A recent FBI report warned smart TV users that hackers can also take control of your unsecured TV. “At the low end of the risk spectrum, they can change channels, play with the volume, and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV’s camera and microphone and silently cyberstalk you,” explained the FBI. The risk isn’t new. A few years ago, smart TVs from LG, Samsung, and Vizio were spying and reporting on your viewing habits to their manufacturers.
Today, the FBI is warning that “TV manufacturers and app developers may be listening and watching you.” It added, “[A] television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router,” ZDNet reported.
Smart TVs are more often than not vulnerable to various cross-site attacks where remote web sites can send commands directly to the TV. This is possible when software running on the television does not have sufficient checks to validate request authenticity. On most streaming devices I’ve tested, a remote web site can initiate a stream on the TV. The immediate impact of this is of course an annoyance but it could also be invasive or downright dangerous. Consider what might happen if a foreign adversary were able to trigger fake missile alert warnings in homes across the country.
The problems are further compounded by slow software updates on smart TVs. Modern web browsers all receive security patches no less frequently than monthly, but many TVs are likely to get 2 updates in a year. This means that potential attackers often have a long list of known vulnerabilities to exploit using cross-site attacks. Successful attacks could allow malicious web site content to gain access to TV peripherals like cameras and microphones.
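As an added example (not from the original article or from any TV vendor's firmware), the Python below shows the kind of request-authenticity check whose absence makes the cross-site attacks described above possible. The device addresses, the `X-Pairing-Token` header name, the token value and the sample requests are assumptions constructed for illustration.

```python
import hmac

# Assumed for illustration: the TV's own address and a secret shown on screen at pairing.
ALLOWED_HOSTS = {"192.168.1.50:8080", "tv.local:8080"}
ALLOWED_ORIGINS = {"http://" + h for h in ALLOWED_HOSTS}
COMMAND_METHODS = {"POST", "PUT", "DELETE"}


def check_request(method, headers, pairing_token):
    """Return (allowed, reason) for a command sent to the device's control API."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Host must be a name the device owns; a rebound DNS name arrives
    #    with someone else's domain in this header.
    if h.get("host", "").lower() not in ALLOWED_HOSTS:
        return False, "unexpected Host"
    # 2. Commands must not be triggerable by plain GETs (image tags, links).
    if method.upper() not in COMMAND_METHODS:
        return False, "method not allowed"
    # 3. Browsers attach Origin to cross-site POSTs; reject foreign origins.
    origin = h.get("origin")
    if origin is not None and origin.lower() not in ALLOWED_ORIGINS:
        return False, "cross-site Origin"
    # 4. Require the pairing secret, which a remote page has no way to read.
    supplied = h.get("x-pairing-token", "")
    if not hmac.compare_digest(supplied.encode(), pairing_token.encode()):
        return False, "bad pairing token"
    return True, "ok"


# Constructed sample requests (not captured traffic).
TOKEN = "constructed-pairing-secret"
SAMPLES = {
    "paired app": ("POST", {"Host": "192.168.1.50:8080", "X-Pairing-Token": TOKEN}),
    "cross-site form": ("POST", {"Host": "192.168.1.50:8080", "Origin": "http://untrusted.example"}),
    "rebound hostname": ("POST", {"Host": "untrusted.example:8080", "X-Pairing-Token": TOKEN}),
    "image-tag GET": ("GET", {"Host": "tv.local:8080"}),
    "no token": ("POST", {"Host": "tv.local:8080"}),
}


def evaluate_samples():
    return {name: check_request(m, hdrs, TOKEN) for name, (m, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_samples().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Only the request from the paired app passes; each of the other four is refused by a different check, which is why a device that skips any one of them remains reachable from a web page.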
A great way to reduce the risk posed by smart TVs and other connected media devices is to disable as many app control or content sharing features as possible when not in use. In my experience, these features are the ones most likely to be taken advantage of.
Another good idea is to use multiple wireless networks for segmentation. Doing general browsing on a network without access to the TVs can prevent opportunistic cross-site attacks.