As TVs and the kit that we connect to them become more sophisticated and reliant on internet-based services, they could be open to the same kinds of attacks as computer networks.
According to Italian security researcher Luigi Auriemma, current versions of Samsung’s internet-connected TVs and Blu-ray players have two vulnerabilities that could enable attackers to get remote access to the devices.
Auriemma claims that it’s the devices’ support for network-based remote controls, such as a smartphone or tablet that shares a link to a home’s Wi-Fi router, that is to blame for the security risk. Remote control apps are available for iOS and Android.
Potential problems include locking the TV or player into an endless restart loop or causing it to crash.
The researcher found the bugs inadvertently, he says, while trying to play a trick on his brother by sending him a funny message via the TV when it tells the viewer that a new remote control device has been found. He had altered the name of the device to show his message but the results almost destroyed the TV, which was rescued only by resetting it in engineering service mode.
Auriemma then found that he could crash connected devices by setting the MAC address to a long string, which appears to him to be a buffer overflow vulnerability, a security flaw that could potentially be exploited by hackers.
“The bugs have been tested on a D6000 and D6050 TV, but it's highly possible that many of the Samsung devices supporting this protocol are vulnerable because D6xxx is a recent TV and usually these 'core' components are like libraries shared with other devices that make use of the same protocol,” the researcher said in an email sent to the Threatpost website.
He says that a number of Samsung products with the Internet@TV, AllShare or Smart Hub features made in the last couple of years may be vulnerable. An attacker would need to gain access to the same network, but if your firewall or wireless security is not strong enough, they wouldn’t need access to your building. If you see an unexpected new remote control message, just press Exit.
The vulnerabilities appear to be fairly low risk compared to the host of viruses, malware and cyber attacks that computer networks have to fend off on a daily basis, but they demonstrate that makers of “smart” home entertainment devices must be just as aware of security issues as any PC or software supplier.
In Luigi Auriemma’s case, he was frustrated because there was no obvious route to report security bugs like this to Samsung. Now that he has made his findings public, we hope that a fix will be in the works. We’ll let you know if there is an update.