TVs Now 'Smart' Enough To Get Hijacked, Pick Up Malware
from the what-a-time-to-be-alive! dept
Hook a “smart” TV up to a “dumb” pipe and this is the inevitable result.
In a comment on Reddit this week, user “moeburn” raised the possibility of new malware circulating for Smart TVs:
My sister got a virus on her TV. A VIRUS ON HER GODDAMN TV.
It was an LG Smart TV with a built in web browser, and she managed to get a DNS Hijacker that would say “Your computer is infected please send us money to fix it” any time she tried to do anything on the TV.The Reddit post included this image:
If a TV can surf the web, it can be hijacked or pick up malware. It’s a little tougher to make malware stick to smart TV browsers, but while the commenter’s outrage might be warranted, shock isn’t.
SecureList dug into this hijacker and has both good news and bad news. The good news is this particular version was only live for a few days and disappeared more than four months ago. The bad news is that there’s nothing particularly unique about the attempted hijacking. Multiple domains served as hosts for the malware, including a handful at Amazon’s cloud services.
It’s not a new threat, but spotting it on a smart TV is rather novel. SecureList chased down other versions of the same scammy Javascript — which prompts people to call a phone number to “protect” their TV from malware — including this fantastic bit of non-native English that both impersonates a Chrome warning page and suggests your TV is now a portal to a vast selection of retail outlets.
Fortunately, it appears this hijacking can be easily dodged. Even though the code prevents browsers from closing the dialog box (it will just pop up again), the threat can be nullified in other ways.
We also ran the file on a Samsung Smart TV and got the same result. It was possible to close the browser, but it did not change any browser or DNS settings. Turning it off and on again solved the problem as well. It is possible that other malware was involved in the case reported on Reddit, that changed the browser or network settings.
As SecureList points out, it’s not a smart TV-directed threat. It’s just something that will attack any browser on any device. Other variants may change browser settings or attempt to dump a malware payload, but this one appears incapable of doing so. And while it’s only a matter of time before this becomes more widespread, there are a number of factors limiting attacks on smart TVs.
- Smart TVs are not often used to surf the web and users seldom install any app from web pages other than the vendor’s App Store – as it is the case with mobile devices
- Vendors are using different operating systems: Android TV, Firefox OS, Tizen, WebOS.
- Hardware and OS may even change from series to series, causing malware to be incompatible.
- There are by far fewer users surfing the web or reading email on the TV compared to PCs or mobile devices.
But this is coupled with more bad news: if it has a browser, it can be attacked. Someone’s going to end up with a “ransomed” TV at some point… or a fridge… or anything else a manufacturer has decided would be more attractive to consumers with added connectivity.
Comments on “TVs Now 'Smart' Enough To Get Hijacked, Pick Up Malware”
Missed one
And while it’s only a matter of time before this becomes more widespread, there are a number of factors limiting attacks on smart TVs.
You left out a rather large reason why the attackers might be interested in targeting ‘smart’ devices like tvs:
The built in security is often laughable, if it exists at all.
Combine pathetic security with the makers of the ‘smart’ devices trying to grab as much data as they can for advertising purposes, not to mention the ‘convenience’ of having multiple devices linked together allowing the weakest link to act as a security hole for other devices that would otherwise be more secure, and while ‘smart’ devices may present problems for attackers, they also offer some very tempting targets.
Re: Missed one
Not to mention all of the systems that are always listening or offer camera views. All of those patents on getting people to stand up and cheer or say something to make an ad go by faster… who wouldn’t like to be able to look into peoples homes to find the nicer ones to empty? Or snapping photos from inside someones bedroom. Or that smarttv that was scanning all attached storage it had access to on the network if it was played on the tv or not… how hard to make it upload full files rather than just filenames?
Smart TVs suffer from the corporate blinders of nothing bad came come from this.
We have an awesome idea and everything will be perfect.
Budget for security? Why would we waste money on that?
Nothing bad will happen and even if bad things happen it’ll be down the road while we are making money today.
Stick a computer in everything!!! We can charge 3 times the price, it’ll be great! As more of these enter the market, there will be more targeted attacks…
Re: Missed one
And built in camera and microphone in some cases!
