Black Friday and Cyber Monday sales of smart TVs are likely prodigious this Thanksgiving weekend – but consumers need to be aware of the hole they can punch in home cyber-defenses.
That’s the word from the FBI, which warned that smart TVs, internet-connected sets that let users access apps and stream Netflix and other video services, can be gateways for hackers.
“Hackers can take control of your unsecured TV,” according to the notice. “At the low end of the risk spectrum, they can change channels, play with the volume, and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV’s camera and microphone and silently cyberstalk you.”
Smart TVs also present other security issues: hackers who compromise them can use them to infiltrate home Wi-Fi setups and penetrate other devices on the network.
“A bad cyber-actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router,” the bureau said in its notice, issued ahead of Black Friday and Cyber Monday.
While the FBI didn’t directly warn about botnets, Internet of Things (IoT) devices like smart TVs are popular targets for bot herders, according to security researchers.
“Many cyberattacks, like the Mirai malware and the Dyn attacks, infect a network of computers, including smart connected devices such as home appliances, security cameras, baby monitors, air conditioning/heating controls, televisions, etc., and turn them all into compromised servers,” wrote Alan Grau, vice president of IoT, Embedded Solutions at Sectigo, who also outlined concerns in a recent Threatpost webinar. “These compromised servers then act as nodes in an attack and together create a botnet. They can participate in a variety of coordinated attacks, infecting other devices and expanding the network of bots, or participating in denial-of-service attacks.”
The feds also warned of the potential “risk that your TV manufacturer and app developers may be listening and watching you,” noting that newer TVs with built-in cameras allow video-chatting. Also, some models have facial recognition, “so the TV knows who is watching and can suggest programming appropriately,” according to the notice; that capability also potentially opens up privacy concerns.
“If you can’t turn off a camera but want to, a simple piece of black tape over the camera eye is a back-to-basics option,” the FBI noted. “Check the privacy policy for the TV manufacturer and the streaming services you use. Confirm what data they collect, how they store that data, and what they do with it.”
The concern is not theoretical: Recently, researchers discovered that smart TVs from Samsung, LG and others are sending sensitive user data to partner tech firms, even when devices are idle.
The FBI’s warning also follows news of real-world hacks and the discovery of several security vulnerabilities in smart TVs over the course of the last few years as the devices have gained popularity. As with many IoT devices, TV vendors don’t necessarily follow security-by-design principles, the FBI warned.
For instance, in April, researchers found two vulnerabilities in Android-based smart TVs from Sony, including the flagship Bravia line, which could allow attackers to access Wi-Fi passwords and images stored on the devices. In June, a vulnerability in SUPRA Smart Cloud TVs was found that would allow attackers on the same Wi-Fi network to hijack the TV set to broadcast their own content – including, potentially, fake emergency broadcast messages.
To protect themselves from all of these threats, consumers should change smart TVs’ default security settings and passwords, and know how to turn off the microphones, cameras and collection of personal information if possible, the FBI said. They should also check a manufacturer’s track record with pushing out security patches.