Next big security risk for home users: Internet connected TV

Every device between the TV cable and your laptop is hackable

Do you know why every survey about digital security shows most people don't follow even the simple recommendations of security specialists and that even those who do accept every warning of an alarming new threat?

Because security geeks are bummers, that's why.

Microsoft security guru/consultant Roger Grimes – the source of the unusually objective (for a Microsoftie) evaluation of Apple security I cited earlier this week – has issued a critical warning yesterday:

[ FREE DOWNLOAD: 68 great ideas for running a security department ]

If you have your TV hooked up to the Internet, someday soon someone will hack it.

IT market researchers NPD In-Stat estimate 100 million houses in North America and Europe will own Internet-connected TVs by 2016.

Costs are dropping and demand is growing for embedded Wi-Fi chipsets, making it cheaper to add communication capability to both computers and appliances, another NPD study showed.The level of digital intelligence inside homes will grow fast enough that 75 percent of electric meters will be smart by 2016, according to a third.

Nielsen estimates 60 percent of TV watchers check their email at the same time, using tablets or laptops and, increasingly, use voting systems or other interactive features on their favorite TV shows by downloading "The X Factor" app to their iPad or going to the site on their laptop during the show.

In December, 2010, security vendor Mocana published a study showing Internet-connected TVs could expose consumers and the companies they work with – credit cards, service providers, banks – to hackers able to push through the negligible security built into Internet TVs and set-top boxes.

The report wasn't theoretical, or a survey of the unrealistic fears of security wonks.

It was prompted by an HDTV manufacturer that asked Mocana to audit security on its boxes and show where the holes existed. The unnamed vendor is one of a very few to have made any effort at all to close off TVs as a potential hacking risk.

Digital TVs: Smart enough to be hacked, too stupid to prevent it

Digital, high-def, flatscreen TVs are computers, Grimes points out. Or at least they have computer-like things wired to their insides (which is how Mac users used to describe PCs, btw).

If they also have an Ethernet port, what you did by connecting it was not simply make it simpler to put Netflix on your main boob tube. You've connected a special-function, kind of stupid computer directly to the Internet, with no firewall and no antivirus software to protect it and precious little you can do to add your own.

In fact, making your TV hackable doesn’t even require that it have an Ethernet port. Connecting it through a media gateway, videogame console, DVD player or other device hangs your TV out there on the Internet, too.

In even more unpleasant fact, just plugging in to the set-top box could give hackers a shot at your set.

"I've successfully hacked Internet-connected TVs before," Grimes writes, not even adding that hacking a set-top box is pretty impressive considering how hard it often is to just get them to do what they're designed to do in the first place. "When I worked at Foundstone, my penetration-testing team got paid to try and break into the world's largest cable television provider's set-top box -- one of the first so-called IP TVs. Regular televisions were connected to set-top boxes, which were simply a custom personal computer appliance running a specialized version of BSD."

Grimes offers a few details and tools he used to break in to the cable box, but the important bit of the story could be a rewrite from a million other security stories: The vulnerabilities his team used to crack the set-top box were a JavaScript cross-site scripting attack, and an undocumented, unpatched, insecure web server running on the STB with no recent updates installed and little hope of ever getting any.

Your TV is probably smarter than most of the shows you watch on it

The specifics of how he broke into one STB years ago aren't relevant to the big-screen sitting in your living room running endless games of Call of Duty or the Big Bang Theory marathon.

No matter what firmware is running the thing, it's almost certain there is some vulnerability that would give hackers access to it.

The question is why.

They might be able to use the STB's certification to crack your ISP's security, or use it as a launching point for spam or attacks on other STBs.

They could even sit by voyeuristically monitoring the taste entertainment that is far less refined than the impression you try to give to people who don't join you for hours of brain-decaying reality TV.

They could even use root access in your STB or Internet-connected TV as a jumping off point to machines in the rest of the house.

If one end of an Ethernet cable is plugged into the TV, it's a good bet the other end is plugged in to the same router or switch used by the other computers in the house.

Even if the various network address translation (NAT) functions, firewalls, wishy washy permissions and local-network-sharing restrictions don't stop the probing and hacking, they could use the connection as a private proxy server to mask activity for which you'd be blamed, or just brick your TV, STB or cable router just to cause trouble.

