There is nothing smart about the security of recent Philips smart TVs.
Malta-based security research and solutions company ReVuln released a video on Thursday that shows exactly what an attacker can do to a 2013 internet-connected Philips Smart TV running the latest firmware.
Some of these capabilities, such as controlling the TV from another device and transmitting video and audio to it, are meant to be features for owners. Others are not meant to be features at all, such as accessing system and configuration files, accessing files on attached USB devices, and stealing browser cookies.
The issue exists mostly because of Miracast, a Bluetooth-like feature that recent Philips smart TVs use to establish a Wi-Fi connection to user devices without involving a wireless router.
“The main problem is that Miracast uses a fixed password, doesn't show a PIN number to insert and, moreover, doesn't ask permission to allow the incoming connection,” Luigi Auriemma, CEO and security researcher at ReVuln, told SCMagazine.com in a Friday email correspondence. “So basically you just connect directly to the TV via Wi-Fi, without restrictions. Miracast is enabled by default and the password cannot be changed.”
Some of the nastier attacks can be carried out because of a vulnerability in JointSpace, the interface that allows external programs to control a Philips TV, Auriemma said. The flaw, discovered in September and still unpatched, allows an attacker on the same network as the TV to access its files.
Any device with a Wi-Fi adapter can be used – including PCs, tablets and smartphones – and almost all the attacks can be executed through a web browser, Auriemma said, adding that the ReVuln team tried nearly every possible way to prevent an outside user from connecting and none of them worked.
Owners should turn off Miracast from the network menu as soon as possible to prevent other people from connecting, Auriemma said, adding that Philips should update its TVs to ask permission before accepting Wi-Fi connections and to display a PIN that the connecting user must enter.