back to article Hacker warning over internet-connected HDTVs

Internet-connected HDTVs could be used by hackers to infiltrate home networks, according to a firm that markets device security software for smartphones, VoIP devices and TVs. Mocana's not-exactly-disinterested warning follows tests by the firm on a range of inter-connected TVs, during which a security flaw was discovered in …

COMMENTS

This topic is closed for new posts.
  1. banjomike
    WTF?

    at least until a fix is released...

    er, so how many flash upgradable TVs are there? Mine isn't. I suspect that a TV firewall is a LONG way in the future.

    1. mccp

      A title is not required

      Well probably loads. I've just bought a new TV, FreeSat receiver and BluRay player (Samsung, Humax & Sony). Each one can have its firmware upgraded from a USB flash drive plus Ethernet, DVD-R and over the air. In fact, all were delivered with out of date firmware.

    2. Richard Lloyd

      Er, most new large TVs are flash upgradeable

      Most new large TVs are flash upgradeable. My 32" LG, for example, has a USB port and runs Linux - throw in a stick with the new firmware on and it'll upgrade the set for you. Amusingly, someone leaked the engineer backdoor sequence to get into the service menu for an older firmware release (it was blocked after the leak though) and the menu lets you enable features in more expensive models - whoops! So a quick downgrade, enable features and upgrade again got my set playing movies, music and photos from the USB port, which it couldn't previously do.

    3. dom0410
      FAIL

      Over the air

      My LG TV updates over the air automatically and it wasn't an expensive model so I'm guessing that a lot of TVs will have this functionality.

      1. Anonymous Coward
        Anonymous Coward

        I've got an LG too, but...

        ...since models go 'obsolete' quite quickly these days, when the new models come out, don't expect any updates to them.

        1. dom0410
          Thumb Up

          Already had one..

          I've only had the TV 2 months and have already had 1 OTA update so far so there is at least some support. I'm guessing internet connected TVs will be able to update over the internet rather than via the TV signal like my TV.

          1. Anonymous Coward
            Anonymous Coward

            What would stop someone with a mobile transmitter and the right software

            Sending out their own updates to these TVs?

    4. Anonymous Coward
      Anonymous Coward

      @banjomike

      "I suspect that a TV firewall is a LONG way in the future."

      Maybe so, but there's nothing to stop you putting a router (with its own user locked down firewall) between the TV and the internet.

  2. Michael Souris
    FAIL

    Samsung

    Reading the PDF, it's a Skype capable TV with the manufacturer redacted to Xxxxxxx. So that'll be Samsung then.

    1. purplefloyd
      Pint

      Vieracast

      It's definitely Panasonic Vieracast, not Samsung. The URLs in the linked-to article make this a certainty.

      Beer, coz it's now Friday evening.

  3. Vladimir Plouzhnikov

    Good

    Internet connected TV = SONY/MPAA/BPI lawyers sitting in your living room and controlling what you can/cannot watch on it. If not now, then soon enough.

    If you connect your TV to the Internet you deserve to be hacked, if you just buy an "internet-enabled" TV you are half way there...

    1. Anonymous Coward
      Anonymous Coward

      Oh yes, how right you are.

      Anyway it's time for your medication now...

      1. Vladimir Plouzhnikov

        @AC

        Check your own prescription first, mate, before you touch the keyboard.

  4. Anonymous Coward
    FAIL

    I'm not a betting man....

    But I suspect it's Panasonic Viera's, and the website that is mentioned (albeit redacted) is http://www.vieracast.tv

    1. adfh
      Happy

      I reckon it's Panasonic Viera..

      Document mentions .eu and .tv domains and accessing home-screen.js

      Google home-screen.js and you get http://customvieracast.blogspot.com/2010_05_01_archive.html

      Read that document and you see "Looking at the code in home-screen.js I can see that it downloads from vieracast.eu (EU market) vieracast.tv (US market) depending on where you are."

  5. s. pam Silver badge
    Flame

    Gee, there's a bit more

    all home connected games consoles are just the same dummies on unprotected/registered ports, your DVD players, etc.

    El Reg you do fail badly you mutants -- who on earth will do a SW upgrade to their tele?

    1. Rob Crawford

      Seems you are relatively uninformed then

      I know the Sony Bravia range needed a software update when they used to refuse to come out of standby mode (apparently an overflow problem in a counter)

      My Samsung certainly has the option for a software update and if I used the built in Freeview tuner I would probably carry out the update just to try and get something more usable (but I don't so I wont)

    2. Anomalous Cowherd Silver badge

      Did one last night actually.

      So there's at least one, and it was a lot easier than upgrading Windows.

