Samsung has downplayed the significance of a data-leaking security bug in its Smart TVs, but promised to close the hole by January.
Earlier this month Malta-based startup ReVuln said it had discovered a vulnerability that allows hackers to remotely copy data off USB drives connected to a Samsung TV LED 3D and other Smart TVs, among other exploits.
ReVuln published a video clip to back up its assertions, and warned the security flaw grants hackers access to personal information and allows to them to plant malware or even change channels on vulnerable sets. Lisa Vaas of Sophos has listed all the possibilities here.
Luigi Auriemma of ReVuln told El Reg that the vulnerability "affects almost all the Samsung televisions of the latest generations", meaning that multiple models are affected.
ReVuln sold information about the flaw to its customers rather than report it to Samsung, which is consistent with its general policy of non-disclosure. Although ReVuln did not go into details about the hole, Samsung said in a statement that it has isolated the problem:
We have discovered that only in extremely unusual circumstances a connectivity issue arises between Samsung Smart TVs released in 2011 and other connected devices. We assure our customers that our Smart TV’s (sic) are safe to use.
We will release a previously scheduled software patch in January 2013 to further strengthen Smart TV security. We recommend our customers to use encrypted wireless access points, when using connected devices.
Adam Gowdiak, a Polish researcher who uncovered a possible mechanism for infecting set-top boxes with malware earlier this year, said the vulnerability discovered by ReVuln bears the hallmarks of a Universal Plug and Play (UPnP) bug.
"We haven't looked into Samsung SmartTVs, the YouTube video gives little information, but it looks like UPnP or DLNA [Digital Living Network Alliance] issue to us," said Gowdiak, whose Security Explorations firm is one of the few consultancies probing the emerging world of TV security in any depth.
A Samsung Smart TV can be used to browse the internet, post updates to social networks, purchase movies and perform many other tasks. These next-generation tellies are commonly, but wrongly, thought to be immune from malware and hacking attacks. In reality smart TVs and set-top boxes are becoming more like PCs than the dumb devices of yesteryear, a factor that makes information security a potential concern.
And, let's face it, if it's electronic, someone will find a way to compromise it. ®