Recently I had a chance to do some experiments on a new generation smart TV to see how well it was secured against attacks. Within a short time I was looking at an ultimately unusable brand new TV infected with ransomware. Thankfully, there’s plenty to be learned from my tinkering.
This blog will examine some of the security issues associated with smart TVs, including ways in which they can be attacked, why anyone would want to attack them, and what you can do to stop your TV from being attacked.
The latest incarnation of the smart TV allows viewers to, among other things, browse the internet, watch on-demand streaming media, and more interestingly, download and run applications. These “smart” TVs are quickly becoming the norm in households and business environments, with some reports predicting that there will be 100 million internet-connected TVs in North American and Western European homes by 2016. Current smart TVs mainly use one of four operating systems: Tizen, WebOS 2.0, Firefox OS, or Android TV (which is a version of Android 5 Lollipop). The TV I bought runs Android but many of the scenarios I’ll look at later apply to other smart TVs regardless of the brand or operating system.
How would someone attack a smart TV?
The most likely scenario for an attack is the installation of malware onto the TV. Aside from doing this manually through the TV’s USB port, or accidently downloading an infected app from the official market for example, there are several other methods an attacker could use.
Malware could be installed on the TV by carrying out a man-in-the-middle (MitM) attack. An attacker would need to be on the same network path to conduct this attack but could do this by gaining the Wi-Fi password or hijacking DNS requests. Not all connections made by the TVs use SSL encryption and some that do, don’t verify the certificate thoroughly enough, for example some accept self-signed SSL certificates which are easy for attackers to create. Another way to avoid unsecure communication from the TV would be to make use of device certificates with solid Roots of Trust, which are already used by the Cable industry to protect their content.
When the TV user downloads an app, the attacker could intercept the request and redirect it to another server. So instead of the TV downloading the real app from the legitimate server, the request is redirected to a different server which instead sends down a malicious app to the TV. Once downloaded, the user still has to accept the permissions requested by the malicious app and open it, but since the user doesn’t know the app is not the real one, they will likely accept and install the app anyway.
An attacker can also compromise the TV by exploiting software vulnerabilities. As the TV can be used to browse the internet, all the attacker needs to do is get the user to visit a malicious website which will detect vulnerable software, exploit it, and deliver a payload. Since smart TVs render many different media formats, file format vulnerabilities, such as the recent libpng bug, would be ideal targets for attackers to exploit.
Updates… or lack thereof
It’s encouraging to see that many smart TVs are set up to automatically check for updates and download them during the time when the device is idle. Unfortunately, even though the developer of your TV’s OS might release updates for its software regularly, you’re still reliant on the TV’s manufacturer to issue the updates to your device, which means in the meantime your TV is vulnerable. My TV, for example, was still vulnerable to some of the Stagefright bugs, despite the fact that these were already addressed by Google a few months ago.
Furthermore, some smart TVs, including mine, download firmware updates from non-SSL websites, so this network traffic could be intercepted and dropped by a MitM attacker. This means the TV could be prevented from ever being updated, leaving it open to any vulnerabilities already present. On a positive note, modifying the update package itself would be difficult as, on my TV at least, it’s encrypted and verified before installation. However, we have seen other devices where the update is not protected at all.
TV remote apps
TV remote applications can come in handy and can be installed on mobile devices. The apps are authorized by a challenge-response PIN. An attacker in the same network can sniff an authenticated remote control device and replay the commands to, among other things, change channels, adjust the volume, or switch the TV off. There are risks involved with any network-accessible service and there have been many cases of denial-of-service (DoS) attacks or even remote code execution through UPnP vulnerabilities on smart devices. In general, the attacker needs to have access to the local network or have malware running on a computer inside the same network in order to conduct such an attack.
Why would someone attack a smart TV?
There are a variety of reasons why someone may want to attack a smart TV, of which, the following are some examples.
Installing adware or malware that performs click fraud onto the TV could be a way for attackers to profit from infecting smart TVs. As the TVs remain switched on for long periods, constant ad-clicking in the background without the owner’s knowledge could generate cybercriminals affiliate revenue.
