Malicious Life Podcast: Smart TVs - A New Security Battlefield Transcript
You’ve probably noticed that smart homes are slowly but surely, becoming a part of our everyday lives. Many of us already own Smart TVs that can stream YouTube or Netflix, Smart Speakers such as Amazon’s Echo or Google Home – or security cameras that we can access remotely from our phones. Some early adopters even have remotely controlled alarm systems, water heaters and refrigerators – and it’s a trend that’s likely to keep growing year by year.
All these smart devices are connected to the internet, and so it’s little wonder that they are at risk of getting hacked. Still, it can be enlightening to get a glimpse of the numbers that serve to quantify that risk.
In July 2021, researchers working for the British consumer magazine “Which?” built their own smart home, made up of a variety of real consumer devices; gadgets that anyone can buy: smart audio systems, a smart thermostat, a smart kettle, and so on. They connected everything to the internet, and immediately experienced a relentless sequence of attacks, aimed at the entire system and at specific gadgets in it: more than 2000 malicious login attempts – using the default usernames and passwords that devices leave the factory with – in just a single week. That’s roughly 14 attacks – per hour. Most of the attacks were intercepted. The magazine’s employees were helped by security experts from NCC Group and the Global Cyber Alliance, so they definitely had a certain advantage over the hackers. Still, some of the hacks were successful. For instance: a wireless camera purchased on Amazon was hacked, and someone used it to spy on the house.
So here’s a question for you: what is the most vulnerable device in a smart home?
Let’s see if you guessed it right. According to a study by Avira – a security software company – two such devices sit at the top of the list. The first: smart speakers.
A Dangerous Portal
It’s no secret that smart speakers, such as the Amazon Echo or Google Home, have security risks. Researches from Check Point, for example, have shown how easy it is to hack into Alexa, the brains behind Amazon’s home speakers. A malicious link sent to users led to personal information leaking from the device: including, among other things, details about users’ bank accounts. Basically, it’s the same kind of information that can be found on a PC or a smartphone, devices that we put a lot more effort into protecting. In 2017, scientists from China’s Zhejiang University demonstrated how they can use high-frequency sound waves – sounds that are too high-pitched for human ears, yet can be picked up by a device’s microphones – to take over smart speakers from 16 different vendors, including Amazon, Microsoft, Samsung and others.
Having attackers gaining access to the personal information stored within these smart speakers is bad enough – but the biggest security problem with smart speakers is the fact they can and do serve as a portal to other devices. A smart speaker can allow you to do many things in the house – from turning the lights on and off, to operating the smart locks on the front door. Gaining control over a smart speaker can potentially give an attacker access to many other smart devices in our homes, creating all new kinds of risks.
The Weakest Security Link
But there’s another device, a surprising star on the top of the list for the most vulnerable devices in our smart home. It’s not a device that we usually think about as dangerous. It looks friendly. It’s big, it just sits there, we stare at it for hours and we never feel that it’s following us in any way. I’m talking about your TV.
Not every TV, of course. Old TV sets, that don’t have network access and don’t use apps, are about as dangerous as a flower pot. That is, you can definitely get hurt by them if they fall on your head. But smart TVs, as it turns out, are probably the weakest security link in our smart homes.
First, let’s define what makes a TV a smart TV. Simply put – any TV that can be connected to the internet is a smart TV. Once the connection is on, you can stream various media services on it, run applications (similar to our smartphone’s apps), browse the Internet, play games and more.
Essentially, we’re talking about a PC – but one which is operated a little differently, and with a bigger screen. But unlike our PCs – we approach our TV sets with a very easy going attitude. Ask yourself: when was the last time you checked your TV for malware? Do you have antivirus software installed on it?…
Yet when you come to think about it, a smart TV is a pretty tempting device to break into. Firstly, smart TVs are not that much different from smart speakers, risks included: Some smart TVs even have voice assistants, such as Alexa, installed, in order to help us switch channels, turn down the volume and search for interesting shows. Cameras and microphones are also, sometimes, part of the deal. That makes them valuable to certain threat actors – such as, for example, the CIA.
In May 2017, WikiLeaks released one of its biggest info dumps: A huge, information-laden library of documents. The title was: “Vault 7: CIA hacking tools revealed”. It included, as the name implies, a collection of hacking techniques used by the intelligence agency.
