Researchers demo how Philips smart TVs do not have smart security

Share this article:
Experts demonstrated how recent Philips smart TVs are vulnerable to numerous attacks.
Experts demonstrated how recent Philips smart TVs are vulnerable to numerous attacks.

There is nothing smart about the security of recent Philips smart TVs.

Malta-based security research and solutions company ReVuln released a video on Thursday that shows exactly what an attacker can do to a 2013, internet-connected Philips Smart TV running the latest firmware.

Some of these, such as controlling the TV from another device and transmitting video and audio to the TV, are meant to be features for owners. Others are not meant to be features at all, such as accessing system and configuration files, accessing files on attached USB devices, and stealing browser cookies.

The issue exists mostly because of Miracast, a Bluetooth-like feature that recent Philips smart TVs use to establish a Wi-Fi connection to user devices without the need of involving a wireless router.

“The main problem is that Miracast uses a fixed password, doesn't show a PIN number to insert and, moreover, doesn't ask permission to allow the incoming connection,” Luigi Auriemma, CEO and security researcher at ReVuln, told SCMagazine.com in a Friday email correspondence. “So basically you just connect directly to the TV via Wi-Fi, without restrictions. Miracast is enabled by default and the password cannot be changed.”

Some of the nastier attacks are able to be carried out due to a vulnerability in JointSpace, which allows external programs to control a Philips TV, Auriemma said. The flaw, discovered in September and still unpatched, allows an attacker to access files if on the same network as the TV.

Any device with a Wi-Fi adapter can be used – including PCs, tablets and smart phones – and almost all the attacks can be executed through a web browser, Auriemma said, adding that the ReVuln team was unsuccessful after trying nearly every possible way to prevent an outside user from connecting.

Turning off Miracast from the network menu should be done as soon as possible to prevent other people from connecting, Auriemma said, adding that Philips should update their TVs to ask permissions for Wi-Fi connections, as well as provide a PIN to be inserted by individuals that are connecting.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Reported breaches involving zero-day bug at JPMorgan Chase, other banks

Reported breaches involving zero-day bug at JPMorgan Chase, ...

Hackers exploited a zero-day vulnerability and gained access to sensitive information from JPMorgan Chase and at least four other financial institutions, reports indicate.

Data on 97K Bugzilla users posted online for about three months

During a migration of the testing server for test builds of Bugzilla software, data on about 97,000 Bugzilla users was inadvertently posted publicly online.

Chinese national had access to data on 5M Arizona drivers, possible breach ...

Although Lizhong Fan left the U.S. in 2007, the agencies responsible for giving him access to Americans' personal information have yet to disclose the details of the case to the public.