Samsung Smart TV security hole allows hackers to watch you, change channels or plug in malware


Did your Samsung Smart TV just switch channel?

Don't blame the dog for stepping on the remote control - there's a remote possibility it could be hackers who've hijacked your smart TV.

Researchers with Malta-based security consultancy and bug seller ReVuln have found a vulnerability in an unspecified model of a Samsung LED 3D TV that they exploited to get root access to the TV and any attached USB drives.

In a video titled "The TV is Watching You", ReVuln shows a Samsung TV screen with which the researchers systematically fiddle.

Here's what the researchers found they could access:

  • TV settings and channel lists
  • SecureStorage accounts
  • Widgets and their configurations
  • History of USB movies
  • ID
  • Firmware
  • Whole partitions
  • USB drives attached to the TV

By exploiting the vulnerability, ReVuln also found that they could retrieve the drive image, mount it locally, and check for sensitive documents or material that should remain private, such as usernames, passwords, financial documents, or any other type of material typically kept on USB drives.

If the victim uses a remote controller, ReVuln also found that they could get its configuration and thereby control the TV remotely.


ReVuln also found they could install malware remotely to gain complete root access to the TV, co-founder Luigi Auriemma told IDG News Service:

"If the attacker has full control of the TV...then he can do everything like stealing accounts to the worst scenario of using the integrated webcam and microphone to 'watch' the victim."

The vulnerability extends beyond one specific model tested in the firm's lab, he said:

"The vulnerability affects multiple models and generations of the devices produced by this vendor, so not just a specific model as tested in our lab at ReVuln."

ReVuln is a recent entrant into the market for buying and selling bug and vulnerability information and mostly focuses on vulnerabilities in SCADA and ICS software that run utilities, industrial systems and the like.

Auriemma has played around with TVs before. In April, he stumbled on a vulnerability in all current versions of Samsung TVs and Blu-Ray systems that would allow an attacker to gain remote access.

At the time, he said that the vulnerabilities could be found in all Samsung devices with support for remote controllers.

One hopes that the researchers have acted responsibly and informed Samsung of the vulnerabilities in their consumer devices, and that an over-the-internet firmware update to plug the security holes will be forthcoming.



5 Responses to Samsung Smart TV security hole allows hackers to watch you, change channels or plug in malware

  1. It took a few decades longer than George Orwell expected, but I suppose one more prediction from 1984 is on its way.

  2. Phil · 622 days ago

    I am guessing this is only valid if the T.V. is connected via the home network?

  3. Dean · 621 days ago

    Does it matter?

  4. What model TVs are affected?

  5. Guest · 621 days ago

    Do you know if it only affects TVs directly exposed to the Internet? I doubt it would be an issue if the TV were behind a firewall (unless a PC in that network got infected and was being remotely controlled.)


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.