Samsung Smart TV security flaw let hackers turn on built-in cameras
Flaw has been patched
By Laurie Segall and Erica Fink
6:25 PM, Aug 1, 2013
LAS VEGAS (CNNMoney) -- Today's high-end televisions are almost all equipped with "smart" PC-like features, including Internet connectivity, apps, microphones and cameras. But a recently discovered security hole in some Samsung Smart TVs shows that many of those bells and whistles aren't ready for prime time.
The flaws in Samsung Smart TVs, which have now been patched, enabled hackers to remotely turn on the TVs' built-in cameras without leaving any trace of it on the screen. While you're watching TV, a hacker anywhere around the world could have been watching you. Hackers also could have easily rerouted an unsuspecting user to a malicious website to steal bank account information.
Samsung quickly fixed the problem after security researchers at iSEC Partners informed the company about the bugs. Samsung sent a software update to all affected TVs.
But the glitches speak to a larger problem of gadgets that connect to the Internet but have virtually no security to speak of.
Security cameras, lights, heating control systems and even door locks and windows are now increasingly coming with features that allow users to control them remotely. Without proper security controls, there's little to stop hackers from invading users' privacy, stealing personal information or spying on people.
In the case of Samsung Smart TVs, iSEC researchers found that they could tap into the TV's Web browser with ease, according to iSEC security analyst Josh Yavor. That gave hackers access to all the functions controlled by the browser, including the TV's build-in camera.
"If there's a vulnerability in any application, there's a vulnerability in the entire TV," said Aaron Grattafiori, also an analyst at iSEC.
Yavor and Grattafiori were also able to hack the browser in such a way that users would be sent to any website of the hacker's choosing. While the hack would have been obvious if the website on the screen didn't match the desired address, Yavor says there could be serious implications if a bad actor sent a user to a lookalike banking page and retrieved a user's credentials.
The research was conducted on different models of 2012 Samsung Smart TVs and was presented this week at the Black Hat cybersecurity conference in Las Vegas.
In a statement to CNNMoney, Samsung said it takes user safety very seriously. Addressing the camera flaw, a company spokesperson said, "The camera can be turned into a bezel of the TV so that the lens is covered, or disabled by pushing the camera inside the bezel. The TV owner can also unplug the TV from the home network when the Smart TV features are not in use."2
Samsung also recommends that customers use encrypted wireless access points.
The iSEC crew said they remain skeptical that the technology is perfectly secure, even after Samsung patched the bugs.
"We know that the way we were able to do this has been fixed; it doesn't mean that there aren't other ways that could be discovered in the future, " Yavor said.
Companies like Samsung pay hackers when they report security vulnerabilities like the ones iSEC found. The researchers are iSEC confident that there are more undetected flaws in these devices that they are running a fund-raiser off of finding bugs in Smart TVs at technology conference Def Con later this week.
Yavor and Grattafiori say users should run regular updates from vendors like they would for anti-virus definitions or system updates on the smartphone.
And when all else fails, users can always put tape over their cameras.