With their high-resolution screens, cameras, microphones and innovative interfaces geared towards a better user experience, smart TVs have found their way into many homes. They have become so popular that, according to Statista, more than 114 million smart TVs were sold globally in 2018 and smart TVs account for most TVs sold these days. In addition, consumers also have the option to turn “dumb” TV sets with HDMI input into “smart” ones by connecting them to external streaming devices.
It is little surprise that Android TV – which encompasses both pure Android implementations and manufacturer-modified versions – is the most popular operating system for Smart TVs. With Android and Android TV sharing the same base architecture, many malware strains targeting your Android-powered smartphone or tablet are just as capable of causing havoc on your internet-enabled TV, says Carey van Vlaanderen, CEO at ESET South Africa.
How can a TV be compromised?
Cybercriminals are typically driven by financial motives. That means they want information they can sell, data they can use to blackmail people, hardware they can hijack, or computing power they can harness. Smart TVs might provide all these opportunities, making them appealing targets.
There’s an arsenal of tools that attackers can combine and use to wreak havoc on a victim’s digital – and actual – life. Malware, social engineering, vulnerabilities, wrong or weak settings, and physical attacks against smart TVs in public spaces rank among the most common techniques used to gain control of Smart TVs.
To be sure, Android security has improved since its early days. The platform, released more than a decade ago, is now more resilient to exploits, its sandboxing techniques have been enhanced, and its attack surface has been reduced courtesy of limiting the number of processes running with root privileges.
Still, its open-source character and huge popularity, together with the imperfect vetting process for Google Play apps, have made the platform, and its users, an appealing target. With Android’s expansion into the Internet of Things (IoT) arena, the risks clearly go beyond touchscreen mobile devices.
There have been cases of smart TVs falling prey to ransomware – threats that instruct victims to pay to recover access to their devices. Compounding things further, many users root their devices and install software from outside the Google Play Store for Android TV. Once a device is rooted, an app can run loose and, if malicious, it can leverage the elevated permissions to steal information from accounts in other apps, run a keylogger or neutralise the system’s security safeguards altogether.
As hinted at earlier, another threat potentially looming large has to do with the misconfiguration of your Smart TV. This could be the fault of the vendor, who modified the underlying operating system to add new functionalities, or it could very well be due to your own negligence, or it could be a combination of the two.
The most common device misconfigurations that ultimately set the stage for a cyberattack include keeping ports open, using insecure protocols, enabling debugging mechanisms, relying on poor or default passwords (or no passwords at all), as well as using unneeded services and, as a result, expanding your attack surface.
Smart TVs are also known to suffer from security vulnerabilities that can make them easy prey for hackers. This includes flaws that make it possible to control some TV models remotely using public APIs or vulnerabilities that allow attackers to run arbitrary commands on the system.
The fact that TVs have voice assistants built-in and link to a variety of IoT sensors opens another potential attack vector. The large amounts of information that they handle, together with their being hubs for endless sensors, only boost their appeal to cybercriminals.
Physical attacks through USB ports
Although vulnerabilities can be patched and users can educate themselves to avoid falling for scams, many TVs still wind up in vulnerable spaces: places where they are physically accessible to outsiders, such as waiting rooms outside offices or private living rooms used for events attended by guests who are effectively strangers.
For example, USB ports can be used to run malicious scripts or to exploit vulnerabilities. This can be done quickly and easily by using certain gadgets, such as the famous (or infamous) Bash Bunny by Hak5 and its predecessor the Rubber Ducky, or indeed any hardware with similar features. And they aren’t particularly complicated or expensive to build from scratch, either.
With these gadgets in their hands, attackers can automate a wide range of malicious actions based on interaction with the user interface and launch an attack in just a few seconds by simply plugging in a device that looks like a USB stick.
Social engineering remains at the heart of many campaigns aimed at stealing personal information, distributing malware or exploiting security loopholes.
Almost all Smart TVs come fitted with a web browser, which is why the devices are not exempt from risks such as phishing and other types of online fraud that are typically associated only with computers and smartphones.
As Smart TVs gain more features, the amount and sensitivity of the data they handle are increasingly appealing to cybercriminals. The TVs can be misused to spy on users with the cameras and microphone or act as jumping-off points for attacks on other devices in home and corporate networks.
The more people buy these and other IoT gadgets, the more incentive attackers have to design new ways to take advantage of the diverse range of products within the IoT ecosystem. This underscores the need for awareness of some of the key attack vectors and, by extension, the ways to stay safe.