      1. Vladimir Plouzhnikov

        @Rob Crawford

        "I know the Sony Bravia range needed a software update when they used to refuse to come out of standby mode"

        That only means too things:

        a) The manufacturer got lazy - "I'll have a beer rather than debug that firmware properly, after all the luser can always be forced to update it later..." and

        c) The TVs have got more "features" than they need to have

        What it DOESN'T mean:

        a) The Internet connectivity for TVs is a necessary or a good thing.

  6. Anonymous Coward
    Thumb Down

    Terrible redaction...

    .. it's Samsung!

    There are lots of clues in the doc, but one simple test is who makes Skype enabled TVs.

    There is only Panasonic and Samsung. Further on it mentions domain names, in the .tv ccTLD, with specific JavaScript files. Guess what happens when you try those URLs with Samsung instead of the redacted X placeholders!!

    If you are going to redact, do it properly!!

  7. lansalot
    Go

    hmmm

    Looking at their list of afflicted applications, it matches with what I have on my Panasonic.

    Sony have their own walled-gardens of course, as do other manufacturers.

    The article confirms that the TV in question contains no actively listening services (quite rightly, why would it). Their whole premise appears to be based on the fact that they have redirected the TV (through local DNS redirection) to retrieve manufacturer-supplied scripts that have been doctored.

    Rightly, as no authentication is performed on the source of these scripts, they are able to rewrite them as they like and do what they will with them. The TV in question accepts them as authentic and then the fun begins. So of course they can change things in these circumstances.

    Frankly, if my home network has been compromised to that degree, then not getting youtube on my telly is the least of my worries.

    That said, interesting article. I think it's of more use as an educational jumping-off point, give some people some ideas on how to customise or open-up the walled gardens the manufacturers have locked them into. Nice bit of fun in other words :-)

  8. Anonymous Coward
    Anonymous Coward

    shame i don't know anyone with a Panasonic Viera..

    ..but a quick google of "home-screen.js" shows that these things have been pointed out before on user forums.

  9. baconbuttie
    Thumb Down

    Ugghh !

    No real interest in the PDF, but it's a slow day so I thought I would take a butcher's. What's with excessive hyphenation ? Surely someone as technically-aware as this bunch could work that out ?

  10. lansalot
    Go

    fwiw..

    I've updated the software on my TV a few times since July. Part and parcel. Not a problem, nothing to see here, move along etc.

    One would hope the base OS itself is actually verified before installation. Understandable that content isn't, of course. Still don't regard this as an issue to get me worried

  11. Bernd Felsche
    Pirate

    They're all computers

    Most appliances, even "unsophisticated" ones, are just computers with specialised peripherals. Alas, those who provide network interfaces don't often "realize" what they're doing; leaving the computer wide open to being "owned".

    What is probably closer to the truth is that they don't have the resources to build in the necessary protection for the "feature" that the marketing department has dreamed up and advertised 16 hours before product launch?

    And TV is, by definition, networked. How about malware payloads carried by digital TV signals, injected to attack particular TV engines? Right past the firewall of a domestic network.

    Want to attack other networked computers pretending to be appliances made by competitors?

  12. Disco-Legend-Zeke
    Thumb Up

    Self Repairing...

    ...self damaging.

    My blue light special movie player frequently offers firmware upgrades, the last of which disabled playing NETFLIX. The Blu-Ray spec intimates movie playing can be likewise crippled.

    HDNA gives your player/TV hooks into the rest of your network, especially mass storage.

    Where things will get scarey is when a camera and mic become* a "feature" of a TV.

    Makes buying a TV for your girlfriend a great christmas present. Of course skype would be on it. Trivial** to turn on the cam remotely and invisibly. A friend keeps a piece of tape over the lens on his lappy for just that reason.

    These guys have identified a genuine need. But then so have the makers of duct tape.

    *Technology predicted for 1984

    **For some people.

  13. Graham Bartlett

    Walled garden?

    Not really. It's more like putting on a blindfold and trying to walk down the road using dead-reckoning. One step too many/few, and you're in front of a car.

  14. Beachrider

    Vieracast.tv?

    I don't know of any site called www.vieracast.tv, I get a not-found when I key it in on my PC.

    IPTV is an interesting alternative to Cable-TV. It is not rare for people to be paying $165/mo for Cable/Phone/Internet. For a lot of people, there is some hope that IPTV is part of a way to do that stuff cheaper.

    1. Anonymous Coward
      FAIL

      www?

      You really don't know a lot about DNS and the web and stuff do you?

      Just because an A record doesn't exist for www doesn't mean that the domain doesn't exist...

      There are lots of other sub-domains on that domain.

  15. The Indomitable Gall

    Potentially perfect zombies...

    How many people ever turn off their TVs? You switch off your PC, and many people switch off games consoles, but how often do you actually physically remove power from your telly?

    You don't. You point a box at it and press a red button. So you're relying on software to switch it off. And if the software is hacked, then it can keep DDoSing websites, cracking captchas or whatever it is that the cool botnets are doing this year.

