Samsung smart televisions contain a vulnerability which allows remote attackers to swipe data from attached storage devices, track shows users watch and gain root on the appliances.
Attackers could do so through a flaw in the internet-enabled TVs disclosed only to customers of a subscription vulnerability service.
It was also unclear which TV models were affected, but the discoverer of the flaw, Luigi Auriemma, told SC that it affected most models running the latest firmware.
“We have tested different Samsung televisions of the latest generations running the latest version of their firmware,” Auriemma said.
“Unfortunately we can't disclose additional information but we can only say that almost all the people having a Samsung TV at home or in their offices are affected by this vulnerability.”
He demonstrated the attack in a proof of concept video posted to the website of his vulnerability research firm Revuln.
Auriemma has previously discovered flaws in Samsung TVs and Blu-Ray players. Those attacks leveraged a vulnerability in remote controllers which allowed TVs to be spun into continuous restart loops every five seconds by setting fields such as MAC addresses to long strings.
This would trigger the crashing loop, which occurred too rapidly for hapless victims to intervene using their remote controllers.
Researchers from security firm Mocana published a report (pdf) claiming it was possible to push fake credit card forms to TVs, redirect internet traffic to phish users and steal manufacturer keys, and tap backend services.
And a simple denial of service attack was found in a Sony Bravia TV. Gabriel Menezes Nune, a security expert with the Brazilian Navy, attacked her own TV -- a Latin American model -- using the Hping tool. That crashed the unit, preventing access to all functions until it turned off.
Scores more internet-enabled TVs were vulnerable to attacks, which often targeted the host of features the technology now offered.