If it connects to the Internet, it’s vulnerable to attack.
Digital security experts warn that smart TVs – Internet-enabled television sets -- provide cybercriminals a new way to sneak into your home computer and steal sensitive personal information.
While such hacks are so far only known to have been done by security researchers, experts say it’s only a matter of time before an enterprising crook uses a smart TV to rob someone blind.
“As more people get these smart sets, we’ll see a lot more hacking of TVs to get into the home computer network,” said Pam Dixon, executive director of the World Privacy Forum. “It’s not a back-door or a side-door; it’s a front door to your home network. It’s a toboggan run directly to your computer.”
And the number of such sets is growing rapidly. About 46 percent of U.S. households have a smart TV – a set that has a browser and Wi-Fi capability that enables it to go online, according to the Consumer Technology Association (CTA). That figure is expected to pass 50 percent before the end of the year. CTA predicts that nearly 70 percent of all TVs sold in the U.S. this year will be capable of connecting to the Internet.
Robert Siciliano, a fraud prevention specialist with BestIDTheftCompanys.com, says it’s only a matter of time before cybercriminals exploit this attractive target.
“It’s inevitable that smart TVs will be hacked to gain access to home computer systems,” Siciliano said. “Smart TVs, like computers, host numerous software programs and apps that are susceptible to being compromised. Both security researchers and criminals have figured out that you can jump from the smart TV or an app on that TV to the laptop or desktop or any other computer on the home network.”
Here are some of the things a hacker with access to your TV could do:
- See your viewing, browsing or other usage history to possibly use against you.
- Access any information, photos or data you might have on a memory stick connected to the TV.
- Steal account numbers and passwords.
Electronics companies are well aware that their sets are vulnerable and say they are doing things to mitigate the risk.
“Manufacturers today are clearly stepping up the game and they’re doing more than ever before to lock down the technology,” Shawn DuBravac, CTA’s chief economist, told NBC News. “We’re working with them quite closely on best practices and other things that can be done to secure those environments.”
Security experts told NBC News they don’t know of any data thefts where the break-in was done via a smart TV. But last year, security researchers were able to hack into a smart TV and turn on the built-in camera and microphones. If hackers accomplished the same thing “in the wild,” people in front of the set would never know someone was spying on them.
At the Consumer Electronics Show in Las Vegas earlier this month, Samsung announced that its newest smart sets, which use the Tizen-based operating system, would come with a new security suite called GAIA.
In its news release Samsung said GAIA “creates a secure space … to safeguard personal information” such as credit card numbers and passwords. GAIA also has built-in anti-malware to detect and block any unauthorized programs that may be used to hack key parts of the set’s operating system. And it encrypts important data transmitted between the set and other servers.
A diabolical demonstration
Candid Wueest, a threat researcher with digital security firm Symantec, was able to successfully infect his new Android-based smart TV with ransomware – software that locks a computing device until a user pays extortion to the hacker. He said it was easy to do. As he wrote on Symantec’s blog, the malicious software “locked the TV after a few seconds, displayed the dreaded ransom note on the screen, and made the TV unusable.”
Why would cybercriminals want to shut down a TV?
“Attackers just want to make money, so they are after the profits,” Wueest told NBC News in an interview from Switzerland. “Imagine this happening during the Super Bowl. A lot of people would probably pay to get their TV working again, so there’s the potential for a lot of money involved here.”
You probably don’t think of that new web-enabled television as another computer in the house. But that’s exactly what it is – and you need to treat it that way.
While most users have security software on their computers, there is no anti-virus software specifically made for televisions. And while you probably lock your computer with a password, that smart TV can be used by anyone who has access to the remote control.
“These TVs are manufactured as a consumer appliance and not as a computing device first and foremost, so there’s virtually no security involved,” said Chester Wisniewski, a senior security adviser at the network security company Sophos. “They’re far less protected than your other computers which make them a soft target, an attractive target, for the bad guys.”
You could, of course, eliminate the risk of getting hacked by disconnecting your smart TV from the Internet, but that would defeat the purpose of having a web-enabled set.
So what can you do short of that radical step? Wisniewski has two suggestions:
- If your smart TV runs on the Android platform, go to the Google Play store and download any of the security apps designed to protect your Android smartphone.
- If your Wi-Fi router allows you to create multiple accounts, set up a guest account for your TV.
That’s how Wisniewski addressed the threat on his home network.
“I have a separate network just for the smart things in my home,” Wisniewski explained. “That way they’re not on the same network as my PC and laptop where I do all of my sensitive stuff. And that way, if they were to be hacked, it’s probably not the end of the world.”
The CTA recommends making sure that “firmware” -- permanent software built into a computing device’s read-only memory -- is up to date when you first use the TV and set it to automatically accept future firmware updates as they become available.
Also, be careful when installing new applications because they could be hiding malware. Your best bet: Avoid apps from unknown sources and non-official locations.
Also limit what you do online via that television. Even though these TVs make it easy to get online, don’t use them to do anything that involves account numbers, PINs, passwords or other sensitive information.
Pam Dixon with the World Privacy Forum put it bluntly: “Until further notice, until TVs are equipped with really good security software and robust firewalls, doing any kind of financial transaction through your TV is a really bad idea.”