Smart TVs are becoming increasingly popular, especially due to their high-resolution screens, cameras, microphones and numerous innovative features that are designed to streamline and improve the user experience. Statista reports that over 114 million smart TVs were sold across the globe in 2018. Smart TVs currently account for most TVs sold. In addition to these statistics, consumers have the option to turn ‘dumb’ TV sets with HDMI input into ‘smart’ TV sets by connecting them to external streaming devices.
Android TV is currently the most popular operating system for Smart TVs. Android TV currently encompasses pure Android implementations and manufacturer-modified versions. Android and Android TV share the same base architecture, and as a result of this, many malware strains that target Android-powered smartphones and tablets are also capable of causing damage to internet-enabled TVs, according to Carey van Vlaanderen, CEO at ESET South Africa.
How can a TV be compromised?
Cybercriminals are said to be typically driven by financial motives. To this end, they are constantly searching for information they can sell for a profit, data they can use to blackmail people, hardware they can manipulate or computer power they can utilize. Smart TVs are capable of providing all of these opportunities for hackers and cybercriminals.
Cybercriminals have a variety of tools at their disposal that they can use to disrupt a person’s digital and actual life. Social engineering, malware, vulnerabilities, wrong or weak settings, and physical attacks against Smart TVs in public spaces rank among some of the most common and popular techniques that are used to gain control of Smart TVs.
Android has improved its security features over the years. Released over a decade ago, the platform is now more robust and resilient to exploits, and its sandboxing techniques have been improved and enhanced. Its attack surface has been reduced in order to increase its security fidelity.
However, the operating system’s open-source character and huge popularity, as well as the imperfect vetting process for Google Play apps, have made the platform and its users susceptible to cyber attacks. Android’s expansion into the Internet of Things (IoT) arena increases the risks outside of touchscreen mobile devices.
There have been a number of cases involving Smart TVs falling victim to ransomware. These types of cyberattacks instruct victims to pay a certain fine in order to recover access to their devices and data. Many users root their devices and install software from outside Google Play Store for Android TV. Once a device is rooted, an app can ‘run loose’ and leverage the elevated permissions to steal information from accounts in other apps, run a keylogger or neutralize a system’s security safeguards altogether.
Another threat relates to the misconfiguration of Smart TVs. This could be the fault of the TV vendor who modified the underlying operating system to add new functionalities, or it could be due to the TV owner’s own negligence, or sometimes both. The most common device misconfigurations that could set the stage for cyberattacks include keeping ports open, using insecure protocols, enabling debugging mechanisms, relying on poor or default passwords (or no passwords at all), as well as using unneeded services, which can expand the attack surface.
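As an added example (not part of the original article), the following Python sketch audits an Android TV's own configuration for the debugging and open-port misconfigurations described above. It assumes you have saved the output of `getprop` and `settings list global` from a device you own; the sample dumps are constructed, and the property names checked are standard Android ones that the article itself does not mention.

```python
import re

# Constructed sample: `getprop` output from a hypothetical Android TV box.
SAMPLE_GETPROP = """\
[ro.build.tags]: [test-keys]
[ro.debuggable]: [1]
[ro.secure]: [0]
[service.adb.tcp.port]: [5555]
[ro.product.model]: [ExampleTV]
"""

# Constructed sample: `settings list global` output (key=value lines).
SAMPLE_SETTINGS = "adb_enabled=1\ndevice_name=Living room TV\n"

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

def parse_getprop(text):
    """Return {property: value} from getprop output, skipping malformed lines."""
    matches = (PROP_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def parse_settings(text):
    """Return {key: value} from `settings list <namespace>` output."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def audit(props, settings):
    """List debugging-related weaknesses found in the device configuration."""
    findings = []
    if settings.get("adb_enabled") == "1":
        findings.append("ADB debugging is enabled in developer options")
    for key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        port = props.get(key, "")
        if port.isdigit() and int(port) > 0:
            findings.append(f"ADB is reachable over the network on TCP {port}")
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build (ro.debuggable=1)")
    if props.get("ro.secure") == "0":
        findings.append("adbd does not drop root privileges (ro.secure=0)")
    if "test-keys" in props.get("ro.build.tags", ""):
        findings.append("firmware is signed with test keys, not release keys")
    return findings

if __name__ == "__main__":
    for item in audit(parse_getprop(SAMPLE_GETPROP), parse_settings(SAMPLE_SETTINGS)):
        print("FINDING:", item)
```

A device with debugging switched off and a release-signed, non-debuggable build produces an empty list.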
Smart TVs suffer from security vulnerabilities that can make them a target for hackers. This includes flaws that make it possible to control some TV models remotely using public APIs or vulnerabilities that allow attackers to run arbitrary commands on the system. Smart TVs have voice assistants built-in and are linked to a variety of IoT devices, but this feature makes the TV more vulnerable to cyberattacks.
Physical attacks through USB ports
Vulnerabilities can be patched and users can educate themselves to avoid ransomware scams, but many TVs still become vulnerable to cyberattacks. TVs can be physically accessed by hackers in open areas, such as in waiting rooms outside offices, private living rooms or venues utilized for public functions.
USB ports can be used to run malicious scripts or to exploit vulnerabilities. This can be done very quickly and easily by using certain gadgets, for example, the Bash Bunny by Hak5 and its predecessor, the Rubber Ducky, or any hardware with similar features. These gadgets are not considered difficult to create from scratch. Attackers, armed with these devices, can automate a wide range of harmful actions based on interaction with the user interface and launch an attack in a matter of seconds just by plugging in a device that looks like a USB stick.
Social engineering remains pivotal to many campaigns aimed at stealing personal information, distributing malware or exploiting security loopholes. Almost all Smart TVs come fitted with a web browser, which is why the devices are not immune to risks such as phishing and other types of online fraud that are mainly associated with computers and smartphones.
As smart TVs continue to gain more features, the amount and sensitivity of the data they handle are increasingly appealing and attractive to cybercriminals. TVs can be misused to spy on users via the cameras or microphones or act as jumping-off points for attacks on other devices in both home and corporate networks. The more people buy gadgets and devices like Smart TVs and IoT devices, the more incentive attackers have to design new ways to take advantage of these devices within the IoT ecosystem. This highlights the need for awareness of some of the key attack vectors, and by extension, the ways to stay safe.
Edited by Kojo Essah