One of the files in Vault 7 described a malware code-named “Weeping Angel”. It was apparently developed in collaboration with MI5, the British equivalent of the CIA, starting in 2014, and targets a specific model of smart TVs: Samsung’s F-series.
If we take the Wikileaks dump at face value, “Weeping Angel” is a software that mimics a standard TV application, such as Netflix. But it doesn’t stream reality shows. Instead, “Weeping Angel” runs in the background, and just listens. How does it do it? It turns on the microphone found in the TV’s remote, and starts recording everything that is said around the TV set. A special feature of this little spy tool is called “Fake Off”. It’s designed to record what is happening nearby the TV set, even when the TV itself is turned off. “Weeping Angel” is supposedly installed using a USB key, but it may also be possible to install it from afar.
In a conversation with Forbes magazine, Matthew Hickey, a security researcher and co-founder of Hacker House said:
“The tool appears to be under active development. The capabilities it boasts cannot currently capture video, according to the leaked docs. But that is the goal of the project. It can record audio but it does not stream it in real-time to the CIA. Instead it copies it off the TV as files.”
This means that CIA agents are required to physically approach the infected device in order to extract the information it has accumulated. They do this, according to Wikileaks’ dump, by using a special WiFi hotspot. When the smart TV recognizes this hotspot’s name, it transmits the recorded information. We can now imagine a CIA agent in a white van, turning off the hotspot in his device, and driving into the night.
We don’t know if the CIA actually used Weeping Angel to spy on its adversaries, or if it was just a proof-of-concept – but it’s easy to see why Intelligence agencies and similar organizations might find smart TVs interesting: many, if not most meeting rooms have smart TVs sitting in quiet corner or hanging off the wall. And of course, intelligence agencies are not the only ones interested in gaining access to your smart TV.
It is not immediately obvious why anyone who’s not a potential target for an intelligence operation – should be at all concerned about hackers breaking into their smart TV. We’re used to using our laptop and desktop computers for ‘serious stuff’ – you know, logging into our bank accounts and such – so it makes sense to keep them safe. But…TVs? What reason is there to worry about the security of a device whose main function is to display reruns of Friends and the occasional sports game?
It is a valid question, yet it reminds me of conversations I had with people in the 1990’s, who didn’t understand why computer security matters. “Why should I care about viruses? I just use my PC to play games and stuff,” was a common argument back then. Experience has taught us a lot since then, but let’s look at some of the current and potential threats against smart TVs.
The first virus specifically designed to attack smart TVs was discovered in 2016. it’s name: FLocker, short for “Frantic Locker”. It started its life a bit earlier, as malware targeting mobile devices – but later versions were specifically tailored for smart TVs. FLocker’s developers released thousands of variants, adapting the malware to different devices.
According to a TrendMicro report, Flocker spreads via spam SMS or malicious links. Once opened on a smart TV, the malware ‘locks’ the screen – that is, prevents the user from interacting with the device in any way – and presents a frightening message from the “U.S. Cyber Police”, a non-existent but scary-sounding agency, accusing the TV owner of committing crimes. It’s a well known scare tactic, but many victims – especially those who are not very tech savvy – fall for it. FLocker then demands $200 – payable in iTunes gift cards – in exchange for releasing the lock on the screen. Sadly, even paying the $200 gift card ransom, does not guarantee the release of the screen, nor retrieval of any stolen data.
Who is behind FLocker? The only clue we have is a mechanism in the malware that checks the location of the attacked TV. If it is located in one of the following countries: Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia, or Belarus – the virus stops its malicious attack. This might indicate that the malware authors are Eastern European or Russian, or it might be related to issues of cost vs. benefit, or shady matters of territorial division between criminal organizations. Who knows.
Less than two years following the discovery of Flocker, information security researcher Wang Hui, from 360Netlab, discovered a new rapidly spreading malware targeting smart TVs – but this time, for a different reason.
Monero is a decentralized cryptocurrency created in 2014 – similar in nature to Bitcoin and Ethereum. Unlike Bitcoin & Ethereum, however, Monero places a major emphasis on anonymity, employing various techniques to obfuscate the details of the transactions – such as IP addresses, wallet addresses and the value of the transaction. These features make Monero especially popular among privacy advocates – as well as with users who have more nefarious intentions such as paying for drugs and weapons on Darknet markets – and, naturally, hackers.
