Proof of concept hack on smart TVs heading

The vast room for improvement in protecting Internet-of-Things ("IoT") devices has once again been highlighted by the recent proof of concept attack on Samsung smart TVs carried out by Swiss security consulting company, Oneconsult, in March 2017. Using an inexpensive terrestrial digital video broadcasting ("DVB-T") transmitter, security consultant Rafael Scheel embedded malicious commands into the terrestrial radio signal which was then broadcast to nearby smart TVs in order to gain root access to the devices. The malicious transmission exploited known vulnerabilities to command Scheel's own webpage (which hosted malicious code) to open in the background.

While smart device hacks are not a new thing, this hack is of particular interest because:

• Previous attacks on smart TVs have been carried out with physical access or user interaction e.g. via a USB key or downloading an app. This type of hack, however, can be carried out remotely and on multiple devices at the same time. DVB-T signals are unidirectional i.e. data only flows from the hacker to the victim, which also makes it more difficult to catch the attacker.
• Hackers with malicious intent could complete a distributed denial-of-service attack, spy on the user via the TV's camera and microphone, steal user data or attack further devices in the home - all without any obvious signs that the device has been compromised. In this proof of concept, neither a reboot nor a factory-reset proved effective in remedying the attack.

Scheel advised that as much as 90% of current smart TVs could be susceptible to similar attacks. Technology research firm, Gartner, predicts that by 2020 over one quarter of all cyberattacks will involve IoT devices. However up until now the cyber security of IoT devices such as smart TVs has generally not been taken as seriously by users and manufacturers as it is for computers, with users less likely to update anti-malware software, change passwords regularly or adjust their privacy settings (e.g. to reflect their consent to sharing data with third parties).