Smart TVs can be infected with spyware – just like smartphones

‘Smart’ televisions with built-in microphones could be used as bugging devices by corrupting them with malware, according to software specialists NCC Group, as reported by The Register.

An attacker would not even need physical access to the television to launch an attack, security experts from the group warned.

Fooling a user into installing a malicious app is one way to gain control of the microphone – but models of televisions with built-in storage and microphones can be set to auto-update, so an attacker could feasibly create an app, then release an update containing it.

Software escrow specialists NCC recently released a white paper examining potential solutions for the problems posed by so-called “Internet of Things” devices.

‘Smart TVs’ seem to have been particularly soft targets. LG admitted that one of its models had been sending information during shows watched by their owners without informing them. After a successful hack of a Samsung Smart TV, Senator Charles E Schumer, a Democrat from New York addressed a letter to television manufacturers urging them to improve security.

“Many of these smart televisions are vulnerable to hackers who can spy on you while you’re watching TV in your living room. You expect to watch TV, but you don’t want the TV watching you.”

The latest hack was demonstrated by NCC near the Infosec conference in London last week, with journalists from The Register shown how Smart TVs can be hacked in much the same way as using a malicious app against an Android phone.

“Malicious apps could be downloaded from the manufacturer’s app store. The TV does have the option for auto-updating, so releasing a legitimate app, then releasing a malicious update, is another attack vector,” a researcher said.

“The devices contain microphones and cameras that can be utilised by applications, Skype and similar apps being good examples.”

“The TV has a fairly large amount of storage, so would be able to hold more than 30 seconds of audio – we only captured short snippets for demonstrations purposes. A more sophisticated attack could store more audio locally and only upload it at certain times, or could even stream it directly to a server, bypassing the need to use any of the device’s storage.”

Author , We Live Security

  • Vicki

    God, this is so scary! I closed my Facebook account over 2 years ago due to their invasive tactics and now they have “Deepface” facial recognition software (I may have read about that from you guys). Call me old-fashioned, but I don’t own a Smart Phone or a Smart TV. Eventually, though, I know I won’t have a choice but to upgrade my electronics. Then, there’s the Smart Grid that tells the government what appliances you have and their energy usage. There’s NO escape! I am so glad I am 60 years old so I don’t have to jump through security hurdles just to live my life. Great article as always. I love all of you at ESET and your Smart Security is the best investment I’ve ever made. Thank you for your diligence in protecting us from the bad guys.

Follow us

Copyright © 2017 ESET, All Rights Reserved.