Ars Technica reports on new research that reveals a security vulnerability in Philips Smart TVs that could affect individual privacy. Smart TVs are part of the “Internet of Things” (IoT), a computerized network of physical objects. In the IoT, sensors and data storage devices embedded in objects interact with Web services. (For more on privacy and the IoT, see a Center for Democracy and Technology report that I consulted on and contributed to, “Building the Digital Out-Of-Home Privacy Infrastructure.”) Ars Technica reports:
Internet-connected TVs manufactured by Philips running the latest firmware update are wide open to browser cookie theft and other serious attacks by hackers within radio range, a security researcher has warned.
The hacks work against Philips Smart televisions that have a feature known as Miracast enabled, Luigi Auriemma, a researcher with Malta-based ReVuln (Twitter handle @revuln), told Ars. Miracast allows TVs to act as Wi-Fi access points that nearby computers and smartphones can connect to so their screen output can be displayed on the larger set. The hacking vulnerability is the result of a recent firmware update that allows anyone within range to connect to the TV, as long as they know the hard-coded authentication password “Miracast.” […]
In a video posted Wednesday, Auriemma showed how authentication cookies for valid Gmail accounts were siphoned off a Philips TV running the latest firmware. The video also demonstrated how videos, images, and other data stored on a USB drive connected to the TV can also be accessed. The theft took seconds to carry out, and there was no visible indication to an end user that anything was amiss. […]
The proof-of-concept attack is the latest to underscore the risks of so-called Internet-of-things capabilities, which transform thermostats, LED light bulbs, baby monitors, and, yes, TVs into networked appliances with the ability to send and receive commands and other data. Adding computing and networking capabilities to everyday devices shouldn’t automatically be dismissed as risky, but consumers have plenty of reason to be wary. After all, if Microsoft, Apple, and other companies with huge security teams regularly struggle to make their products safe, what reason is there to trust companies that are new to network security?