    1. The BigYin

      I do

      Every night almost all gadgets get powered off and unplugged. Even the router. The only thing that gets left n stand-by is one PC, and it's job is to record TV, so it often wakes up, does it's thing and then goes back to sleep.

      If I am ever daft enough to connect a TV to a network (and why would I? The DRM-crippled usage wouldn't be worth it), then I'll have to make sure I am running a router and a firewall that can pick-up crap like this on the network. One simply cannot rely on the OEM to do it correctly.

  16. Stevie

    Bah!

    This probably means my fridge *doesn't* need resupplying with P3niz P1llZ, and I've just wasted 50 quid.

    If only this warning had arrived yesterday.

    *When* will The Register begin to deliver timely warnings to its subscribers?

    1. TeeCee Gold badge
      Coat

      Re: Bah!

      Suit yourself, don't get 'em then. Just don't come crying to us when your fridge collapses into a post-tumescent heap on the floor.......

  17. Kevin McMurtrie Silver badge
    Pirate

    Panasonic backdoor

    My Panasonic TC-P50V10 listens on a port open while it's turned on. Panasonic won't say what it does and it doesn't respond to random codes sent to it.

  18. Mage Silver badge

    Ermm

    How can this work with a normal Broadband + Router + firewall setup?

    User has Browser on TV goes to web site with evil stuff that does???

  19. Anonymous Coward
    Joke

    New tv feature.....

    Anonymous releases new embedded version of LOIC, it's the Low Orbit (42") Plasma Cannon ;-)

    1. Anonymous Coward
      Troll

      ION Cannon

      Unless of course you are refering to the screen technology in play...

  20. John Smith 19 Gold badge
    Troll

    Shocking redaction?

    One might almost think they wanted people to get hacked.

    Surely not.

  21. Dr Patrick J R Harkin

    You know what this means?

    Hackers could make your TV home on Britain's Got Talent broadcasts and prevent you switching away or turning down the volume! RUN FOR THE HILLS - IT'S THE PIERSMORGAGEDDON!

  22. Nameless Faceless Computer User
    Megaphone

    Wait what?

    I have never, nor ever will, connect my refrigerator to the Internet.

    1. Anonymous Coward
      Black Helicopters

      "I have never, nor ever will, connect my refrigerator to the Internet."

      Then the government will just have to inspect the contents of your fridge the old fashioned way. By kicking in your front door and beating you to death.

  23. Cyclist
    Thumb Up

    NTV-a-go-go

    Surely this is just the natural conclusion of steps begun many years ago by the venerated Noel "Neddy" Edmonds on his House Party programme, where they jumped live to some unsuspecting fat bloke in his living room on a Saturday evening on the awesomely funny NTV slot. Probably.

  24. Anonymous Coward
    Anonymous Coward

    @The Indomitable Gall

    "but how often do you actually physically remove power from your telly?

    You don't. "

    Speak for yourself. We always switch ours off at the plug mainly because we don't use it much and it saves a little bit of electricity. Not everyone is so lazy that they can't make it over to the wall socket.

    1. Anonymous Coward
      FAIL

      @boltar

      So you only get hacked whilst you're watching the telly?!? Wow. Big deal.

      1. Anonymous Coward
        WTF?

        @anon coward

        "So you only get hacked whilst you're watching the telly?!? Wow. Big deal."

        One is a 10 year old CRT analogue set and the other doesn't have networking. Hacking them would be pretty impressive. Wanna try?

        Idiot.

  25. Christian Berger

    The point is simply...

    ...who controls the boxes. For example I have a networked "satellite receiver" which is essentially a Linux PC. I can record and store everything I want for as long as I want to. I can get both Freesat and normal FTA satellite reception. All recordings are normal files I can easily re-encode to just about anything I want. I could build an ITV to Youtube gateway, if I really wanted.

  26. david 12 Silver badge

    Massive HDTV BotNET

    How often do you run AV on your HDTV? Root Kit Scanner? Hijack This?.

    Once a Botnet gets into those HDTV's, it will never get cleaned out.

    And it won't be interfering with your TV watching pleasure -- it will be silently disrupting everyone else.

  27. The BigYin

    Simple answer...

    ...do not connect the TV to the local network. Why are people obsessed with doing this anyway? The experience is usually marred by DRM and proprietary interfaces with are a total pain in the balls. Use the TV as a dumb-monitor, nothing else. Drive it from some kind of media centre front-end (i.e. a PC). That can be easily upgraded/reconfigured/firewalled/etc and you neatly insulate yourself from the TV manufacturer deciding that your 2 year-old TV is now "obsolete".

    It's just a shame that when you get a big TV, you end up paying from USB, Ethernet, DLNA and other crap that you simply do not need.

This topic is closed for new posts.