CR Study Spurs Smart TV Security Fixes
Samsung and Roku are reportedly addressing certain alleged security vulnerabilities affecting smart TVs, and in Roku’s case, media players as well, after potential problems were identified by Consumer Reports (CR) earlier this year.
A CR study into smart TV and streaming device vulnerabilities discovered that certain Samsung smart TVs, Roku TVs, and some Roku streaming media players, like the Ultra, could be easily hacked, allowing outside parties to, among other things, take control of the devices remotely without the knowledge of the user.
James McQueen of CR distributed an email announcement to other media outlets Friday, revealing the posting of an updated story on the CR website saying both TV companies are now addressing the CR-identified issues.
“Samsung’s update fixed a security flaw in a part of the TV’s software called an API, or application programming interface. Basically, an API lets two applications—on computers, online, or built into devices such as TVs—talk to each other,” the updated report states.
The article quotes Cody Feng, CR security and privacy testing project leader, saying: “Once we updated the 2018 Samsung smart TVs in our labs with the new firmware, we were no longer able to exploit the flaw.”
The report said the official Samsung SmartThings app sends commands for basic TV operation controls to Samsung servers through the internet and then back to the television. The old firmware enabled hackers to easily exploit vulnerabilities in the devices on a home Wi-Fi network “without going through Samsung’s servers.”
The email said that Samsung released a firmware update this summer that fixed other security issues identified by CR, including the lack of standard encryption when performing Google searches.
Robert Richter, who heads CR’s privacy and security testing, was quoted concerning the Samsung vulnerabilities saying: “I’d characterize this vulnerability as of low risk to consumers, but the fact that it was so easy to find was troubling.”
Similarly, certain Roku TVs and streaming devices were vulnerable to attacks from outside parties when users controlled the products using a mobile device app for remote control and program searches.
The CR article said Roku informed them that “an upcoming firmware update, Roku OS 8.2, will block third-party apps while allowing people to use the official Roku mobile app for Roku TVs. And, the company said, the change will come to Roku streaming players in Roku OS 9.0 later this fall.”
A Samsung spokesman confirmed the story and referred us to an official Samsung statement in the CR report: “As we know that consumers value data security as much as their viewing experience, our Privacy and Security teams continue to evaluate the safety of the online experience in our products.”
Roku initially told CR: “There is no security risk to our customers’ accounts or the Roku platform with the use of this API.” Roku also told CR that users have had the ability to turn off the External Control feature in device settings, although that would have removed the ability to use the Roku mobile app.
The article reports that Roku said its new OS updates would prevent any such issues using its mobile device app. A Roku spokesperson confirmed its statement to CR.
By Greg Tarr
Copyright ©2018 HD Guru Inc. All rights reserved. HD GURU is a registered trademark.