Security quotes of the week
Posted Mar 10, 2017 13:50 UTC (Fri) by hkario (subscriber, #94864)
In reply to: Security quotes of the week by smitty_one_each
Parent article: Security quotes of the week
or in other words: Smart TV != HTPC + TV; or even Roku + TV
Posted Mar 10, 2017 16:38 UTC (Fri)
by excors (subscriber, #95769)
I got a quite expensive Samsung Smart TV some years ago and it seems the smart software (which was fairly rubbish and painfully slow) has barely changed at all since it was released, apart from some of the apps disappearing. Samsung also helpfully sold an Evolution Kit, which was a piece of hardware you could plug into the back to upgrade it to the next year's version of the smart UI - but that was restricted to only the most expensive models of TV, not the merely quite expensive ones. And it cost around £250. (£250 for the Evolution Kit, not the TV). And that'd only extend the TV's useful life by about one year.
Alternatively you can get any TV with an HDMI input and add a Roku Streaming Stick or Fire TV Stick or Chromecast etc for under £40, which are decently designed and will probably be well supported for several years. When they become obsolete, or if they have unresolved security issues, you can easily and cheaply throw them away and get a new model, and you can keep the expensive TV screen forever.
So I kind of agree with the advice in Lauren Weinstein's post, except I think all the reasoning there is wrong:
> if you have one, don’t connect it to the Internet directly.
The leaked CIA wiki mentions USB installation of hacked firmware, not a remote exploit. Lack of internet won't stop it getting exploited, and once it's exploited it can silently connect to the wifi access point in the CIA van outside your house.
> "Well, what if the spooks are subverting both my smart TV and my external dongle?" [...] The solution though even for that scenario is simple — kill the power to the dongle when you’re not using it.
If they're both subverted, but (for some reason) the subverted TV isn't connected to wifi directly, it could simply buffer the recorded audio and send it over to the subverted dongle once it's powered on again.
> Buy a Chromecast or Roku or similar dongle that will provide your Internet programming connectivity via HDMI to that television — these dongles don’t include microphones [...]
Many versions of Roku and Fire TV have voice search via a microphone in the remote. (And the remotes are battery powered so in theory they could also record audio while your dongle is unpowered (though in practice they only have a tiny amount of storage)). Chromecast's 'remote' is your phone, which also has microphones (and at least two cameras, and a couple of internet connections, and a load of storage and local processing power, and known-insecure years-old software).
Posted Mar 10, 2017 18:28 UTC (Fri)
by rgmoore (✭ supporter ✭, #75)
Maybe that will happen if you're a target of a powerful nation state's intelligence service, but that's not the threat most of us should really be worrying about. The typical person is at far more risk of having their TV hacked by script kiddies who want to add it to their botnet, or to spy on random people for the thrill of it. You'll probably be able to dodge that threat by not connecting your TV directly.
For the people who are targets of powerful security agencies, shutting down any particular avenue of attack is really just playing whack-a-mole. If the CIA is really targeting you, they aren't going to let your lack of a smart TV stop them; they'll just use one of their numerous other tools to do the job. The only way to avoid that kind of really dedicated spying attempt is by traditional tradecraft.
Posted Mar 10, 2017 19:55 UTC (Fri)
by Cyberax (✭ supporter ✭, #52523)
Posted Mar 16, 2017 8:50 UTC (Thu)
by oldtomas (guest, #72579)
This would be for the CIA's premium customers. For the rest of us, access is via the neighbour's open (possibly also hacked[1]?) WiFi.
I always thought: "I trust my WiFi router, so my TV won't go to the Internet". Until I realized that. Now, I'll have to look into my TV... gah, I hoped I could ignore it.
[1] Endless possibilities, like DNS spoofing, offering your TV better firmware upgrade opportunities. Unless the firmware engineers got everything right (HAH!)...
