The latest televisions and Blu-ray players are being shipped with more than high definition video and audio.┬á Internet access and a host of new applications are being built in to run directly on these devices.┬á A popular built-in feature is wireless access which enables the user to avoid plugging in an ┬áEthernet cable. ┬áAccessing the Internet and your favorite apps directly from your TV is convenient.┬á However, what security risk does this pose?
Are TVs and Blue Ray Players a Security Risk?
The primary question is, ÔÇ£Are these devices a security risk?ÔÇØ Examining the features of these systems and comparing it to existing systems that already have a risk profile will help answer ┬áthis question.
In order to access the Internet, a device needs a browser. Currently, ┬ámanufacturers have decided not to develop their own browsers but to use existing products that have proven effective on other platforms.┬á Some devices come equipped with a version of Opera while others utilize GoogleÔÇÖs Chrome browser. Both browsers have been reasonably responsive in addressing security vulnerabilities and supporting the latest security standards.
Another feature offered by some devices is the ability to retrieve pictures, movies and music from networked computers by using MicrosoftÔÇÖs Windows ÔÇ£media extender technology.ÔÇØ┬á The default installation of the media center extender provides full access to most of the shared media on the network. This access could allow a compromised television or Blu-ray player access to files on the home or office network.
Yet another consideration is the type of content that will be available on these devices.┬á In the past year, a large number of exploits focused on Adobe Flash or Java.┬á Blu-ray players currently support Java in order to display content often included on Blu-ray disks, while some of the TV browsers support flash content.┬á Additionally, many of the applications available for these devices (like Hulu Plus) use Flash.
Internet capable television or blu ray players are typically connected to the network for extended periods of time. This long-term connection poses another risk. These devices may be configured to automatically download or index programs for future use. Since these devices are rarely monitored and typically used throughout the day, a security breach may go unnoticed for a long period of time.
Although there have not been any reported vulnerabilities for televisions and Blu-ray players yet, do not expect it to remain this way for long.┬á It did not take long for cell phones to be exploited after Internet access and applications were ported to them. Similarly, as Internet capable televisions and Blu-ray players grow in popularity, they will become a more sought after target of hackers.
So What Can You Do?┬á
Since no vulnerabilities have been published, companies have not developed security patches to prevent unwanted breaches. In reviewing recent firmware update release notes from mainstream television and Blu-ray manufacturers, none of the release notes documented fixes for security vulnerabilities.┬á┬á These updates only enhanced functionality, not security.
Companies who have adopted Internet capable devices should consider keeping them on a separate network segment.┬á Both home and business users can disconnect devices from the network if Internet features are not needed.┬á By staying up to date on new vulnerabilities, corrective action can be taken when needed.
For added security, also consider turning off features that automatically index or download content.┬á This, combined with setting the device to turn fully off, will reduce the amount of time the device is potentially vulnerable each day.┬á When using the media center extender, consider reducing access from the default of full access to read only.┬á See this article for details on configuring tightened security for media center extenders (please be aware the article is rather technical).┬á┬á Eventually, security patches for these Internet capable devices will be released just like security patches are released for software applications and operating systems. ┬áHowever, unlike computers, users are not familiar with the firmware update process and not all companies make it easy to upgrade their products. In the future, companies will need to develop ┬áprocedures for regularly updating devices.
In conclusion, an Internet TV or Blu-ray player could be vulnerable once exploits are developed for these devices.┬á As the consumer usage for these devices increases, the likelihood of malicious code being developed will likewise increase.┬á The firmware on these devices can be upgraded but manufacturers have not released any security updates for their devices. Until manufactures address the invasions as they occur, the three best ways to protect a device from undisclosed vulnerabilities are:
- Disconnect it from the network unless it is needed to use specific Internet features
- Allow the device to turn off and not download content automatically
- Configure tighter security on Windows media extenders.