Nothing like checking out a place you’d like to burgle from the inside.
Re: Missed one
Yes. Exactly how is one going to know that it’s their smart toaster that is looking through that camera on the smart TV and sending information to whomever and their brother-in-law while the smart thermostat is monitoring the smart garage door opener to determine if your home or not while the smart refrigerator spoofs the smart security system with images of half empty milk containers and redirecting signals intended for the monitoring company to YouTube so would be thieves know that the coast is clear and they can come in and collect all your non-smart stuff?
> or anything else a manufacturer has decided would be more attractive to consumers with added connectivity.
It was only extensive study that I realized
a) that my lightbulb was blinking in morse code, and
b) that I had a long lost relative in Nigeria who had left me a significant sum, needing only a modest fee to release.
When people start dying from hacks of medical implants we will look back on these days as quaint.
Re: Re:
You aren’t thinking big enough! Why hack people’s medical implants to kill them when you could hack them to make them empty their bank accounts for you. Imagine the message on the Smart TV but applied to your pacemaker – “Your pacemaker is infected with malware! Send us $$$$$ and we’ll delete the malware.”
Re: Re:
Well… that has been done a few years ago. The medical implant was a pacemaker and the range was 30 feet. But before the attack could be made public the person died. I guess he was suicided, fell down the stairs or locked himself inside a sports bag and then put the keys to the lock under the bag afterwards… you know… classical suicide. After all you don’t want an attack that could kill a high level politician to be known to the public.
Re: Re: Re:
Correction: not pacemaker, insulin pumps. So it might not be because of a high level politician. And of course nothing a nation putting sugar in about everything should be worried about.
Never mind medical implants there are MANY publicly accessible “industrial controls” with vendor default username/passwords. Until you search on Shodan and do a little poking and see that it includes Railway controls you do not get a really good realization of how truly lucky we are that trains are not ramming into each other every day.
Re: Re:
hmmm
Re: Re: Re:
Stupidest comment ever. Please don’t ever do that again. How could you possibly imagine anyone else would want to read that? There is nothing of value there.
This isn’t an issue about television security. This is an issue about consumer stupidity being so damn problematic as to hook a fucking television to the internet.
No excuses will ever be accepted as to justify any reason to hook a television to the internet.
These consumers get everything they deserve being this fucking stupid.
Next, they’ll want to hook a teapot, light bulb, toaster, refrigerator, oven, or any other electrical device to the internet because “IT’S SO KEWL!”
Poetic justice, dispensed.
Re: Re:
“No excuses will ever be accepted as to justify any reason to hook a television to the internet.”
TV on demand?
Re: Re: Re:
I’m sensing massive and subtle sarcasm. I got through the below before I thought… woah there Spartacus
“This is an issue about consumer stupidity being so damn problematic as to hook a fucking television to the internet.”
Way to blame the victim. This is absolutely about TV security and trust. What are people going to do when TVs ship with their own cellular chips, and don’t even bother asking for your wifi password? Will you be wrapping your TV in aluminium foil?
Re: Re:
“These consumers get everything they deserve being this fucking stupid.”
Nice try TV industry.
I have a hard time with this “blame the victim” mentality, is there a particular reason you dislike ignorant consumers more than you dislike greedy manufacturers?
I doubt many consumers are demanding the “Internet Of Things”, no – it is the manufacturers who are trying to convince the consumers they need this shit.
Re: Re: Re:
I’m giving Violynne a funny.
Re: Re:
Well, not until all TV manufacturers decide that their TV’s need to phone home every ten minutes because [BS Marketing Reason].
I guess we should be saying ‘monitor’ or ‘display’ at this point, though. I’d assume that TVs will disappear, since I doubt that very many people use ’em as tuners anymore.
Re: Re:
This is an issue about consumer stupidity being so damn problematic as to hook a fucking television to the internet.
Actually my TV probably has the least amount of (personal) data of any of the devices I hook up to the Internet.