It is a well known fact that cheap devices are often designed with little security in mind – and this seems to be true not only for knock-off DVD players and 15-dollar webcams, but also for smart TVs.
For example, in a blog post released in November 2020, an independent investigator who goes by the name “sick codes” – along with a researcher named John Jackson – warned about serious security holes in Android-Based smart TV sets from popular Chinese brand TCL – which controls 14 percent of smart TV sales in the United States. This translates to literally millions of vulnerable devices. Heck, I have one hanging off the wall behind me right now: the TV in our office is a TCL machine running Android… I Guess I’ll need to think about what I’m saying next time I’m gossiping about Ben Or during a coffee break…
Ben Or: Wait, What? You guys are talking about me behind my back?
What? Ahh…no, of course not… I meant, Nate. We’re gossiping about Nate.
Anyway, “sick codes” and Jackson discovered an undocumented TCP/IP port throught which an attacker can have full read/write access to all the files in the TV’s file system – without any need for a username or password. In most cases, an attacker would need to be on the same local network as the TV set – but in at least one case, the researchers were able to access a random TV set in Zambia, Africa, and browse its content until the TV’s owner presumably turned off the device.
When the two investigators made contact with TCL and reported their findings, an even more troubling event occurred. Sick Code discovered that his TV set was silently updated by the company. In an interview with Security Ledger, he said:
“This was a totally silent patch: they basically logged in to my TV and closed the port. […] This is a full on back door. If they want to, they could switch the TV on or off, turn the camera and mic on or off. They have full access.”
And then they made another troubling discovery: an app installed on the TV called Terminal Manager Remote, that was configured so it could send files, logs and screenshots to servers in China, the Middle East, Africa and other locations. There’s no evidence to show that such data was actually sent and who is the supposed recipient – but the capability was certainly there.
Once again, it’s not so obvious why we should even care about our smart TVs getting hacked and our data being stolen – and in many cases, the damage might indeed be negligible today. But keep in mind that as the technology evolves, it’s probable that smart TVs will take on more and more roles in our daily lives – much the same way that computers and mobile phones became more and more important and useful in the past 20 years or so. Also, it’s worth remembering that the bad guys are always looking for ways to exploit these new technologies. Perhaps a hacker could use the TV’s camera to gather information about valuables kept in the house, and the best time to break into it – or maybe they could use it to take a sensitive photo, with which they could blackmail someone. As TVs become more sophisticated and capable of carrying out more functions other than just displaying sitcoms and reality shows – new ways of abusing these capabilities will emerge too.
A Message From The FBI
TCL’s response to sick codes’ disclosure was roughly what you would expect from a large corporation’s PR department:
“TCL takes privacy and security very seriously, and particularly appreciates the vital role that independent researchers play in the technology ecosystem. […] We are committed to bringing consumers secure and robust products.”
Even if we suppose that the said vulnerabilities were due to bad judgement or bad design – it turns out that this isn’t always the case, to say the least. There may even be a bigger problem lurking inside our innocent-looking TVs.
One cold day, in early December 2019, right between Black Friday and Cyber Monday, the FBI’s Portland field office issued an unusual announcement. It read:
“Beyond the risk that your TV manufacturer and app developers may be listening and watching you, that television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router”.
In their statement, the FBI recommended regularly updating the security software on the TV, and added a not-so-technologically savvy tip: stick a black tape on the TV’s camera.
It’s a safe bet to say that the FBI’s warning didn’t really hurt the smart TV sales on Cyber Monday, which came a few days later. After all, it is rather generic and non-specific… yet, let’s take a closer look at the first sentence in the FBI’s announcement:
“Your TV manufacturer and app developers may be listening and watching you”.
The risk that the FBI puts at the top of their message is not about hackers. It’s about the smart TV manufacturers. And it certainly doesn’t come out of nowhere.
A few months prior to the FBI’s warning, the Washington Post published a story about the vast amounts of information that some smart TV manufacturers collect about their users. Big brands like Samsung and LG were mentioned.
