Is Your Smart TV Spying On You?
August 5, 2013

Samsung Smart TV Security Concerns

redOrbit Staff & Wire Reports - Your Universe Online

The recent discovery of a smart TV vulnerability that could allow the integrated webcam to be remotely activated and used to spy on unsuspecting families has some questioning the safety of these high-tech televisions.

According to Chenda Ngak of CBS News, security researchers Aaron Grattafiori and Josh Yavor of iSEC Partners discovered a bug in 2012 model-year Samsung Smart TVs that allowed hackers to gain access to the webcams.

"The exploit works by inserting malicious JavaScript code into text boxes in apps, like a Skype chat window or Facebook comments," Ngak explained. He added the duo told CBS News, "the more dynamic a website is, the more opportunities there are for inserting code," and the core problem was "not with the apps but with the way they were designed for Samsung's Smart TV."

Grattafiori and Yavor, who presented their findings last week at the Black Hat security conference, said they chose Samsung-brand products because they offered the most features, meaning they also had the most potential security flaws. They told Ngak they had yet to test their method on any other brand of Internet-connected television.

The duo found several different methods that could potentially be used to hack the set's Web browser or social media applications, Slashgear's Chris Davies reported. Once either of those applications was compromised, it could be used by hackers to take total control of the television, install a userland rootkit and steal account information.

"With a little careful design, that could lead to users inadvertently handing over PayPal, banking, credit card, or other personal information, believing themselves to be on legitimate sites," Davies said. "It's the potential for the TV to be turned into a literal spy in the living room that is most disturbing, cracking into the browser, the pair was able to seize control of the webcam Samsung integrates into select smart TV models, activating it with no visible indication on the set itself that they are being watched."

The iSEC researchers notified Samsung about the vulnerability, and the company quickly issued a security fix to all affected television sets, according to CNN Money. However, the discovery of the issue sheds light on a larger problem - the lack of security on Internet-connected televisions, lights, security cameras, heating systems and similar gadgets.

"If there's a vulnerability in any application, there's a vulnerability in the entire TV," Grattafiori told reporters.

He and Yavor said they were skeptical about the technology's safety, even after Samsung corrected the issue. "We know that the way we were able to do this has been fixed; it doesn't mean that there aren't other ways that could be discovered in the future," Yavor said. The duo advise smart TV users to make sure they regularly update their software, much as they would with computer operating system or anti-virus software updates.