Smart TVs are opening a new window of attack for cybercriminals, as the security defenses of the devices often lag far behind those of smartphones and desktop computers.
Running mobile operating systems such as Android, smart TVs present a soft target because manufacturers are emphasizing convenience for users over security, a trade-off that could have severe consequences.
Smart TVs aren't just consumer items, either, as the devices are often used in corporate board rooms. Sales of smart TVs are expected to grow more than 20 percent per year through 2019, according to Research and Markets.
While attacks against smart TVs are not widespread yet, security experts say it is only a matter of time before cybercriminals take note of the weaknesses.
"Many of the solutions aren't even adapting the best practices that are already known in the IT world," said Phil Marshall, chief research officer for Tolaga Research. "The ecosystem is fragmented, and there is an emphasis on getting the solution to market quickly."
Smart TVs are essentially computers, with USB ports, operating systems and networking capabilities no different from those of smartphones. But unlike computers and mobile devices, smart TVs often don't require any authentication.
"Basically with these TVs, if you are in the same room, you're always going to be treated like you're the owner of the TV," said Craig Young, a computer security researcher with Tripwire.
Young, who has been researching security issues with smart TVs, also said some models don't confirm whether someone sending commands over the network is the same person who can actually physically control the TV.
This means an attacker from afar could potentially cause a smart TV to show something far more risque than the latest sales figures during a meeting.
"If someone in the board room is doing a presentation, that can lead to some embarrassing situations or some unexpected situations," Young said.
Many of the major manufacturers -- Samsung, LG and Sony -- have built app stores for smart TVs, a model pioneered by Apple for smartphones. But users can also be convinced to download malicious apps from third-party app stores, an attack method used against smartphones that could also be used against smart TVs.
Candid Wueest, a threat researcher with Symantec, deliberately infected his brand-new, Android-powered TV with ransomware, which is malware that encrypts files and demands a ransom to be paid in bitcoin.
Wueest's experiment was a bit rigged: he modified the DNS (Domain Name System) settings on his own router in a mock man-in-the-middle attack and directed the TV to download the malicious app from a dodgy source. But such an attack would not be beyond the capabilities of attackers, he said.