a window with a universal remote could do similar things -- but it shows how yet another device in our home is now potentially open to threats from outside forces.
While the Roku-powered TV tested was a TCL, the flaw could occur on other TVs with Roku's platform, such those sold by RCA, Sharp, Insignia, Philips and more, as well as Roku's own media players. The issue is due to an unsecured remote-control application programming interface (API).
"To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code," Consumer Reports writes.
So a user would have to open a scam email or visit a website with malicious code. The External Control setting can be turned off, but that also keeps you from controlling a Roku-based TV with its own app. Roku told Consumer Reports that there is "no security risk."
The Samsung hack is a bit harder to accomplish. A TV owner would have to use a remote-control app on his or her phone and then open a malicious website on the same device, which would authorize others to control the television. Samsung told Consumer Reports that this flaw would be patched sometime in 2018.
It's unclear from the reports just how far away attackers can be to take advantage of these flaws -- if they have to be on the same Wi-Fi networks, or can be abused from miles away. It's also unclear whether it's the TVs themselves being hacked, or the smartphones running remote-control apps that control the TVs. If it's the latter, the attacks might not work if a smartphone was offline or powered down.
Consumer Reports implied that the TVs could be controlled "over the web." Samsung and Roku have mobile apps that let you control your TV with your smartphone, and there are many third-party apps in Google Play that claim to do the same. But both systems require that the smartphone be connected to the same Wi-Fi network as the TV being controlled.
To protect yourself, avoid installing remote control apps on other devices, as that's where most of the attacks seem to be occurring. Additionally, you can disable Wi-Fi on your TV, but then you won't be able to use internet-enabled features. Alternatively, if you can find one, just buy a dumb TV (if you can find one. Most TVs on the market these days have smart features).
The report also explains how your TV can track you to serve ads, so it's worth a read to see the best practices to make sure you're not tracked. You can read the full story here.