Re: Re:
The fact that it exists and is selling TVs disproves that. As for the reason, of course it’s money, for selling their customers’ personal information to “business partners.” I’d expect customers to run away screaming from it, but most customers aren’t “tech-savvy” and tend to believe marketing pitches which boast consumer benefits of a connected experience.
What's the market?
Who is demanding “smart” TVs anyway?
People who want to watch Netflix, but DON’T have a game console, roku/slingbox/etc, blu-ray player, or even an HDMI cable long enough to stretch from a computer?
Are the TV manufacturers getting kickbacks from the OTT service providers for including their apps? There’s got to be some reason they are putting so much effort into doing something so badly.
Re: What's the market?
“People who want to watch Netflix, but DON’T have a game console, roku/slingbox/etc, blu-ray player, or even an HDMI cable long enough to stretch from a computer?”
That would be people looking for the elegant solution, one screen with no attached boxes. The simplicity of it, the clean lines. Give me an Xbox that’s an app that I download to my television rather than an ugly clunky box that sits beside it.
Re: What's the market?
Doing something badly takes a lot less effort than doing it well or right.
Scary
This is horrifying. What if a hijacker locks my TV to 24hr Fox News? I’ll start spouting bigotry and admiring Donald Trumps hair.
Why do I even have to buy a smart tv?!?
I don’t want a smart tv. Not because of this, though this isn’t surprising. But it adds expense, and often the UI/UX is pretty terrible. as radix mentioned you have ~$30 devices like chromecast/fire stick if you want smart functionality. And those can easily/cheaply be upgraded. I don’t want to have to upgrade my TV every few years because some new app came out that my TV doesn’t support. So why bother making TVs ‘smart’ to begin with? It seems the only way to get ‘dumb’ TVs mostly now is to get off brand TVs. Can someone please start selling dumb TVs again that are a bit cheaper than these supposed smart TVs.
Re: Why do I even have to buy a smart tv?!?
I bought a TV in the early days of connectivity, it had an ethernet port but there was no real implementation of it at the time (remember DLNA). Eventually software caught up and I was able to connect the TV to the router and serve content to it from a mac running Serviio, now I’ve got a TV that only faces my network and not the internet and I’m very glad of that – but everything on my hard drive is available on the big screen.
Pro tip:
Do not connect things to the internet unless absolutely necessary, and when you do – do so very cautiously.
Devil's Advocate Question: Any Wi-Fi on "Smart TVs"?
If so, even those in the peanut gallery that just plug these beasts into the power outlet and Digital Antenna are still open to attack if they do not tell the TV turn its Wi-Fi off?
Re: Devil's Advocate Question: Any Wi-Fi on "Smart TVs"?
Only if my TV hacks my refrigerator to get my WiFi password.
Re: Re: Devil's Advocate Question: Any Wi-Fi on "Smart TVs"?
No big deal, some ISPs broadcast your login credentials to your neighbors.
what means "disappeared"?
What exactly does “disappeared” mean, in context of this malware?
The article states:
At a glance, one might think that “disappeared” = “gone”, yet the TV that is the subject of the article managed to catch it (even though it “disappeared”).
So does “disappeared” mean it went into stealth mode or something? Or does “good news” mean Good News™? Or.. ?
Re: what means "disappeared"?
In this case, the virus went offline and cannot be contracted from the original source. It has also not been found again in the wild (not saying it’s gone, just saying it’s not around right now). The Reddit post in question was from a while ago (if it was real in the first place), and the other examples are simple JavaScript fake outs.
Reopening dialog
What about that “prevent this page from creating additional dialogs” checkbox on the screenshot? Does it not work?
Re: Reopening dialog
What piece of software do you imagine is putting that dialog up?
We are coming up on a pivot point. All these things connected to the internet so that they can be datamined about who you are and what you do in your life. As usual, no one thinks security till after the fact. So all that bought these smart tvs that will connect to the internet are in for some real experiences down the road in a few years. Sadly, it’s not just tvs.
Your vehicle, the traffic lights, your electricity provider, your water provider, grocery stores you buy your food from, your clothes from, nearly every business now has a presence on the internet.
Hackers will always go to the easiest and weakest point to get into money access. The two together spell some serious problems that are just beginning to show up but are the future.