A negligible risk that will eventually become a certainty

That doesn’t mean it's going to happen. It's extremely unlikely, just as widespread hacks of photocopiers, printers and other office devices burdened by negligible intelligence never really materialized.

Some people have done it, I'm sure, possibly even using hackable printers as the only reasonable point of penetration through security that is otherwise tight as a drum.

Companies holding enough sensitive data to be worth the effort of squeezing into them through a printer probably already understand the risk (and failed to fix it or admit they haven't).

For nearly everyone else, a vulnerable printer or set-top box or Internet TV is so small a risk it's not worth even thinking about unless you've made your home and work networks so secure you have nothing to lie awake nights worrying about except things you're not sure would work anyway.

That could change if bits of malware suddenly appeared that were able to infect and take control of TVs or STBs or home-theater-system controllers or any other of the growing number of other Internet-connected appliances.

Think of the mayhem, the suffering you'd have to endure if some soulless hacker in Ukraine were able to pwn your dishwasher and demanded you pay 'protection' money to keep the water spots off your glassware.

The thing is, that's not even much of a joke. I don't personally see much point in wiring appliances to the Internet. But home networks, entertainment systems, storage devices, alarm systems, air-conditioning and heating systems, internally wired VoIP and all kinds of other smart home-based systems are becoming common enough to provide a tempting target, even if the payoff for pwning one hasn't really shown up yet.

At some point relatively soon, even non-geek consumer households will be packed with so many devices able or required to hook up to the Internet that they'll qualify as little enterprises themselves.

Design and manufacture of those devices, for the most part, will focus on aesthetics and use, not security or efficiency. Your STB, TV and home stereo will all be smart enough to be hacked and have network connections available so any laptop in the house can be used set the DVR, change channels or stream video.

Unless there's some grand awakening among electronics manufacturers about security, none will have the firewalls or end-user authentication processes that might slow down a bit of smart malware hoping to find its way from the STB to your laptop to swipe your banking info or sign up for duty in a local botnet.

There's plenty of risk right now, but not much of a threat. The vulnerabilities exist, but as far as I know, no one is taking advantage of them.

That won't last long.

For much of the last few years the biggest security threats were aimed at big companies with big piles of secure data that could be stolen. It's more efficient that way, just as it is to rob a bank rather than mug 1,000 people on the street.

Hacking an individual PC or a home network was simply not worth the effort it would take to accomplish it, unless the PC or network then becomes an asset to the hacker -- a set of nodes in a botnet used to distribute the malware further, launch DDoS attacks, or act as a proxy server so that badly executed penetration attempt on the Pentagon looks as if it came from your house rather than a sweatshop filled with out-of-work programmers from the Ukraine.

That changed when it became clear it was more effective to spear-fish for suckers who work for the company you're trying to penetrate than it is to shotgun malware all over the Internet and hope someone with access to useful servers is infected.

It's only a matter of time until your TV will be watching you

The evolution of malware to the point that they can adapt to the random assemblage of hardware and configurations they find in strange environments made the value of attacking individuals even more clear, and automated the process to boot.

Stuxnet descendant Duqu, for example, assembles most of its working parts only after infecting a machine, by phoning home for attack modules appropriate for the environment in which it finds itself.

There's not much doubt someone will eventually take up the challenge of doing something similar to infect home networks by infecting their TVs, STBs or cable routers, possibly by downloading directly onto the device when someone in the house uses the TV to navigate to the wrong web page.

The only questions are, how long will it take before we have to be as worried about the sanctity of our digital entertainment systems as we are about our laptops and smartphones and whether anyone will be making security software to make the hack a little more difficult.

There's one more, kind of obvious question left unanswered, too: Even, if all that happens, knowing there's a risk, an immediate threat and something we can do to defend ourselves against it, how many of us will actually do anything about it?

Worrying about security is a bummer when you're trying to browse Reddit/pics wirelessly in a coffee shop or playing interactive games with your buddies on the road.

Worrying about it at home while you're trying to relax and watch TV is worse. Practically un-American.

My bet is that even long after every one of us knows someone who lost an identity or big chunk of downloaded movie and music files after having their set-top hacked, we'll continue tut-tutting about how terrible it all is and not do anything at all to stop it.

Who wants to listen to a lot of dire warnings when the weather's warm, there's baseball on TV and someone we assume is from the cable company's customer service keeps popping up a chat window on the TV to make sure we're enjoying the game. It's just a coincidence his name is Boris.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon