Forgot your password?
typodupeerror
Television Java Security Linux

Samsung Smart TV: Basically a Linux Box Running Vulnerable Web Apps 166

Posted by Soulskill
from the for-sufficiently-dumb-values-of-smart dept.
chicksdaddy writes "Two researchers at the Black Hat Briefings security conference Thursday said Smart TVs from electronics giant Samsung are rife with vulnerabilities in the underlying operating system and Java-based applications. Those vulnerabilities could be used to steal sensitive information on the device owner, or even spy on the television's surroundings using an integrated webcam. Speaking in Las Vegas, Aaron Grattafiori and Josh Yavor, both security engineers at the firm ISEC Partners, described Smart TVs as Linux boxes outfitted with a Webkit-based browser. They demonstrated how vulnerabilities in SmartHub, the Java-based application that is responsible for many of the Smart TV's interactive features, could be exploited by a local or remote attacker to surreptitiously activate and control an embedded webcam on the SmartTV, launch drive-by download attacks and steal local user credentials and those of connected devices, browser history, cache and cookies as well as credentials for the local wireless network. Samsung has issued patches for many of the affected devices and promises more changes in its next version of the Smart TV. This isn't the first time Smart TVs have been shown to be vulnerable. In December, researchers at the firm ReVuln also disclosed a vulnerability in the Smart TV's firmware that could be used to launch remote attacks."
This discussion has been archived. No new comments can be posted.

Samsung Smart TV: Basically a Linux Box Running Vulnerable Web Apps

Comments Filter:
  • by djupedal (584558) on Saturday August 03, 2013 @08:12PM (#44467739)
    Samsung isn't stupid....either worry about seminar hack-trolls or patent trolls. In the end, what counts is staying in the public's mind. Mission accomplished, I'd say. Wash, rinse, repeat.
    • by Hsien-Ko (1090623)
      Yeah, not much different than a Windows 98-powered Media Center running WebTV.
      • Re: (Score:3, Insightful)

        by jedidiah (1196)

        Much like modern Windows, the problem isn't so much the kernel but the really retarded user land stuff. It doesn't matter if you are running VMS or Unix if you insist on engaging on Microsoft style stupidity with your apps.

        • by icebike (68054) on Saturday August 03, 2013 @11:31PM (#44468131)

          Retarded is buying a camera in your TV and only THEN worrying about privacy.

          • by AmiMoJo (196126) * <mojo@NOspaM.world3.net> on Sunday August 04, 2013 @06:50AM (#44469179) Homepage

            I worry that it will become hard to buy one without a camera in a few years. Look at laptops, most have a built in webcam now. Years ago when I worked in a computer shop I saw a lot with tape over the camera, and sometimes offered to disconnect the camera and microphone internally while doing other work. Most are just USB cameras and two wire button mics that can be unplugged.

            • by exomondo (1725132)

              Years ago when I worked in a computer shop I saw a lot with tape over the camera, and sometimes offered to disconnect the camera and microphone internally while doing other work.

              Really? So the conspiracy theory here is that somebody has remote access to your system and could then conceivably access all your information but the only thing people are really worried about is the potential for somebody to take a photo of them staring at the screen?

    • by dbIII (701233) on Saturday August 03, 2013 @11:38PM (#44468157)

      Samsung isn't stupid

      Since they have a range of voip phones that crash if you do a simple portscan and they still sell phone switchboard systems that by default can be accessed by telnet with no password I disagree.

      There are enough people in that place that do not care about computer security that it comes as no surprise that another wide open box has come out of there. Don't get me wrong, they do have some good stuff, but there's a lack of oversight and if the guys at the bottom of the tree don't care about something there's nobody giving them orders to care.

      • Re: (Score:2, Insightful)

        by Anonymous Coward
        Freemarket is perfect! /sarc

        We need some regulations about not following basic industry standards. Telnet access with no password? That's a fine and people can sue you if they get exploited from the issue.
        • by Shark (78448)

          People can sue you if you didn't put a 'careful, hot' warning label on a coffee cup. You don't need regulations for that, trust me.

      • by i.r.id10t (595143) on Sunday August 04, 2013 @10:01AM (#44469737)

        they still sell phone switchboard systems that by default can be accessed by telnet with no password I disagree.

        Not sure how I feel about this. Is no password better than "admin" or "password" or "1234" for the default password? Lets face it, each device that ships is going to have a default way of accessing it for configuration.... The problem really lies with the people that *leave* it at that configuration.

        • Lets face it, each device that ships is going to have a default way of accessing it for configuration.... The problem really lies with the people that *leave* it at that configuration.

          No and no in that order.

          In the UK all wireless routers built into ADSL modems shipped by the major ISPs come with a unique random default wifi password. The password is printed on a card or sticker on the modem. A hard reset resets it back to this unique random default. Most people never change it from the default and the defa

          • Actually, for Sky, Virgin, O2 and Plusnet routers you can derive the wifi password from the SSID...

            • Actually, for Sky, Virgin, O2 and Plusnet routers you can derive the wifi password from the SSID...

              Oh that's sad :(

              Given that each one has minor customization in the firmware, it would clearly be _possible_ to make it secure by default. The trouble is that if you get unqualified people to do security then it never will be.

              • The problem (as always) is with people. People are going to unpack their new router, pull out the card marked "STOP! IMPORTANT! DO NOT THROW AWAY THIS CARD!" with the secure random passwords on it, join all their devices to the network, then put the card in a pile with all the other very important cards marked "STOP! IMPORTANT! DO NOT THROW AWAY THIS CARD!" like the warranty registration form and the certificate of compliance from the Icelandic telecom ministry.

                Six months later, they'll "clean up" the offi

        • by dbIII (701233)

          The problem really lies with the people that *leave* it at that configuration

          The Samsung techs that install it.
          Next?

    • by mcgrew (92797) *

      I'd say that anyone buying a TV with a microphone is the stupid one. Lets hope people are smart enough to kill this stupid NSA wet dream.

      • by cjjjer (530715)
        You know your phone has a microphone....
        • by bmk67 (971394)

          Your phone requires a microphone. Your TV does not.

          • by exomondo (1725132)

            Your phone requires a microphone. Your TV does not.

            So? Your phone doesn't require a camera or an internet connection but the vast majority have them.

        • by mcgrew (92797) *

          It won't pick up much sound closed and in my pocket. And you need a microphone in a telephone, having one in a TV makes no sense.

    • by hairyfeet (841228)

      Well all I have to say is....welcome to the club Linux guys, now that you have officially made it to the big time you too will have every malware writer on the planet gunning for ya. Coffee and donuts are in the back, try to just ignore the guy rocking and mumbling in the corner, that is the Apple guy and he is still kinda in shock after spending all that money on gear only to get pwned by MacGuardian.

      Seriously though what did anybody expect? You have an OS that 1.- Has both the OS and the apps capable of u

      • by i.r.id10t (595143)

        The only things I've done wiht my (camera-less and microphone-less) Samsung Smart TV is watch the occasional youtube video with the kids and use the netflix built into it.

        And since if the kids get into Netflix it eats my bandwidth so I can't play Xonotic, I usually just leave the TV's network cable unplugged. Fairly secure, no?

    • by tlhIngan (30335)

      The problem (as always) is with people. People are going to unpack their new router, pull out the card marked "STOP! IMPORTANT! DO NOT THROW AWAY THIS CARD!" with the secure random passwords on it, join all their devices to the network, then put the card in a pile with all the other very important cards marked "STOP! IMPORTANT! DO NOT THROW AWAY THIS CARD!" like the warranty registration form and the certificate of compliance from the Icelandic telecom ministry.

      Six months later, they'll "clean up" the offic

  • by cascadingstylesheet (140919) on Saturday August 03, 2013 @08:28PM (#44467791)
    ... the telescreen watches you.
    • by Anonymous Coward
      The people with the power watch the people with less information. This way in case one of the proles wakes up with information that counters the propoganda, he probably goofed on the Internet somewhere, even a misclick could be used against him. Once you watch what everyone is doing, you can pick and choose your political enemies you want to sit down. Hitler knew this. I guess they needed to wait until the people who fought Hitler were mostly old and dead before they tried this. Sure, it sounds good to
    • ... the telescreen watches you.

      I didn't realize Samsung was a Soviet company.

  • Yep. (Score:5, Informative)

    by Anonymous Coward on Saturday August 03, 2013 @08:31PM (#44467801)

    I have two Sam'sDung SmartTVs. Yes, all these TVs are glorified Linux boxes running a badly collected series of apps. There is little to integration. Some won't accept keyboard input while other do. You either watch TV or run an App. Most apps are poor. The browser won't run most web pages and crashes. Yes, crashes. In this day in age it is hard to believe in your browser crashing nearly every time you try to use it.

    As for security, I no longer use any of the apps as none are worth anything. Netflix is okay but not great but since I've gone back to DVDs from streaming I am blocking the ports (6000 mainly and I forget if another is in use) to stop the TV from phoning home every time it is turned on.

    I blocked the ports because my firewall was showing connections to my LAN from very strange locations; Brazil, Japan, Russia. The problem is that Samsung's 'partners' are unknown to me and I'm sure it is these apps that doing the calling out. Who knows who wrote them, what is in them, and what they can really do.

