Your Smart TV knows a lot about you.
It knows exactly what Netflix shows you watch.
It knows which shows you want to watch.
But it could also be letting hackers know more than you want them to about you.
As first reported by Ars Technica, there’s a new hack whose proof of concept suggests that terrestrial radio signals could be used to take control of a large swath of Smart TV sets without having actual physical access to any one of them.
Security consultant Rafael Scheel demonstrated the hack, using a cheap transmitter to embed malicious commands into a rogue TV signal, Ars reports.
When that signal is broadcast to devices in the vicinity, it’s able to gain access to the televisions. The key to the attack is the exploitation of two documented security flaws in the Web browsers that run in the background of the TV models used in the test — both manufactured by Samsung. Other sets are not necessarily immune — if the attack were engineered to target other browser bugs, it would likely be just as effective.
“Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways,” Scheel told Ars. “Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV’s camera and microphone.”
During Scheel’s demonstration, he was able to remotely control the TV, and even rebooting and resetting the device didn’t lock him out of the smart appliance.
Perhaps the most disturbing part of Scheel’s proof of concept is that a hacker wouldn’t need any physical access to any of the devices. That means that a hacker could control a much larger number of smart TVs, too.
As an increasing number of concerns are raised about smart home devices, this demonstration certainly serves to underscore our vulnerability.
“This research is significant because TVs are used by a fundamentally different demographic than computers,” Yossef Oren, a security researcher, told Ars. “People who use TVs don’t know/care about security, they aren’t used to getting security prompts from their TVs, they don’t have the discipline of installing security updates, and so on.”