Denise Giusto Bilić, Security Researcher at ESET explains how internet-enabled Smart TVs have become a attractive target for cyberattacks and how cybercriminals can ruin more than your TV viewing experience by spying on users with the cameras and microphone or act as jumping-off points for attacks at other devices in home and corporate networks.
With their high-resolution screens, cameras, microphones and innovative interfaces geared towards a better user experience, smart TVs have found their way into many homes. They have become so popular that, according to Statista, more than 114 million smart TVs were sold globally in 2018and smart TVs account for the majority of TVs sold these days.
In addition, consumers also have the option to turn “dumb” TV sets with HDMI input into “smart” ones by connecting them to external streaming devices. Three of the best-known streaming devices are Google Chromecast, Amazon’s Fire TV, and Apple TV. Nonetheless, there are dozens of TV boxes or streaming boxes that offer similar features.
It is little surprise that Android TV – which encompasses both pure Android implementations and manufacturer-modified versions – is the most popular operating system for smart TVs. With Android and Android TV sharing the same base architecture, many malware strains targeting your Android-powered smartphone or tablet are just as capable of causing havoc on your internet-enabled TV.
How can a smart TV be compromised?
Cybercriminals are typically driven by financial motives. That means they want information they can sell, data they can use to blackmail people, hardware they can hijack, or computing power they can harness. Smart TVs might provide all these opportunities, making them appealing targets.
There’s an arsenal of tools that attackers can combine and use to wreak havoc on a victim’s digital – and actual – life. Malware, social engineering, vulnerabilities, wrong or weak settings, and physical attacks against smart TVs in public spaces rank among the most common techniques used to gain control of smart TVs.
To be sure, Android security has improved since its days of old. The platform, released more than a decade ago, is now more resilient to exploits, its sandboxing techniques have been enhanced, and its attack surface has been reduced courtesy of limiting the number of processes running with root privileges.
Still, its open-source character and huge popularity, together with the imperfect vetting process for Google Play apps, has made the platform, and its users, an appealing target. With Android’s expansion into the Internet of Things (IoT) arena, the risks clearly go beyond touchscreen mobile devices.
There have been cases of smart TVs falling prey to ransomware similar to Simplocker and the “police virus“ – threats that instruct victims to pay up in order to recover access to their devices. Meanwhile, in 2018 a worm called ADB.Miner hijacked the computing power of thousands of Android devices, including many Android-based smart TVs, and used them to mine digital coins for the attackers. This threat is an example of how malware designed for cryptocurrency-mining has become more complex, gaining the ability to self-propagate and install itself on Android devices by exploiting open debug ports.
Compounding things further, many users root their devices and install software from outside Google Play store for Android TV. Once a device is rooted, an app can run loose and, if malicious, it can leverage the elevated permissions for stealing information from accounts in other apps, execute a keylogger or overall neutralize the system’s security safeguards.
As hinted at earlier, another threat potentially looming large has to do with misconfiguration of your smart TV. This could be the fault of the vendor, who modified the underlying operating system to add new functionalities, or it could very well be due to your own negligence, or it could be a combination of the two.
The most common ways that device misconfiguration that ultimately set the stage for a cyberattack include keeping ports open, using insecure protocols, enabling debugging mechanisms, relying on poor or default passwords (or no passwords at all), as well as using unneeded services and, as a result, expanding your attack surface.
Lest it be forgotten, insecure settings paved the way to the ADB.Miner outbreak, as the worm scanned for devices with their Android Debug Bridge (ADB) open to remote connections.
Smart TVs are also known to suffer from security vulnerabilities that can make them easy prey for hackers. This includes flaws that make it possible to control some TV models remotely using public APIs or vulnerabilities that allow attackers to run arbitrary commands on the system.
Other proof-of-concept or actual attacks relied on the use of HbbTV (Hybrid Broadcast Broadband TV) commands to gain administrator permissions and execute malicious actions. Additional examples aren’t hard to come by, and one of our earlier articles listed a slew of them.
The fact that TVs have voice assistants built-in and link to a variety of IoT sensors opens another potential attack vector. The large amounts of information that they handle, together with their being hubs for endless sensors, only boosts their appeal to cybercriminals.
Physical attacks through USB ports
Although vulnerabilities can be patched and users can educate themselves to avoid falling for scams, many TVs still wind up in vulnerable spaces. Places where they are physically accessible to outsiders, such as in waiting rooms outside offices or in private living rooms used for events attended by guests who are effectively strangers.
For example, USB ports can be used to run malicious scripts or to exploit vulnerabilities. This can be done quickly and easily by using certain gadgets, such as the famous (or infamous) Bash Bunny by Hak5 and its predecessor, the Rubber Ducky, or indeed any hardware with similar features. And – spoiler alert – they aren’t particularly complicated or expensive to create from zero, either.
With these gadgets in their hands, attackers can automate a wide range of malicious actions based on interaction with the user interface and launch an attack in just a few seconds by simply plugging in a device that looks like a USB stick.
Generally speaking, social engineering remains at the heart of many campaigns aimed at stealing personal information, distributing malware or exploiting security loopholes.
There is nary a smart TV that doesn’t come fitted with an email client and web browser, which is why the devices are not exempt from risks such as phishing and other types of online fraud that are typically associated only with computers and smartphones.
As smart TVs gain more features, the amount and sensitivity of the data they handle are increasingly appealing to cybercriminals. The TVs can be misused to spy on users with the cameras and microphone or act as jumping-off points for attacks at other devices in home and corporate networks.
The more people buy these and other IoT gadgets, the more incentive attackers have to design new ways to take advantage of the diverse range of products within the IoT ecosystem. This underscores the need for awareness of some of the key attack vectors and, by extension, the ways to stay safe.