    The TV isn't bad when hooked up to my modified version of the PS3 media server project.

    • Can these Samsung Smart TVs be made to ignore all the convergence stuff and just be a monitor?
      • by vux984 (928602)

        Can these Samsung Smart TVs be made to ignore all the convergence stuff and just be a monitor?

        Yep, mine doesn't have a network cable or wifi connections. In fact all it has is one HDMI cable running up from my receiver. That's it.

        The Wii/WiiU/HTPC/BRAYDVD/DVR etc are plugged into the receiver. The receiver isn't internet connected either.

        When I want to do something online, the HTPC has internet access, and the Wii's can go online if necessary, but its not usually necessary.

        As you can imagine the salesmen's

        • by drinkypoo (153816)

          All I cared about was brightness, black levels, and other characteristics of the LCD panel

          And you still bought a Samsung TV? Methinks price was a major factor.

          • by vux984 (928602)

            And you still bought a Samsung TV?
            Methinks price was a major factor.

            Lol, I bought a Sharp actually; and it wasn't at the budget end of the lineup, but yes, price was a factor.

            • by drinkypoo (153816)

              Lol, I bought a Sharp actually; and it wasn't at the budget end of the lineup, but yes, price was a factor.

              Well, price is always a factor. I have a Sharp TV too :)

        • Yes i realize that of course. Here is some clarification. Does it nag you because you dont have internet hooked up? Can you NOT see the links to the web services if you jsut use the TV normally or is it in your face?
          • by vux984 (928602)

            Does it nag you because you dont have internet hooked up?

            Full disclosure... I've actually got a Sharp not a Samsung.

            But no, not one bit. It doesn't nag or complain about internet until I go into the menu and actually select one of the apps, e.g. netflix etc. It otherwise behaves as a monitor, and all I ever do is turn it on or off. Because all the switching is done at the receiver, I don't even switch inputs.

            Its entirely possible though that there are TVs that are more intrusive about how "smart" they are.

      • by tlhIngan (30335)

        Can these Samsung Smart TVs be made to ignore all the convergence stuff and just be a monitor?

        Last I checked, you needed a network connection for this stuff. So all you need to do is... not plug in the network cable. Or configure the wifi.

        So just use it as a TV and you're golden. No one says you have to plug in every cable the TV supports.

        Of course, I suppose a smart Smart TV might try to use the ethernet-over-HDMI function ...

    • by emag (4640)

      And people tell me that after my horrific Hamstrung experience with one of their pump & dump phones, I'm stupid for refusing to consider any electronics from them ever again...

      • Re: (Score:2, Interesting)

        by symbolset (646467) *
        Samsung is a global conglomerate that makes 750 models of Android smartphone - and each model can have several variants. I believe they have a few feature phones too. Each is targeted at a different consumer. Some are for the most price sensitive, some the most demanding of cutting edge features, some for those who crave only the most open phone. If you want to be helpful maybe you could mention the specific model that raised your ire? And then maybe the selection criteria and buying process that led t
    • by symbolset (646467) *

      I love my two Samsung LED SmartTV HDTVs. I have a 50" and a 55". The picture is glorious. I love how slim they are. The smart TV feature though? That's an implement of torture. Certainly they never intended it be used - it's just one more logo that has to be on the box. It's a big monitor. The audio is okish, for audio that's integrated into a TV, but that's not saying much. I don't use the speakers either. Frankly I almost never use the tuner either.

      I don't think anybody in their right mind lets

      • by tepples (727027)

        who in their right mind would buy a TV with a webcam in it in the first place?

        What solution do you recommend instead for video chat with relatives without having to interrupt another household member's use of the family PC?

      • by BitZtream (692029)

        I know people are worrying about turning on the TV's webcam, to which I would ask who in their right mind would buy a TV with a webcam in it in the first place?

        Anyone who likes the concept of video conferencing with loved ones around the globe by just using their TV.

        I realize thats not what actually happens, but I'd love if I could do FaceTime on my TV with a built in camera and no laptop/phone.

      • Trying again, with the goalposts in the correct places in the direct reply:

        What solution do you recommend instead for a living roomful of relatives to video chat with another living roomful of relatives? In my case, one end lives in Indiana and the other end in Arizona or Florida. People would choose a smart TV with a webcam for this because most people are unwilling to put a PC in the living room and use a TV as its monitor.

