FBI Warns of Smart TV DangersCameras, Microphones and Security Flaws - A Bad Recipe
The FBI has a new suspect in its sights, and there’s one in nearly every home: smart TVs.
See Also: Hybrid IT-OT Security Management
The FBI’s Portland office says the devices can pose privacy and security threats. An unsecured smart TV could be the avenue hackers use to gain access to a home network, it points out.
“A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router,” the agency warns. “Hackers can also take control of your unsecured TV. At the low end of the risk spectrum, they can change channels, play with the volume and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV's camera and microphone and silently cyberstalk you.”
TVs: Entry Point for Hackers
Smart TVs have long been known as potentially problematic internet of things devices. The data collected by smart TVs, such as programs watched, can be incredibly valuable for precise ad targeting on the TV itself and other devices used by consumers.
On the security front, the FBI warns that many newer smart TV models have cameras. In some cases, “the cameras are used for facial recognition so the TV knows who is watching and can suggest programming appropriately.”
Many of the concerns about smart TVs mirror those of mobile apps: opaque privacy policies, difficulty navigating menus plus questionable patching and software development.
"Hackers can also take control of your unsecured TV. At the low end of the risk spectrum, they can change channels, play with the volume and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV's camera and microphone and silently cyberstalk you."
In February 2018 Consumer Reports released the results of its security tests of smart TV models, including Samsung’s UN49MU8000, LG’s 49UJ7700, TCL’s 55P605, Sony’s XBR-49X800E and Vizio’s P55-E1 SmartCast TV.
It found an unsecured API in Roku’s platform, which is used in smart TVs made by Samsung, Hitachi, RCA, Sharp and many others. The API vulnerability had been present since at least 2015. The API was designed for developers to make Roku-compatible applications.
“They allowed researchers to pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content or kick the TV off the wifi network,” it reported.
The most obvious way to avoid privacy and security issues with smart TVs is simply not to buy one.
But Consumer Reports found that it’s actually challenging to purchase a television these days that doesn’t have streaming capabilities or connectivity. Two years ago, Samsung said it expected that all of its TVs to have web connectivity by next year.
And while users can blunt data collection tools by turning them off, it also means kneecapping much of the TV's functionality, Consumer Reports found.
One of the most prominent U.S. regulatory moves against a smart TV manufacturer came against Vizio, which reached a $2.2 million settlement with the U.S. Federal Trade Commission in February 2017.
The FTC alleged that Vizio installed automatic content recognition software on their devices, which collected not only minute-by-minute data on programs watched but also network data, such as IP addresses, Wifi access points and MAC addresses. It appended other demographic data to those profiles, including sex, age, income and marital status.
Vizio was accused of selling the data to other partners, including for targeted advertising. But consumers were not informed about the data collection, the FTC alleged.
Know Your Smart TV
The FBI recommends that smart TVs be treated in much the same way as mobile devices: Learn about the settings and pay attention to privacy policies.
It’s also beneficial to search for the model of a device and key terms, such as microphone, camera and privacy. If a device does have a camera and it can’t be turned off, apply black tape over it, the FBI says. It’s advisable to check if a manufacturer can deliver security patches to a smart TV.
“Change passwords if you can – and know how to turn off the microphones, cameras and collection of personal information if possible,” the FBI says. “If you can’t turn them off, consider whether you are willing to take the risk of buying that model or using that service.”
It also recommends to not rely on default security settings. Often, those are set in such a way as to facilitate data collection by default. “Confirm what data they collect, how they store that data and what they do with it,” the FBI says.