Samsung Smart TV pwnable over Wi-Fi Direct, pentester says

A security researcher is complaining that Samsung isn't making a serious response to a vulnerability in its Smart TVs. The bug, discovered by pen-test outfit Neseso, concerns the televisions' implementation of Wi-Fi Direct authentication. An attacker only needs to sniff out the MAC address of a trusted device to connect to the …

  1. Long John Brass

    concluded that this is not a security threat

    Maybe someone should get all the Samsung Security Muppets' TVs to randomly turn on and play some Rick Astley videos; or maybe endless loops of Crazy Frog

    or is that *TOO* evil?

    1. Dan 55 Silver badge

      Re: concluded that this is not a security threat

      Keep piling on the pressure. Given enough, Samsung will say they've updated their TVs with enhanced trusted device recognition instead of fixing a bug.

      Just like their S8s with red tinted screens, that will receive enhanced colour balance controls with a software update. No, it's a bugfix.

      Or the pentester that said he found 40 vulnerabilities in Tizen in their Smart TVs a couple of weeks ago. I presume he gave up because he was spoilt for choice and it was like shooting fish in a barrel.

      Samsung are everything that's wrong with software development.

  2. Anonymous Coward

    Samsung's inability to secure their devices will result in me (and many others) looking elsewhere for our next TVs.

    I wonder how LG's WebOS is coming along...

    1. Anonymous Coward

      Last time I checked, LG software was absolutely rancid.

      It would be smart to avoid smart TVs for now.

      1. Jonathan 27

        Unfortunately, if you're buying a new TV that isn't really an option. Virtually all of them are "smart" now. I suppose the best option if you're really paranoid would be to disconnect the Wi-Fi antenna on your new TV (and never connect Ethernet, obviously).

        1. John Brown (no body) Silver badge

          "disconnect the Wi-Fi antenna"

          Depending on where the wifi is, that may just shorten the range, albeit considerably.

          I once got sent to a job where the fault description was, "can't connect to WiFi". Got there, opened laptop, noticed aerial connectors not connected, connected them, all fine now. User (in an IT department), had upgraded to wifi themselves and only ever used it at his desk. One office rearrangement later and he was no longer sitting directly under the WAP so could no longer connect.

          No, I've no idea why he needed a laptop that was only ever used at the desk either. Or why it needed wifi if it never moved off the desk. Probably he was a "ranker" who "deserves the best".

    2. Baldrickk

      I can't speak for security - I'm not a pen tester, but my new LG WebOS 3.0 TV works well.

      The interface is smooth and crisp, as is app performance.

      I was able to disable the WiFi in it entirely, and instead it is connected via ethernet - so you already need to be on my network to talk to it.

      1. paulf

        @ Baldrickk "I was able to disable the WiFi in it entirely, and instead it is connected via ethernet - so you already need to be on my network to talk to it."

        That should probably read: "I selected the option to disable WiFi in the TV settings. The TV told me WiFi was disabled and I believed it."

        These days you have to colour me cynical on these options that claim stuff is disabled.</cynical>

        1. Baldrickk

          Maybe, but I can't find a way to access it other than through the ethernet. It certainly isn't broadcasting anything over Wifi.

          Unlike the three Samsung TVs that are advertising themselves for the world to see that I can pick up from my Lounge.

        2. Anonymous Coward

          That should probably read: "I selected the option to disable WiFi in the TV settings. The TV told me WiFi was disabled and I believed it."

          Mine's an older Samsung that doesn't have built-in wifi (it needs a USB dongle). So at least that's safe :-)

  3. Anonymous Coward

    "company concluded that this is not a security threat"

    * Vintage Samsung response. But look how these chaebols operate... They're afraid of absolutely nothing with no consequences!

    * Stopped buying their TVs after the panel lottery scandal broke. Plus, at least LG and others still offer basic TVs....

    * This is IoT hell 101. Who wants to be a willing mark for big-tech / hackers / cybercrims / scammers / CIA-MI5 & Ukrainian war propagandists etc...

  4. Anonymous Coward

    I'm just glad that MAC addresses are fixed and in no way can you spoof them....

    Sarcasm aside, using the MAC address as security is like trying to defend your home from tigers with a butter knife.