        • by symbolset (646467) *
          A tablet or phone. We already have those, they already have connections for the TV either wired or wireless, they have every sort of video chat option imaginable and will continue to do so because they number in the billions. And we know when they are looking at us; they turn off.
    • by Snotnose (212196)
      My PS3 does the same. I farked up my laptop a couple months ago and tried to use my PS3 to get info on how to fix it. Pretty much everything past google crashed the PS3 web browser.
    • Couldn't you just disconnect the TV from the internet? Or am I missing something?

  • All I have to say.....
  • To bad cable card failed and there has been little to replace it.

    tru2way and RVU are there in small numbers but you are still stuck with the cable or sat GUI that kills off most of real use of an smart tv.

  • by aaronb1138 (2035478) on Saturday August 03, 2013 @10:47PM (#44467999)
    Thanks to bad headline choices you all missed the point. Samsung provided a ripe platform for hacking and development by making root easy (just like with their smart phones).

    Shut up and get to work porting XBMC to it already.
    • by Smegoid (585137)

      For what it's worth, there's a very decent Plex client that is under active development (check the plex forum). This app is why I went with smart tv. All the perks of plex/xbmc without another bloody roku/htpc box to drive it.

      • There are two bigger issues in the giant pile of FUD that the security community has been gravitating towards in favor of higher paychecks and less rather than more informed users. The first is defining the scope of damage. What can a hacker *do* with a compromised smart TV, versus how likely is the end user to just factory reset an oddly acting set. The second is ignoring multiple user failure steps as somehow being the software's fault. The latest HTTPS hack is a complete fabrication of an issue. Ass
    • Re: (Score:3, Funny)

      by phantomfive (622387)

      Shut up and get to work porting XBMC to it already.

      Well that motivated me to do it for you.

      • Thank you for identifying yourself. I'd rather not work with people who can't appreciate the subtle humor of the stereotyped, "Shut up and get to work..." meme. Actually, seeing someone laugh at an over the top delivery is a great way to figure out who had to work through high school / college in the service industries. This is usually a good way to filter and find people who can pinch hit and knock stuff out of the park when everyone's back is to the wall.
  • This description is not specific to just Samsung. Other manufacturers follow the same pattern with their smart TVs
  • I own both LG(2013) and Samsung(2012) Tvs. I bought it on purpose w/o camera ;-) However Samsung is still the king, apps are much more polished,DLNA works MUCH better. However you realize that after you buy something different from Samsung. If you use DLNA a lot, Samsung is the only way to go.
  • "Smart" is undergoing a semantic evolution similar to that of nice [hull.ac.uk]

  • ...they'll put Windows 8 on it

    • by BitZtream (692029)

      I'd FUCKING LOVE for a TV to come with Windows 8 Media Center, 3 or 6 Cable Card Tuners and a network port so it could feed WMC extenders and use an NAS for storage. Its only competition in the DVR arena is TV.

      But don't let ignorance get in the way of your fancying.

  • I own several samsung devices and i am extremly happy with the hw quality/price ratio.

    But: Samsung, your software sucks. Deeply.

    -Updates are late, incomplete and appear only until 1y after the products release (recently flashed my 1st gen galaxy tab to cyanogenmod and yeah - it runs better now)

    -The crapware bundled on the device looks like it was specified by some management monkey and implemented by a intern. It suck the battery empty is most likely riddled with security holes

    -Even talking to the devices

    • -Updates are late, incomplete and appear only until 1y after the products release (recently flashed my 1st gen galaxy tab to cyanogenmod and yeah - it runs better now)

      Yup, and actually Cyanogen is part of the answer.

      What we definitely need is a very good quality 3rd party opensource firmware suite for "glorified linux set top box" WebTVs.

      We have CyanogenMod for Linux/Android phone (and look how successfull and what good quality the results are. You're far from the only person with a "Got fed up with the delay/absence of firmware from my hw manufacturer, so I switched to CyanogenMod and my life is now full with rainbows"). Some hw manufacturer are even jumping aboard the

  • Why there are no web-cameras with a lid? It is so obvious and inexpensive to install a small light lid on a web-camera and microphone to control them physically. Still it is never done.

    When something is closed with a physical lid, it is closed 100%. No way to open it for eavesdropping from network.
  • This is what happens when companies do stuff outside of their core competencies. They tend to do things half-assed (knowingly or unknowingly). There are better devices out there that are specifically built to do what "smart" TVs are poorly attempting.

    As usual, you get what you pay for.

  • I just got a smart TV, but I've left it entirely disconnected from the network. I connected a Debian box running XBMC to it. I trust that machine far more than whatever is running on the smart TV. The rule for my trusted network is: if I don't have root, it's not trusted. And root is a necessary, but not sufficient condition for trust. For example, my Kindle is rooted, but I still don't entirely trust it since Amazon still has remote control over it.

Prototype designs always work. -- Don Vonada

Working...