Samsung Smart TVs hit by remote camera activation flaw

 

Gallery

Posted on 13 Dec 2012 at 09:55, by Gareth Halfacree

Samsung's latest Smart TV devices have a flaw which could lead to the TV watching you, with attackers able to activate attached cameras without a user's knowledge or consent.

A team of researchers from security firm ReVuln discovered the flaw, which allows for comprehensive access to the various features of Samsung's Smart TV products. An attacker can use the vulnerability to access username and password details for social networking sites associated with the device, copy data from storage devices attached to the TV, and even activate video cameras and microphones for sets that support video conferencing functionality.

The issue, the group claims, exists in all Samsung Smart TV sets running the latest firmware, and as yet no work-around exists for the problem. That said, protection measures commonly in place in a home - such as routers that use Network Address Translation (NAT) to prevent exposure of internal devices onto the internet - should help prevent mass exploitation of the flaw.

Samsung has yet to comment on the flaw, but its efforts to fix the problem may be hampered by ReVuln's business model: the company makes money by finding flaws in commercial products and then keeping the details to itself, demanding payment in exchange for information that would help companies to address the issues and update the software. While Samsung is likely to work towards fixing the problem itself, if it chooses not to meet ReVuln's demands it could take a significant length of time.

ReVuln's actions are in direct opposition to the commonly-accepted practice of 'responsible disclosure,' in which security researchers first release details of the problem to the company responsible for the software and allow them to develop and release a fix before going public with details that could result in attacks.

For now, those wishing to protect themselves fully should disconnect their Samsung Smart TV from the network when its internet-connected functionality is not being used.