I want nothing connected to the internet with the exception of my computer, which I can turn off. No wifi is allowed in this house. The tablet is not going to phone home. No internet connected devices that require the internet will be allowed in this household.
Even that does not prevent future problems. We are today in the same position as we were with MADD for nuclear war. That is the citizens are vulnerable totally with all this spying creating access points that have or will be discovered in the future. At some point someone is going to take advantage of it and when you go to the store you’re going to find people piled up in car wrecks at intersections, no food at the stores, no water at home, no electricity either, and it will all come to a head by such short sighted applications as you are seeing with these tvs.
Re: Re:
Hmm. Happen to know if the Lo Teks are currently accepting new members?
Don’t surf porn sites on your tv. Duh.
Re: Too much corporate push down
Corporate tech is pushing too much crap down to the US population. Most, is useless to most americans. Sad thing, too many americans want to be in the “in crowd” buying Apple shit, not even thinking about better alternatives (because they follow the crowd, or their employer does).
In my day (boomer), I could fix my cars, motorcycles, and lawnmowers. Basic stuff a man or woman could sort, and the engine was designed to be fixed. Guess what 21st century men and women, your daily transportation tool (car, motorcycle) can no longer be fixed on the road or at home unless you have a computer and mechanical engineering degree 🙂 So, young folks are now dependent on folks with the magic of medical doctors of the “old days” to fix a d*** car. Lucky, thanks to the post ww2 japan and german auto builders, modern cars and motorcycles last lots longer than old american cars. Finally american builders got the hint and are catching up. But f***, I just spent 3000 on a rebuilt ford transmission on a 125k explorer. Guess transmissions haven’t caught up to ford engines. I wish my motorcycle had an auto trans as the manual shifter crap leaks oil. Motorcycles seem always 10-20 years behind cars these days, even tho scooters now have auto transmissions. No modern motorcycle manufactures make a real “automatic transmission”, just a double clutch clunky lump, that no way compares to to real auto transmission or even scooter CVT.
Americans see so much new technology these days. Europe and far east are also catching up, and surpassing new american ideas and tech (IP theft). WTF? VR, wtf is VR useful for except for maybe flight simulation, maybe gaming? But its a big thing apparently in tech these days. Corporate push down. Typical humans, computer users, aren’t into VR gaming or aviation training (unless you have a military job flying drones, and those guys and gals are quitting that gig.
If I were a venture capitalist, I wouldn’t spend a cent on VR. There’s no daily use for VR. Except, “VR is a thing”.
If “smart tvs” become the only way I can consume “content” thru my cable tv provider, I’ll quit cable tv. I can get movies over the net on my computer. I can better control malware over a computer than a d** tv.
Re: Re: Too much corporate push down
And get off my lawn!!!!
"Jack in! Megaman.EXE transmit!"
We’re halfway to the Mega Man Battle Network series becoming reality, what with how we have many things connected to the internet even when they shouldn’t be connected to the internet. Now someone just needs to invent NetNavis so we can do some virus busting.
When someone’s smart entertainment system gets hacked and used to determine when the parents are gone and the kids are home alone, and said kids are taken and never seen again, folks may wake up to some of the risks.
Re: Re:
“when the parents are gone and the kids are home alone”=very bad parenting
And arguably orders of magnitude more serious than TVs that spy on you.
Re: Re: Re:
Despite the laws’ attempts to lower the age of culpability, I still consider teenagers younger than age of majority (eighteen or twenty-one dependent on jurisdiction) are “kids.” Are you afraid to allow your soon-to-be-grownups alone in your house unsupervised? If so, how are they ever going to grow up?
Re: Re:
That’s why the government wants magic golden-key backdoors built into TVs. That way, they can peek into our living rooms whenever they want to, to make sure the kids are safe and everybody’s OK.
what?
Bad parenting. When the parents are there, what is happening? Doing homework? Or watching TV? Or playing in the back yard? Even with a smart TV, you should be able to insert a stick. But that brings up another option, could you install another OS, and “computerize” it? Like mint or a new version of android? That would be cool.