The smarter the TV, the dumber the owner? No, but put duct tape over your camera and microphone before it's too late!
A lot has already been written about the threat of smart TV hacking, and this article would certainly not have appeared if not for one detail.
Earlier, we heard warnings about the danger from antivirus vendors and advanced users, but for the first time in human history, the FBI, a government agency that actively cooperates with most countries of the world, recommends taping over the camera of a smart TV. The criteria the law enforcement agency uses to define a dangerous smart TV inevitably place practically all products in the risk zone, regardless of the manufacturer and the country. It suggests taping over the TV camera if:
- The owner does not know about, or does not know how to use, all the functions of the TV;
- You cannot turn off the camera and microphone on the TV, or change the basic security settings;
- The manufacturer's security policy information is not available or not understood.
Whether TVs will go on sale with the camera already taped over, or whether this accessory (electrical tape) will have to be purchased separately, only time will tell. What interests us is how urgent this problem is in our country. If we look at the places where a camera could really offer at least some opportunity to steal money or information, we see the following: all banks (and ATMs) use computer monitors without cameras, or old-style TVs without an Internet connection. In the operating halls of banks and around shop cash registers, security cameras are installed quite legally (although I consider this to be a violation of civil rights), and they pose a potential threat to a person entering a bank card password. In all these cases the main ingredient is missing: a smart TV and third-party access to the local network.
The concept of a 'smart TV' is rather loosely defined. It can include both a one-piece 'all in one case' product and amateur assemblies such as 'TV + Chromecast', 'TV + game console', 'TV + Android set-top box', 'TV + HTPC (small PC)' and even 'TV + home server'. Most assemblies built by connecting a Windows PC or an Android set-top box to a TV are no less protected than our smartphones. At least, that is true if their owners understand what they are doing; if they do not, installing a good antivirus program solves most of the problems. But when we talk about a smart TV that runs its own operating system or seriously restricts fine-tuning, the devices that remain at risk for everyone are the ready-made smart TVs and media players, such as the infamous Google Chromecast or smart speakers. Sounds unexpected, doesn't it?
Google Chromecast does not have a camera through which an intruder could spy on something interesting. However, there are other threats, and other motives, for taking control of this device. Such threats include broadcasting illegal advertisements or terrorist content on TV screens, discrediting the authorities, and so on. Recently, the well-known hackers Giraffe and J3ws3r carried out a massive push broadcast to thousands of Chromecast users.
By the will of fate and due to incorrectly configured home routers, Google's sticks were visible on the global network, where two activists immediately took control of them. The message from the two hackers was a kind of harmless warning about the dangers of carelessly configured Internet connections. A short time later, Google completely removed the broadcast from YouTube, so no traces of it can be found.
But a much more dangerous scenario is using Google Chromecast to hack your entire house and even your car, that is, every device that has voice input enabled.
A video demonstration shows that after gaining control of the Chromecast, commands can be issued through the TV speaker loudly enough for the smart coffee maker and door lock to hear. The attacker's further actions are obvious: gaining control over all elements of the smart home. Now the doors open before the 'thief', and the crowbar is no longer needed.
Amazon Echo speaker with the Alexa assistant
Along with the quite expected and, in their own way, logical threats from criminals, a well-known A-brand can also play a dirty trick on you. In February last year, the Amazon online store saw an unplanned surge in demand that is still shrouded in mystery. So that no one has a desire to chop off the author's hands, I will immediately note that everything further in this block is my personal speculation, which I cannot confirm because I did not think to take screenshots in time. In other words, treat it like a rumor. Amazon, one of the richest companies in the world, is known for providing its retail space to everyone, regardless of country, religion and political views. Thus, it is not surprising that products from China end up in Canada, and not in some apartment, but on a student campus (in a dormitory). Questions are raised only by the nature of the goods, by Amazon's policy and, in fact, by the very fact that the students did not order these goods.
