Security News for the Week Ending June 21, 2019

Asus Was Not Alone

I wrote about the Asus supply chain attack in March (search for Asus in the blog search box).  Attackers, somehow, compromised the development environment, injected malware and allowed the system to compile, digitally sign and distribute it through the software update process.  Hundreds of thousands of clients were infected as a result.

Now we are learning that Asus was not alone.  Kaspersky Labs, the Russian antivirus firm that the U.S. Government loves to hate, says that there were more.

In all cases, the development process was compromised and infected software was distributed – including:

  • game maker Electronics Extreme
  • Innovative Extremist, a web and IT company
  • Zepetto
  • Plus at least three other companies

All of these companies are current or former game makers and all had their internal development environments compromised to the level that hackers were able to get them to distribute digitally signed malware.  Source: Kaspersky.

 

Samsung Warns Users To Check Their TVs for Viruses – Then Unwarns

Last Sunday Samsung put out a notice on Twitter:

“Scanning your computer for malware viruses is important to keep it running smoothly,” the message warned. “This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how:”

Then they deleted the message, as if someone figured out that if users thought their TVs were breeding grounds for bad stuff, they might not buy a new TV. When Samsung was asked about it, the reporter got no reply.

YOU DO scan your smart TV for malware every few weeks, don’t you?  Source: The Register

 

The Consequences of A Data Breach

By now everyone is aware of the data breach reported by Quest Labs and Labcorp, among others.  But there is another part of the story.

As I have reported, the source of the breach was a third-party vendor, American Medical Collection Agency. This is the vendor cyber risk management problem.

Now that the breach has become public, customers are fleeing from AMCA like the proverbial rats and the sinking ship.

As a result of that, the lawsuits already filed and to be filed and the regulators snooping around, AMCA’s parent company, Retrieval-Masters Creditors Bureau, Inc., has filed for bankruptcy.

It seems the company’s future is pretty cloudy.  Source: CNN.

 

Your Tax Dollars At Work

A Florida city has taken the opposite tack from Baltimore and decided to pay a hacker’s ransom demand instead of rebuilding from scratch.

Riviera Beach, Florida, population 34,000, was hit by a ransomware attack three weeks ago. Like many cities and towns, Riviera Beach likely didn’t prioritize IT spending very high and crossed its fingers.

The Baltimore hacker asked for about $95,000, which the city refused to pay. They have now agreed to implement a number of IT projects that have been ignored for years and to spend $18 million.

In this case, the hacker was bolder, asking for $600,000. If the city has typically poor IT practices, paying was the only way to get their data back.

The reason why we hear about all of these attacks on cities is that their budget process is legally much more public. If a private company pays a ransom, there is, most of the time, no legal requirement to disclose it. Source: CBS.

 

Consumer Reports Says Smart TVs Vulnerable to Hacking

Consumer Reports says that Smart TVs by Samsung and multiple brands that are powered by Roku are vulnerable to hacking.

While this particular hack won’t empty your bank account, it will allow the hacker to change the channel, volume and other settings.

What is even more interesting was the two vendors’ responses to being contacted by Consumer Reports.

Samsung said that they would fix the problem as soon as technically feasible.

Roku said that it was a feature; that they published an interface to allow third party developers to control your TV and it didn’t compromise your Roku account on their server (which no one said it did).

Then they went further to say that you could disable that feature by clicking on SETTINGS, then ADVANCED SYSTEM SETTINGS, then EXTERNAL CONTROL, then DISABLED.

Call me dumb, but why wouldn’t you ship the system with that feature disabled and then allow the small minority that want to allow hackers or other third parties to control their TV to turn it on?

Separately, Consumer Reports said that all these TVs raise privacy concerns by collecting very detailed information.

Besides collecting all your viewing data and selling it, many have microphones and collect audio all the time.

Vizio paid a multi-million dollar fine last year for failing to disclose that feature.  Now Vizio says, in the manual, do not discuss anything sensitive in the same room as the TV.  Nice.

Consumer Reports does say that you can limit the data collected by the TV by disabling the features you paid extra for when you bought a smart TV. In other words, if you turn the smart TV into a dumb TV, it won’t collect data. Or be very smart.

You could replace your iPhone with a rotary dial land line to improve security also, but that kind of misses the point.

Information for this post came from CNET.

 

Smart TVs And Your Privacy

 

Samsung made some news last week. As we know, some smart TVs are always listening to the talking in the room. The way the software works is that it captures all voice and looks for the trigger words. Samsung, in its privacy policy, said:

“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

So if you talk about your health, marital situation, a terrorist plot or anything else, that will be sent to Samsung and to the third parties that they use.

After the freak out ended, Samsung attempted to clarify what happens by saying this:

“If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features to you.”

It is not clear that this “clarification” made anyone feel any better.

So who does Samsung share your information with?

  • Affiliates – Samsung owned companies
  • Business partners
  • Service Providers
  • Law Enforcement

We don’t know what other TV makers do with your voice, but it is likely similar.

In addition, that data may be kept forever.  Their policy doesn’t say how long they keep it.

If we shift the conversation to the fight between Apple and the Department of Justice, maybe we need to ask if the San Bernardino shooter had a smart TV.

Likely, as in other Patriot Act warrants, the TV makers would not be allowed to tell you that the Feds want your conversations.  In very general terms, they could tell everyone about the range of the number of warrants they have received, after the fact.

There is a simple solution of course – don’t buy a smart TV or don’t enable the voice feature on it.

 

Information for this post came from SecureWorldExpo.

Are You Watching Your TV? It May Be Listening To You!

Samsung’s Smart TV voice recognition works just like the voice recognition on your Android or iPhone, with one big difference, and CNN is reporting on this today.

On all of these devices, the device captures your voice, sends it over the internet and gets the text back the same way.

It is not clear whether any of these vendors encrypt the traffic, but if I were taking bets, I would bet that it is not.

Samsung uses a third party – whom they have not named – to do the conversion.  It is unknown whether Apple and Google outsource it or do it internally.

Here is the difference.  On your phone, you tell it when you want it to perform speech to text conversion – you press the microphone icon or ask Siri.

Because the television never knows when you are going to ask it to change the channel or find a new program, it is always listening.

So, if you are plotting to rob a bank, maybe you should not do it in front of your smart TV.

What is not clear is whether something occurred to bring this to the forefront today.

Samsung claims they neither sell the data nor keep it.  They did not answer the question as to whether the third party keeps the data.

Your first inclination after reading this is to turn off the voice recognition feature. Go ahead. Of course, if you do that then you can’t yell at your TV to change the channel – you will have to do it the old fashioned way and use the remote. If you do turn it off, the TV listens anyway, because there are some features that work even if general voice recognition is off, and in addition it sends that data, but not your voice, to Samsung for statistical analysis.

We already know, courtesy of Edward Snowden, that the NSA looks at any data that the hackers hack that they can get their hands on. Why do all that work? Just steal it from the thieves.

I wonder if the NSA is listening to your smart TV? If they weren’t before, I bet they are now.

A pair of wire cutters applied to the microphone wire will likely work, however.

 

Mitch