Attackers can use a host of vulnerabilities in top end smart TVs to spy on users and intercept traffic.
The televisions contained flaws primarily because the devices were designed to provide a rich and smooth experience to consumers that presented more avenues of attack were not properly secured.
Over recent years, researchers have revealed multiple flaws in brand name TVs that allowed remote attackers to steal data from connected hard drives and send the devices into continuous reboot loops.
Speaking at Breakpoint in Melbourne today, Korea University researcher SeungJin Lee said he was able to spy on users who had smart TVs in their homes, even when the units were 'turned off'.
"Do not allow your TV to see your bed," Lee said.
Lee also tested spying through smartphone cameras but this produced blurry photos due to motion and also drained the device battery, making it less than ideal for interception purposes. "The TV makes a better photographer, although it does not move."
Within the TV environment Lee created a call to switch off TV LED lights that would normally indicate that the unit was powered on. This ensured he maintained surreptitious access to the unit.
Not only were the flaws a potential privacy risk for consumers, but it could allow attackers to spy on corporates with smart TVs in their offices.
He said that Google had the same smart TV he tested in one of its corporate offices.
There were many avenues to attack the TVs and few defences in place in the units -- none of which were entirely effective, Lee found.
He pointed out that the television app stores contained "1990's basic bugs" including problems with sanity checks and flaws in installers.
For example, it would take only a single mistake in any of the hundreds of application program interfaces for compromise to occur. Another man-in-the-middle attack venue existed within a TV chat client because traffic was sent in plaintext without SSL, and did not verify the validity of certificates.
"All apps run with root privileges, which is a massive fail," Lee said.
In an example of a borked defence attempt, a smart TV vendor had introduce a so-called User Executable Preventer that would remove binaries that were not signed by vendors. In order to gain persistence on the units, Lee took advantage of the sluggish rate in which it took to find suspect binaries and deployed his own daemon to kill the preventer which lacked a watchdog, and used TV web apps to call his code.
He said the preventer only slowed down TVs.
Further efforts to restrict the design of apps for the marketplace to only HTML, Javascript and Flash also were insufficient. While it did limit some attacks, there were plenty of bugs to be found in the software development kits.
Listen to more analysis on the research via Risky.Biz.
.png&w=120&c=1&s=0)
EDUtech AU
Integrate Expo 2025
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
