Attackers can use a host of vulnerabilities in top-end smart TVs to spy on users and intercept traffic.
The televisions contained flaws primarily because they were designed to give consumers a rich and smooth experience, which opened up more avenues of attack that were not properly secured.
Speaking at Breakpoint in Melbourne today, Korea University researcher SeungJin Lee said he was able to spy on users who had smart TVs in their homes, even when the units were 'turned off'.
"Do not allow your TV to see your bed," Lee said.
Lee also tested spying through smartphone cameras but this produced blurry photos due to motion and also drained the device battery, making it less than ideal for interception purposes. "The TV makes a better photographer, although it does not move."
Within the TV environment Lee created a call to switch off the TV's LED lights that would normally indicate the unit was powered on. This ensured he maintained surreptitious access to the unit.
Not only were the flaws a potential privacy risk for consumers, but they could also allow attackers to spy on corporations with smart TVs in their offices.
He said that Google had the same smart TV he tested in one of its corporate offices.
There were many avenues to attack the TVs and few defences in place in the units, none of which were entirely effective, Lee found.
He pointed out that the television app stores contained "1990's basic bugs" including problems with sanity checks and flaws in installers.
For example, it would take only a single mistake in any of the hundreds of application programming interfaces for compromise to occur. Another man-in-the-middle attack avenue existed in a TV chat client: traffic was sent in plaintext without SSL, and the client did not verify the validity of certificates.
"All apps run with root privileges, which is a massive fail," Lee said.
In an example of a borked defence attempt, a smart TV vendor had introduced a so-called User Executable Preventer that would remove binaries not signed by vendors. To gain persistence on the units, Lee took advantage of the sluggish rate at which it found suspect binaries: he deployed his own daemon to kill the preventer, which lacked a watchdog, and used TV web apps to call his code.
He said the preventer only slowed down TVs.
Listen to more analysis on the research via Risky.Biz.