    1. John Brown (no body) Silver badge

      "Sarcasm aside, using the MAC address as security is like trying to defend your home from tigers with a butter knife."

      Not at all. If you practice, train and are lucky, you might be able to stab the tiger through the eye and into the brain, thus killing it. No matter how hard you practice and train with your MAC address, it will never become a security defence weapon.

    2. CrazyOldCatMan Silver badge

      like trying to defend your home from tigers with a butter knife.

      Works for me - my home has never been attacked by tigers. Apart from the usual small, mostly-domesticated ones that have conned me into feeding and housing them..

  5. Olivier2553

    But who needs a smart TV

    Smart TV is an insane concept. Hopefully, your television will last 10 years, but your computer needs to be changed every 2 or 3 years. Why join both in a single equipment?

    A standard TV with an external single board computer, android dongle... It costs a fraction of the price of a smart TV, and is way smarter.

    1. Baldrickk

      Re: But who needs a smart TV

      I recently bought a new TV - I couldn't buy a non-smart one for the same price - for that, I would need to go to an enterprise display panel, which would cost more.

      If it goes out of date, then I can always use an external PC to provide input...

    2. Anonymous Coward

      Re: But who needs a smart TV

      Agree, as I pointed out in another post about how wonderful Android TVs are, I bought a NowTV box for £10 and never bothered with the subscription.

      Looking back, a Fire TV may have been better, but at the end of the day it's got iPlayer and that does 90% of what I need.

      1. Christopher Reeve's Horse

        Re: But who needs a smart TV

        It's almost like the manufacturers have a vested interest in you connecting your TV to the internet, so they can access reams of usage and customer data... The provision of a service useful to customers is just an afterthought, or a disguise.

        I would rather just have a decent, but dumb, display panel with LOTS more inputs.

        I've already got a 'smart' dishwasher (resolutely not connected online), and I can't think of any practical advantage to being able to switch it on remotely from my phone. Not until it's smart enough to load and empty itself anyway. I can only assume that Bosch want telemetry data about its usage - at my expense and at my security risk. F**k them.

      2. Jamie Jones Silver badge

        Re: But who needs a smart TV

        I have a heavily modified Beelink R68 android box, (native nfs/ip6 configured/512Gb ssd and usbstick) 5.1 surround sound amp, speakers, 1080p projector producing 95" "screen", air mouse remote control/keyboard, and all for probably a lot less than a top end smart tv.

        After watching a bit of TV, I'm now sitting back on my sofa, staring at my wall, typing this message. It's nice having a comfy sofa as one's office!

    3. User McUser

      Nobody, but that won't stop them.

      Hopefully, your television will last 10 years, but your computer needs to be changed every 2 or 3 years. Why join both in a single equipment?

      Probably because they want to sell you a new TV every 2 or 3 years instead of every 10.

  6. Tikimon

    Grab the torches and pitchforks!

    Join me, my comrades! This intolerable situation must be ended! We must act now to save the word "Smart" from brainless marketers! Death to Tech Newspeak!

    This isn't as goofy as it might sound. Through the stupidity of marketers a word meaning "intelligent" has been co-opted to mean "dumbest idea ever." Although to be honest, I'm pretty sure we'll just have to give up the original usage of "smart" and use other words instead. Damn marketers anyway, can't they just make up fancy-sounding nonsense words like they used to?

  7. Ian Joyner Bronze badge

    Sammy?

    Really - stop calling Samsung 'Sammy' as if we are all big friends. Samsung wants to dominate the market and cuts corners to do so. They are yet again caught out with sloppy practices and bringing substandard products to market. Samsung make things that look good in a shop, but dig deeper and it does not stack up. Security breaches (and anything software) are not as obvious and exciting as hardware catching on fire as in Note 7 and washing machines.

    People accuse Apple of making bling and only being interested in how something looks with UI. But that is not true. Apple digs deeper, did not take the lazy path of adopting Linux (less security) and makes sure that underneath things are as secure as possible. However, with software, even with the best development practices, things go wrong and issues that weren't considered arise. Yet Register always disparages Apple as 'that fruity company', while being loving towards 'Sammy', whatever they do.

    As Dan 55 noted before "Samsung are everything that's wrong with software development."