Collecting users’ data is an everyday activity on many devices, websites and social networks. It’s a popular way to improve ads targeting, and to tailor relevant content. Yet gathering information about TV viewers is a particularly sensitive issue. Hacking into a system that controls your coffee machine isn’t probably a huge disaster: at most – someone finds out that you’re addicted to homemade caramel macchiato. But the information that can be collected by a TV is different: apart from what can be recorded by the microphone and camera, there’s also our viewing habits – which can tell a lot about ours and our kids interests and hobbies – as well as how much time we spend watching, and at what times. This is why watching TV is considered a private activity and is protected by US law.
And yet, many companies are not obeying these laws. They collect viewing habits information without getting permission from the viewers to do so – or at least – without them fully knowing that they’ve agreed.
Collecting information on smart TVs is done through a controversial system called ACR, an acronym for Automatic Content Recognition. It is a technology that allows the TV to detect what content is currently being played on the screen without direct access to the app through which the content is streamed. This is done by employing a sort of ‘fingerprinting’ technique, similar to one used by music recognition apps such as Shazam. ACR recognizes on-screen broadcasts via cable, air, streaming services and even DVD and Blu-Ray.
But as already mentioned – watching the viewers is a frowned upon activity. In February 2017, VIZIO, one of the world’s largest makers of smart TVs, was accused by the Federal Trade Commission and the New Jersey Attorney General’s Office that it had installed an ACR data collection system on its TVs. 11 million televisions in New Jersey collected every detail of their users’ viewing habits, and passed the information on to VIZIO’s headquarters, without getting clear consent. Vizio agreed to pay $2.2 million in compensation.
In a later interview to The Verge, VIZIO’s CEO Bill Baxter, defended his company’s actions.
“So look, it’s not just about data collection. It’s about post-purchase monetization of the TV. This is a cutthroat industry. It’s a 6-percent margin industry, right? I mean, you know it’s pretty ruthless. […] And then I need to make money off those TVs. […] The average lifetime of a Vizio TV is 6.9 years. […] There are ways to monetize that TV and data is one, but not only the only one. It’s sort of like a business of singles and doubles, it’s not home runs, right? You make a little money here, a little money there. You sell some movies, you sell some TV shows, you sell some ads, you know. It’s not really that different from The Verge website.”
Baxter has a point. What he is really saying is that if it wasn’t for the information gathered about our viewing habits and what not – these smart TVs would have to be more expensive, and he’s probably right. It’s the same old argument that has been going on for 20 years on the Internet: almost every website we visit – from Google to Facebook to Amazon – collects information about us and our habits, because that’s partly what allows us to keep using many of these services for free. If you’re not concerned about privacy on the internet, then you probably won’t be too concerned about VIZIO and other similar companies learning about your viewing habits. If you’re the kind of person who cares about privacy, then smart TVs are something to be concerned about.
In some ways, Smart Homes are mirroring the same trends that we saw in the World Wide Web. When computers were first introduced, security wasn’t a real concern. As the web became more prolific, that’s when we began to see the real risk from malwares and hackers taking form – and at the same time, our privacy began to suffer as more and more websites and services started tracking our activities and collecting more and more data about our habits and interests. Similarly, as our homes are becoming smarter and more connected, the risks from malware and hackers are also getting more serious – and our privacy starts to suffer as well.
Is there anything we can do to resist this trend? On a personal level, of course there is. ACR systems on smart TVs can usually be turned off. We can choose not to buy TVs equipped with cameras and microphones, or if we do – cover the camera with a black tape, as the FBI recommended. It’s also prudent to change the devices default passwords: This would also make it very difficult for viruses to get in, as they usually try all passwords and usernames that come from the factory.
But if there’s anything we’ve learned from our experience with security on the Web, is that all these measures probably won’t be enough. Most users won’t bother to change their passwords, nor turn off the ACR systems on their smart TVs (which are not always called ACR, which obviously adds even more confusion). Most users will probably continue buying smart speakers, smart coffee machines and smart TVs – as they should. After all, most of us love technology, and we don’t want our TVs to be flower-pot stupid. This means that unless something very unusual happens, the digital battlefield of cyber security will probably expand to cover almost everything around us, from coffee machines to Baby Monitors.
It used to be that a person’s home was his castle. It seems that the smarter the castle becomes, the weaker its walls get.