That same red cloak. Photo by CBC.CA
An unknown generous sender showered the students with brand new cameras and sex toys, and the red cloak that was sent along was the cherry on the cake. All items arrived marked as 'paid', but did not contain any invoices or receipts. An initial investigation, launched right after the students' complaints, blamed Amazon's smart speakers, which supposedly bought the items themselves after picking up and interpreting words from radio and TV shows. A little later, the information about Amazon's fault disappeared, and the most ridiculous explanation for what had happened was invented. In the revised version, Chinese makers of sex toys and cameras decided to take over the Canadian market by sending gift baskets of their products to innocent students, who were then supposed to recommend the products to their friends. The only fault of the Chinese sellers was that they did not warn anyone about their intentions. Neither version is true: Chinese shops and manufacturers are not fools, and students are not innocent. We also remember the 'agreements' between Apple and the owners of the burned-out iPhone, and see no reason why Amazon would behave any differently in hiding the failures of its flagship products. I invite everyone to draw their own conclusion, but do not share it in the comments.
I wonder if Alexa will understand the pony?
There are also less conspiratorial cases, fully proven and confirmed by Amazon itself. For example, there is a famous case in which a speaker reacted to the word 'Alexa' spoken in a conversation that did not concern it. Having listened to the conversation, Alexa drew her own conclusions and began broadcasting the conversation to an outsider she found in the contact list. In this particular case everything ended well, because this person turned out to be a mutual acquaintance of the speakers, but what would have happened if this information had reached third parties?
Probably the most famous example of an attempt to eavesdrop and spy on a homeowner with the help of a television is the attempt by the CIA and MI5 to plant the 'Weeping Angel' exploit (a preloader that discreetly intercepts control of the OS, similar to pirated Windows 'activators') on Samsung F8000-series TVs.
A good idea (for the secret services) turned into a failure and a global embarrassment after the relevant documents were published on the WikiLeaks portal. The CIA and MI5 exploits were leaked to GitHub and taken apart by enthusiasts. After this software is installed, the smart TV turns into an all-seeing eye and an all-hearing ear, and is able to broadcast to a remote server. The exploit blocks OS updates, factory resets and disconnection from the Wi-Fi network, and when you try to turn the TV off (using the remote control), it sends the TV into a deep sleep without disconnecting the camera, microphone and network card. Information about the hacking of only one series of TVs has leaked into the public space, but how many are there really? Nobody knows the answer.
Surveillance by the CIA, MI5 or the FSB is not dangerous for a respectable citizen of any country, but a number of points are worrying:
- If MI5 can do it, then so can a third-party hacker;
- The blocking of OS updates as a result of the exploit turns the TV into a pumpkin, because most of its services stop working without updates.
Russian private apartments with TVs and media players installed in them are relatively safe. Relatively, because our citizens are often courageous and at the same time unaware of the consequences. They learn to set up routers themselves, install alternative firmware on smart TVs and players, and are not afraid to download software from no-name file-sharing sites. This state of mind, which in most cases leads to equipment breakdowns or opens the door to hacking from the outside, was very aptly described by Saltykov-Shchedrin:
I wanted something: either a constitution, or sevruga with horseradish, or to rip someone off
In other words, all our troubles stem from ourselves: we set ourselves up, and we clean up the mess ourselves. On the opposite side from the Russian criminals are the Russian special services, which lack any technical ability to do to televisions what their foreign counterparts do.
Image by Wikileaks, from the section on Russian 'citizen surveillance' under the SORM3 concept.
Seen in this light, both the Yarovaya law and the fresh law "On providing consumers with the opportunity to use pre-installed Russian programs for electronic computers when selling certain types of technically complex goods" take on new colors. The text of the law and its progress can be found here. For my part, I would like to note that replacing a foreign exploit with your own makes sense only if it does not turn a smart TV into a brick. And then it really will be consumer protection. Read the law carefully: there are no restrictions for the described scenarios.
At the moment, only the owners of PCs (without antivirus), Google Chromecast and Android set-top boxes with custom firmware of unknown origin are exposed to the danger of unauthorized surveillance.
We have discussed the security of 'smart' devices more than once before, and on the network you can find instructions on how to hack even such a mundane thing as a thermostat that is part of a 'smart home' device complex. And, as we can see, new security holes appear much faster than patches for old ones come out. In such an environment, there are only three possible paths:
- Do not use smart TVs and set-top boxes.
- Use them and believe only in the good.
- Use smart TVs and set-top boxes only after covering their microphones, cameras and other senses (if any) with electrical tape.
Dear readers, which of the options is closer to your worldview?