Researchers demo how Philips smart TVs do not have smart security

Share this article:
Experts demonstrated how recent Philips smart TVs are vulnerable to numerous attacks.
Experts demonstrated how recent Philips smart TVs are vulnerable to numerous attacks.

There is nothing smart about the security of recent Philips smart TVs.

Malta-based security research and solutions company ReVuln released a video on Thursday that shows exactly what an attacker can do to a 2013, internet-connected Philips Smart TV running the latest firmware.

Some of these, such as controlling the TV from another device and transmitting video and audio to the TV, are meant to be features for owners. Others are not meant to be features at all, such as accessing system and configuration files, accessing files on attached USB devices, and stealing browser cookies.

The issue exists mostly because of Miracast, a Bluetooth-like feature that recent Philips smart TVs use to establish a Wi-Fi connection to user devices without the need of involving a wireless router.

“The main problem is that Miracast uses a fixed password, doesn't show a PIN number to insert and, moreover, doesn't ask permission to allow the incoming connection,” Luigi Auriemma, CEO and security researcher at ReVuln, told SCMagazine.com in a Friday email correspondence. “So basically you just connect directly to the TV via Wi-Fi, without restrictions. Miracast is enabled by default and the password cannot be changed.”

Some of the nastier attacks are able to be carried out due to a vulnerability in JointSpace, which allows external programs to control a Philips TV, Auriemma said. The flaw, discovered in September and still unpatched, allows an attacker to access files if on the same network as the TV.

Any device with a Wi-Fi adapter can be used – including PCs, tablets and smart phones – and almost all the attacks can be executed through a web browser, Auriemma said, adding that the ReVuln team was unsuccessful after trying nearly every possible way to prevent an outside user from connecting.

Turning off Miracast from the network menu should be done as soon as possible to prevent other people from connecting, Auriemma said, adding that Philips should update their TVs to ask permissions for Wi-Fi connections, as well as provide a PIN to be inserted by individuals that are connecting.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

WikiLeaks makes FinFisher surveillance software available to public

Copies of controversial surveillance software, called "FinFisher," were made available for public scrutiny by WikiLeaks.

Researcher challenges reports that BlackPOS variant struck Home Depot

Nuix believes the malware found on Home Depot's systems belongs to a different threat family.

Documents reveal NSA plans to map every internet connected device in the ...

Documents provided by Edward Snowden reveal that the NSA is looking to build a near real-time map of every single internet-connected device in the world.