Adding smart TVs to a botnet and using them to perform distributed denial-of-service (DDoS) attacks is also plausible. However, routers are a more interesting target for this and, as we’ve seen with threats such as Wifatch, routers with default passwords might also be easier to compromise.
Stealing account credentials for online streaming services or app stores like Google Play is also a possibility. The version of Android used for Android TV makes it difficult for applications to steal such account data but this may be possible with other smart TV operating systems.
New TVs have performant graphics chips, which could make them interesting targets for mining crypto currencies like Bitcoin; however, compared to specialized ASIC chips, a hijacked smart TV wouldn’t generate much profit for cybercriminals but a large network of them could be of some use.
Infecting smart TVs with ransomware could potentially be a profitable attack scenario for cybercriminals. TVs can cost a lot of money and, as we’ve seen with PC and smartphone ransomware, the threat of losing access to our precious devices and the data they hold is enough to make many people pay up. Additionally, as I found out, this attack is trivial to carry out.
Access to other connected devices
Compromising a smart TV can provide criminals with a staging post to access other devices in the home network environment or business network.
Smart TVs may collect a lot of private information such as usage data, including voice and video recordings. Cybercriminals may attempt to steal this data before or while it is uploaded to the backend, in order to use it to fine tune subsequent attacks or to blackmail the user.
How my TV got infected with ransomware
The TV I purchased has a preinstalled gaming portal, where you can select and install games. Unfortunately this portal doesn’t use encrypted web requests when communicating with the server. This allows a MitM attacker to modify all the information displayed about the app as well as the location of the app itself, making it easy to trick the user into installing a malicious app. While the user thinks he’s installing a new racing game, the attacker redirects the request to an identical looking but Trojanized version.
Since my TV was running Android, and I knew that ransomware variants are capable of infecting mobile devices and even smart watches, I was curious to find out if a hypothetical attacker could infect a TV with ransomware. Using the MITM attack scenario described earlier, I hijacked the installation of a game and had a test user install and start the malicious app on the TV. As expected, the threat worked and locked the TV after a few seconds, displayed the dreaded ransom note on the screen, and made the TV unusable. This particular ransomware displays the ransom note every few seconds which prevented me from carrying out any meaningful interaction with it.
It’s good to see that the TV uses the common Android security settings, which by default prohibits installations from third-party markets and verifies downloaded apps. These settings help to minimize the risk of accidentally installing malware. Owners need to think carefully about the risks before changing this setting.
A happy ending…eventually
So what can you do if you have ransomware on your smart TV? Sometimes the solution may be as simple as uninstalling the malware through the system menu, as our friends at 0xid demonstrated. In other cases, cleaning an infected smart TV can be more challenging. Unfortunately, the ransomware version I used was a bit more aggressive and the two-second interaction window that it allows was not long enough to go through the menu to uninstall it. When restarting the TV, there was a 20-second window before the threat started, but again this wasn’t long enough to initiate a factory reset or to access the uninstall settings.
I raised my case with the TV manufacturer’s online support but to make matters worse the malware prevented me from starting a remote-support session on the TV itself. After a while, and some additional explanations about what happened, the support staff got back to me. Sadly, they weren’t able to help me remove the ransomware from my TV. Fortunately, I had previously enabled the hidden Android ADB debugging option and was able to remove the Trojan through an ADB shell. Without this option enabled, and if I was less experienced user, I’d probably still be locked out of my smart TV, making it a large and expensive paper weight.
Although we’ve yet to see any widespread malware attacks targeting smart TVs and most of the attacks to date are proof-of-concepts created by security researchers, it doesn’t mean attackers won’t target these devices in the future. As smart TVs continue to gain in popularity cybercriminals will eventually start to target them. Smart TV owners should consider the following advice to reduce the risk of possible attacks:
In order to help drive awareness and improve the security of IoT devices, Symantec supports the Online Trust Alliance, a non-profit organization developing security and privacy standards for the Smart Home and connected devices.
110 Reykjavik, Iceland