Philips Smart TVs riddled with security and privacy flaws • Graham Cluley


A researcher has discovered that so-called Smart TVs from Philips suffer from a number of serious security flaws that could allow hackers to not only steal information from attached USB sticks, and play pornographic movies as a prank, but also pilfer authentication cookies which could give them access to viewers’ online accounts.

As Ars Technica reports, the serious security problem was uncovered by Luigi Auriemma of the ReVuln security research group.

According to Auriemma, a recent firmware update for Philips Smart TVs enabled a feature called “Miracast” which turns the TV into a Wi-Fi access point for the purpose of displaying video content from nearby computers and smartphones.

Unfortunately, the authentication password for the devices beaming over their video content is hardcoded on the Philips Smart TV and no PIN is required to authorise a new Wi-Fi connection.


What’s the password, you wonder? Well, here it is…

Miracast

Sigh.

Some of the consequences of this security screw-up may not be that serious. For instance, it’s easy to imagine how someone could deliberately broadcast a pornographic or otherwise embarrassing video onto a Philips Smart TV, without the permission of the owner. Or they could meddle with the TV’s controls – changing channels or the volume level, for instance – without the TV’s viewers realising what was going on.

All the prankster would need is to be within Wi-Fi range of the television.

But other attacks are more serious, such as the ability to silently exfiltrate data on USB sticks attached to the TV.

Auriemma made a video, demonstrating ways in which the flawed Smart TV firmware could be exploited:

The impact is that anyone in the range of the TV WiFi adapter can easily connect to it and abuse of all the great features offered by these SmartTV models like:
– accessing the system and configuration files located on the TV
– accessing the files located on the attached USB devices
– transmitting video, audio and images to the TV
– controlling the TV
– stealing the browser’s cookies for accessing the websites used by the user
– a lot more
Funny eh?

As Ars Technica notes, the vulnerability was introduced in a firmware update released by Philips in December last year, and there is no way for users to change the hard-coded password required by nearby devices to access the Miracast network.

Auriemma believes that all 2013 models of Philips Smart TVs are at risk because they use the same flawed firmware.

This revelation of lax security on the part of Philips highlights one of my key concerns about the “internet of things”.

Manufacturers of devices that hook up to the internet must recognise that security needs to be at the top of their design checklist. To produce such devices without paying proper attention to security could backfire when users realise personal information is being leaked, or their online lives are being put at risk.

Of course, this isn’t the first time that we have seen so-called smart televisions introduce privacy and security concerns.

Last year it was revealed that LG Smart TVs were spying on owners’ viewing habits, and grabbing information about files stored on attached USB devices.

Update:

The Wi-Fi Alliance has released a statement regarding the vulnerability reported in certain Philips Smart TVs:

“Wi-Fi Alliance takes security very seriously. All of our specifications and certifications include requirements to support the latest generation of security protections. In the case of Miracast™, the underlying specification requires device-generated passphrases to include characters randomly chosen from upper case letters, lower case letters, and numbers.

“The recent report of a non-compliant passphrase implementation appears to be limited to a single vendor’s implementation. We enforce the requirements of our certification programs and have been in contact with the company in question to ensure that any device bearing the Miracast mark meets our requirements.”
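
The requirement quoted above, as an added example (not code from the article, Philips or the Wi-Fi Alliance): a passphrase generated per device from the operating system's random source, and an audit that shows why the reported value passes a character-set check yet fails as soon as devices are compared. The 16-character length, the device names and the sample fleet are constructed assumptions.

```python
import secrets
import string
from collections import defaultdict

# Character set named in the Wi-Fi Alliance statement: upper, lower, digits.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits
FIXED_STRINGS = {"miracast"}  # the hardcoded value the article reports


def generate_passphrase(length=16):
    """Per-device passphrase from the OS CSPRNG (length 16 is an assumption)."""
    if not 8 <= length <= 63:  # WPA2-PSK passphrase bounds
        raise ValueError("passphrase length must be 8..63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_fleet(observed):
    """Map each device id to the list of findings for its passphrase."""
    by_passphrase = defaultdict(list)
    for device, passphrase in observed.items():
        by_passphrase[passphrase].append(device)
    findings = {}
    for device, passphrase in observed.items():
        issues = []
        if not 8 <= len(passphrase) <= 63:
            issues.append("length outside 8..63")
        if any(ch not in ALPHABET for ch in passphrase):
            issues.append("character outside A-Z a-z 0-9")
        if passphrase.lower() in FIXED_STRINGS:
            issues.append("known fixed string")
        if len(by_passphrase[passphrase]) > 1:
            issues.append("shared with another device")
        findings[device] = issues
    return findings


# Constructed sample: two sets share the reported value, one generates its own.
SAMPLE = {
    "tv-livingroom": "Miracast",
    "tv-bedroom": "Miracast",
    "tv-patched": generate_passphrase(),
}

if __name__ == "__main__":
    for device, issues in audit_fleet(SAMPLE).items():
        print(device, "->", issues or "ok")
```

The fixed value is eight letters drawn from the permitted character set, so only the fixed-string and shared-value checks flag it; a format check alone would not.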




Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.
