Consumer Reports, from publisher Consumers Union, is a magazine that has been dedicated to providing consumers with unbiased information about products and services since 1936. So basically, they’ve been doing what they’re known for longer than most of us have been alive. That’s pretty impressive when you think about it.
Here’s something that should be of interest to those of us in the cybersecurity community: Consumer Reports is starting to become a useful source of security information pertaining to consumer software and the Internet of Things (IoT).
IoT consumer devices have exploded in recent years. There are now all sorts of IoT devices that people can buy for their homes, ranging from Amazon Echo to kitchen appliances to entertainment devices for your living room.
The Digital Standard is a collaborative effort which includes Consumer Reports, security researchers, and digital privacy advocates. From The Digital Standard’s homepage:
“The Digital Standard is an ambitious, open, and collaborative effort to create a digital privacy and security standard to help guide the future design of consumer software, digital platforms and services, and Internet-connected products.
The standard defines and reflects important consumer values that must be addressed in product development: electronics and software-based products should be secure, consumer information should be kept private, ownership rights of consumers should be maintained, and products should be designed to combat harassment and help protect freedom of expression.
Our goals are to enable consumer organizations to test, evaluate, and report on whether new products protect consumer security and privacy, and to empower consumers to make smarter choices about the products they buy.”
For a publication founded all the way back in 1936, Consumer Reports sure is keeping up with the Information Age! The Smart TV vulnerabilities I’ll report here were discovered through Digital Standard research.
According to IHS Markit, 69% of new TVs shipped to retailers in 2017 had Internet capabilities. Smart TVs are now “normal TVs.” They typically connect to the WLAN in your home, so a compromised TV sits on the same network segment as every other endpoint there, including PCs and smartphones, and can serve as a foothold for attacking them. Plus, people often enter sensitive authentication data into their Smart TVs for various user accounts, such as Netflix, Hulu, Google, YouTube, and Amazon.
When those credentials fall into the wrong hands, cyber attackers can ruin people’s digital lives. Attackers can even engage in financial and identity theft with credentials stolen from Smart TVs. The consequences of cyber attacking a Smart TV can be a lot more serious than simply being unable to watch the latest NFL game in your living room (though to a lot of people, not being able to watch football would be the absolute worst thing ever).
Now that I’ve reminded you about the seriousness of this matter, let’s get to Consumer Reports’ latest findings.
These are the specific device models that Consumer Reports tested with The Digital Standard:
The Vizio model runs Google’s Chromecast, the Sony model runs Google’s Android TV, the Samsung model runs Samsung’s proprietary Tizen platform, the LG model runs webOS, and the TCL model runs Roku.
Consumer Reports found the Samsung UN49MU8000 and the TCL 55P605 to be the least secure, according to their testing methodology.
Consumer Reports researchers used remote web applications to attack the TVs they tested. By exploiting APIs in Samsung’s Tizen and in the Roku implementation on the TCL TV, they were able to control the YouTube app in order to play unpleasant videos, disconnect the TVs from their WLAN, change channels rapidly, and raise the speaker volume to eardrum-piercing levels.
All of those attacks would be very unpleasant experiences for me when all I want to do is catch up with Veronica and Betty in the latest episode of Riverdale (I love that show). It would feel like an evil ghost has taken over my living room. Could it be the Black Hood?
The Digital Standard member and Disconnect’s lead engineer Eason Goodale said, “Roku devices (such as the TCL TV) have a totally unsecured remote control API enabled by default. This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.”
A Roku spokesperson responded with, “There is no security risk to our customers’ accounts or the Roku platform with the use of this API.” But disabling the Roku API that lets attackers remotely launch YouTube, change the volume and channel, and disconnect Roku devices from the Internet also leaves legitimate users unable to control their TVs through it.
I can imagine the development of malicious bots that can wreak havoc on millions of Roku TVs through the Internet without individual human cyber attackers having to specifically target and “hack” each TV. There are definitely attackers who’d be motivated to use the Internet in order to startle people in their homes. Any vulnerability in a product that allows people to do harm is a cybersecurity problem.
The vulnerability on the Samsung UN49MU8000 appears once a user installs its corresponding Tizen remote control smartphone app. If the user then opens a malicious webpage on that same smartphone, the attacker who controls the webpage can gain the same level of control over the Samsung UN49MU8000 that a simpler attack gives over the TCL 55P605.
Goodale said, “Samsung Smart TVs attempt to ensure that only authorized applications can control the television. Unfortunately, the mechanism they use to ensure that applications have previously been authorized is flawed. It’s as though once you unlocked your door, the door would never lock again.”
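To make the two design flaws described above concrete, here is an added toy model; it is my illustration, not Consumer Reports’, Roku’s or Samsung’s code, and it does not reproduce the real Roku or Tizen API. The request paths, header names and the `PairedControlApi` design are assumptions. It puts a control API that executes any keypress reaching it (the “see-through curtain”) next to a hardened variant whose pairing token expires and can be revoked (the door that does lock again), and which refuses requests that carry a browser `Origin` header from an unknown site, since a request from a malicious web page is exactly how the researchers reached the TVs.

```python
"""Toy model of a LAN device control API (added illustration, hypothetical).

Not Roku's, Samsung's or Consumer Reports' code and not the real Roku/Tizen
API. It contrasts an unauthenticated control API with a hardened one that
requires a pairing token (with expiry and revocation) and rejects cross-site
browser requests by checking the Origin header.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ControlRequest:
    """One HTTP-style request as the TV would see it (constructed sample data)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class OpenControlApi:
    """Weak design: every keypress that reaches the port is executed, no auth."""
    executed: list = field(default_factory=list)

    def handle(self, req: ControlRequest) -> int:
        if req.method == "POST" and req.path.startswith("/keypress/"):
            self.executed.append(req.path[len("/keypress/"):])
            return 200
        return 404


class PairedControlApi:
    """Hardened design (assumed, not a vendor's actual mechanism).

    - Only a client holding a per-TV pairing token may send keypresses.
    - Tokens expire and can be revoked, so pairing once is not "unlocked forever".
    - A browser Origin header from an unlisted site is refused; that is how a
      malicious web page on a phone or PC reaches a device on the LAN.
    """

    def __init__(self, allowed_origins=(), token_ttl=3600):
        self.allowed_origins = set(allowed_origins)
        self.token_ttl = token_ttl
        self._tokens = {}  # token -> expiry timestamp (seconds)
        self.executed = []

    def pair(self, now: float) -> str:
        """Issue a fresh token. A real product would gate this behind a PIN
        shown on the screen; that step is assumed and not modeled here."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = now + self.token_ttl
        return token

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)

    def _token_valid(self, presented: str, now: float) -> bool:
        # Constant-time comparison against each issued token, then expiry check.
        for token, expiry in self._tokens.items():
            if hmac.compare_digest(token.encode(), presented.encode()):
                return now < expiry
        return False

    def handle(self, req: ControlRequest, now: float) -> int:
        origin = req.headers.get("Origin")
        if origin is not None and origin not in self.allowed_origins:
            return 403  # cross-site request issued by a browser
        token = req.headers.get("X-Pairing-Token")
        if not token or not self._token_valid(token, now):
            return 401
        if req.method == "POST" and req.path.startswith("/keypress/"):
            self.executed.append(req.path[len("/keypress/"):])
            return 200
        return 404


def demo() -> dict:
    """Send the same hostile request to both designs and report the outcomes."""
    from_web_page = ControlRequest("POST", "/keypress/VolumeUp",
                                   {"Origin": "http://attacker.example"})
    weak = OpenControlApi()
    hardened = PairedControlApi(allowed_origins=["https://tv.vendor.example"])
    token = hardened.pair(now=1000.0)
    paired_app = ControlRequest("POST", "/keypress/VolumeUp",
                                {"X-Pairing-Token": token})
    return {
        "weak_web_page": weak.handle(from_web_page),            # 200: executed
        "hardened_web_page": hardened.handle(from_web_page, now=1001.0),  # 403
        "hardened_paired_app": hardened.handle(paired_app, now=1001.0),   # 200
        "hardened_expired": hardened.handle(paired_app, now=4600.0),      # 401
    }


if __name__ == "__main__":
    print(demo())
```

The `Origin` check only stops requests that a browser makes on a web page’s behalf; an attacker already on the LAN with a raw socket can send any headers, which is why the pairing token, not the origin check, is the actual authentication. Expiry and revocation are what separate this from the behaviour Goodale describes, where a single successful authorization is honoured indefinitely.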
Samsung responded: “We appreciate Consumer Reports’ alerting us to their potential concern.” They said that they’d harden the vulnerable API “as soon as technically feasible.” I get the feeling that Samsung takes cybersecurity more seriously than Roku and TCL do. Samsung’s reaction to Consumer Reports’ finding makes me optimistic about their future Smart TVs.
Consumer Reports is also concerned that users are signing away their digital privacy rights when they accept the EULAs (end user license agreements) that display when they set up their Smart TVs for the first time. Even I’m guilty of reacting to a EULA by thinking, “Blah, blah, blah. Click on ‘Agree’ and make it go away.”
This particular concern of Consumer Reports and the Digital Standard pertains to all five Smart TVs that they tested.
Automatic Content Recognition (ACR) is a feature that collects data about which TV shows, Internet streaming programs, and DVDs and Blu-rays Smart TV users watch. That data is then sent to the applicable vendor and possibly one or many ‘business partners.’ ACR data is most frequently used for targeted advertising and market research.
If consumers don’t agree to the data-sharing terms in their Smart TV’s EULA, the set reverts to an old-fashioned “dumb TV,” and its Internet-connected features, such as watching Netflix, become unavailable.
Consumer Reports concludes that the only way for users to prohibit data collection on these Smart TVs is to not agree to their EULAs and not connect their TVs to their WLANs.
Maybe people should just buy plain old flat screen HDTV or 4K displays with HDMI and composite cable ports and little else. But it seems like pretty soon TV manufacturers won’t make those anymore.
About Kim Crawley
Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.
The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance.