Future Tense

Researchers Hacked a Vizio Smart TV to Access Home Networks and Monitor Viewing Habits

Smart TVs can be a little too smart sometimes.


Samsung Smart TVs may be listening to everything you say, but new research published Wednesday brings a reminder that there are always new ways to compromise Internet-connected televisions—and the Internet of Things in general.

Researchers at security software company Avast noticed that a Vizio smart TV they were evaluating communicated with a particular site, tvinteractive.tv, about once a second. They were curious about what data the TV was sending to the server, so they devised a man-in-the-middle attack that allowed them to intercept the data the TV sent out and also trick the TV into thinking commands they sent to it were from the server.

They found that the TV was transmitting user viewing records (proof of how many times you’ve rewatched Blue Planet). A ProPublica report from Monday also investigated this feature, which Vizio calls “Smart Interactivity.” Julia Angwin explained, “The tracking … is turned on by default for the more than 10 million Smart TVs that the company has sold. Customers who want to escape it have to opt-out.”

Once they had done the reverse engineering and general trickery to be able to impersonate the TV’s trusted server, the researchers realized that if malicious attackers used the same technique they might also be able to infiltrate the home Internet network that the TV was on. Aaron McSorley, a developer at Avast, wrote in a blog post:

Through this experiment, our aim is to show just how much a regular person can be affected by vulnerabilities within a smart device. … We found that the smart TV we were inspecting actually broadcasted fingerprints of users’ activities, whether they agreed to the device’s privacy policy and terms of services when first setting it up. In addition, we uncovered a vulnerability within the device that could serve as a potential attack vector for an attacker attempting to access a user’s home network.

McSorley emphasizes that when Avast contacted Vizio about the vulnerability, the company was cooperative and released a patch for its affected smart TVs to protect against this man-in-the-middle approach. Vizio claims that the patch downloads automatically, though Ars Technica notes that a truly autodownloading update would be unusual.

Internet-enabled devices can be compromised by an attacker and used against us. We know this. But when you have to go home and face your TV, it feels unnerving all over again.