Is Your TV a Security Risk? IoT May be the Next Threat

The latest televisions and Blu-Ray players come equipped with more than HD video and audio.  Internet access and a host of new applications are being built into devices.   Collectively, these devices are known as the Internet of Things (IoT) and it is expected that many more devices will eventually be connected to the Internet.  Internet services run directly on these “smart” TVs and DVD players.  A popular built-in feature is wireless Internet access which enables the user to avoid plugging in an Ethernet cable.  Accessing the internet and your favorite apps directly from your TV is convenient.  However, what security risk does it pose?

IoT Security Risk

The primary question is, “Are these devices a security risk?” Examining the features of smart TVs and Blu-Ray players and comparing them to existing systems that already have a risk profile will help answer this question.

To access the Internet, a device needs an Internet browser. Currently, manufacturers have decided not to develop their browsers but to use existing products that have proven effective on other platforms.  Some devices come equipped with a version of Opera while others utilize Google’s Chrome browser. Both browsers have been reasonably responsive in addressing security vulnerabilities and supporting the latest security standards.

Another feature offered by some devices is the ability to retrieve pictures, movies, and music from networked computers by using Microsoft’s Windows “media extender technology.”  The default installation of the press center extender provides full access to most of the shared media on the network. This access could allow a compromised television or Blu-ray player to give access to files on the home network or office network.

Another consideration is the type of content that will be available on these devices.  In the past year, a significant number of exploits focused on Adobe Flash or Java.  Blu-ray players currently support Java to display content often included on Blu-ray disks, while some of the TV browsers support flash content.  Additionally, many of the applications available for these devices (like Hulu Plus) use Flash.

Smart TVs and Blu-Ray players are typically connected to the network for extended periods of time. This long-term connection poses another risk. These devices may be configured to automatically download or index programs for future use. Since these devices are rarely monitored and typically used throughout the day, a security breach may go unnoticed for an extended period of time.  The longer a security breach goes unnoticed, the more damage and harm are typically caused.

Although there have not been any reported vulnerabilities for televisions and Blu-ray players yet, do not expect it to remain this way for long.  (Update: A security firm did recently find a weakness in a Samsung TV.  For more information, click here.)  It did not take long for cell phones to be exploited after internet access and applications were ported to them. Similarly, as the internet capable televisions and Blu-ray players grow in popularity, they will become a more sought-after target of hackers.

Securing IoT devices

Since no vulnerabilities have been published, companies have not developed security patches to prevent unwanted breaches. In reviewing recent firmware update release notes from mainstream television and Blu-ray manufacturers, none of the release notes documented fixes for security vulnerabilities.   These updates only enhanced functionality, not security.

Companies who have adopted Internet-capable devices should consider keeping them on a separate network segment.  Both home and business users can disconnect devices from the network if internet features are not needed.  By staying up to date on new vulnerabilities, corrective action can be taken when needed.

For added security, also consider turning off features that automatically index or download content.  This, combined with setting the device to turn fully off, will reduce the amount of time the device is potentially vulnerable each day.  When using the media center extender, consider cutting access from the default of full access to read only.  See this article for details on configuring tightened security for media center extenders (please be aware the article is rather technical).   Eventually, security patches for these internet capable devices will be released just like security patches are released for software applications and operating systems.  However, unlike computers, users are not familiar with the firmware update process, and not all companies make it easy to upgrade their products. In the future, companies will need to develop procedures for regularly updating devices.

In conclusion, a smart TV or Blue-ray player could be vulnerable once exploits are designed for these devices.  As the consumer usage for these devices increases, the likelihood of malicious code being developed will likewise increase.  The firmware on these devices can be upgraded, but manufacturers have not released any security updates for their devices. Until manufacturers address the invasions as they occur, the three best ways to protect a device from undisclosed vulnerabilities are:

  1. Disconnect the device from the network unless it is needed to use specific Internet features
  2. Allow the device to turn off and not download content automatically
  3. Configure tighter security on Windows media extenders.