Samsung and Roku Smart TVs Vulnerable to Hackers

Smart TVsThey are even getting into our TVs now!

Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds

By Consumer Reports – “Consumer Reports has found that millions of smart TVs can be controlled by hackers exploiting easy-to-find security flaws.

The problems affect Samsung televisions, along with models made by TCL and other brands that use the Roku TV smart-TV platform, as well as streaming devices such as the Roku Ultra.

We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn’t understand what was happening. This could be done over the web, from thousands of miles away. (These vulnerabilities would not allow a hacker to spy on the user or steal information.)

The findings were part of a broad privacy and security evaluation, led by Consumer Reports, of smart TVs from top brands that also included LG, Sony, and Vizio.

The testing also found that all these TVs raised privacy concerns by collecting very detailed information on their users. Consumers can limit the data collection. But they have to give up a lot of the TVs’ functionality—and know the right buttons to click and settings to look for. (see below.)

Data Collection in the Living Room
This is the first time Consumer Reports has carried out a test based on our new Digital Standard, which was developed by CR and partner cybersecurity and privacy organizations to help set expectations for how manufacturers should handle privacy, security, and other digital rights.

The goal is to educate consumers on their privacy and security options and to influence manufacturers to take these concerns into consideration when developing their products.

‘The Digital Standard can be used to evaluate many products that collect data and connect to the internet,’ says Maria Rerecich, who oversees electronics testing at Consumer Reports. ‘But smart TVs were a natural place to start. These sets are growing in popularity, and they can transmit a remarkable amount of information about their users back to the TV manufacturers and their business partners.’

Smart TVs represent the lion’s share of new televisions. According to market research firm IHS Markit, 69 percent of all new sets shipped in North America in 2017 were internet-capable, and the percentage is set to rise in 2018. Eighty-two million of these sets have already found their way to consumers.

Internet connectivity brings a lot of appealing functionality to modern televisions—including the ability to stream content through popular apps such as Hulu and Netflix, as well as to find content quickly using voice commands.

But that functionality comes with substantial data collection. Smart TVs can identify every show you watch using a technology called automatic content recognition, or ACR, which we first reported on in 2015. That viewing information can be combined with other consumer information and used for targeted advertising, not only on your TV but also on mobile phones and computers. For instance, if you’re watching a particular sports event, you could see an online advertisement from a brand interested in reaching fans of that sport.

In 2017 Vizio got in trouble with federal and state regulators for collecting this kind of data without users’ knowledge or consent. The company settled with the Federal Trade Commission for $1.5 million and the state of New Jersey for $700,000. The FTC has now made it clear that companies need your permission before collecting viewing data—but consumers may not understand the details, says Justin Brookman, director of privacy and technology at Consumers Union, the policy and mobilization division of Consumer Reports.

‘For years, consumers have had their behavior tracked when they’re online or using their smartphones,’ Brookman says. ‘But I don’t think a lot of people expect their television to be watching what they do.’

And manufacturers are aiming to make smart TVs the centerpiece of consumers’ increasingly connected homes. Companies such as LG and Samsung have recently shown off sets with built-in digital assistants that let you control other smart-home devices ranging from thermostats to security cameras to washing machines to smart speakers.

In a recent Consumer Reports subscriber survey of 38,000 smart-TV owners, 51 percent were at least somewhat worried about the privacy implications of smart TVs and 62 percent were at least somewhat worried about the sets’ security practices.

What We Tested
We purchased five smart TVs from the most widely sold TV brands in the U.S. As we do for all products involved in CR’s testing program, we bought our samples through regular retail outlets.

Each set we bought used a different smart-TV platform.

Two of these were proprietary platforms. The Samsung UN49MU8000 incorporates the company’s Tizen system, and the LG 49UJ7700 uses LG’s webOS system.

The other sets make use of smart-TV platforms that are incorporated into multiple brands. The TCL 55P605 uses the Roku platform, which is also found in Hisense, Insignia, and other brands.

The Sony XBR-49X800E uses a version of Google’s Android TV, a platform also found in sets from LeEco and Sharp. And the Vizio P55-E1 SmartCast TV we tested uses Chromecast, another Google platform.

We didn’t incorporate our privacy and security findings into the Consumer Reports ratings of these televisions, and all these sets except the TCL are recommended models. But Consumer Reports is planning to include privacy and security test results in a number of products’ Overall Scores in the future.

For our security assessment we worked with engineers at Disconnect, which makes privacy-enhancing software for consumers and is one of CR’s partners in developing the Digital Standard. We conducted our privacy investigation in collaboration with both Disconnect and Ranking Digital Rights, another of our Digital Standard partners. (Like most websites, ConsumerReports.org collects user data. You can get the details on our privacy policy and our approach to privacy, including our policy positions, here.)

What We Found: Security
Our security testing focused on whether basic security practices were being followed in the design of each television’s software. ‘We were just looking for good security practices,’ Rerecich says. ‘Encryption of personal or sensitive data, protection from common vulnerabilities, that sort of thing.’

We discovered flaws in sets from TCL and Samsung.

They allowed researchers to pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content, or kick the TV off the WiFi network.

The exploits didn’t let us extract information from the sets or monitor what was playing. The process was crude, like someone using a remote control with their eyes closed. But to a television viewer who didn’t know what was happening, it might feel creepy, as though an intruder were lurking nearby or spying on you through the set.

The TCL vulnerability applies to devices running the Roku TV platform—including sets from other companies such Hisense, Hitachi, Insignia, Philips, RCA, and Sharp—as well as some of Roku’s own streaming media players, such as the Ultra.

The problem we found involved the application programming interface, or API, the program that lets developers make their own products work with the Roku platform. ‘Roku devices have a totally unsecured remote control API enabled by default,’ says Eason Goodale, Disconnect’s lead engineer. ‘This means that even extremely unsophisticated hackers can take control of Rokus. It’s less of a locked door and more of a see-through curtain next to a neon ‘We’re open!’ sign.’

And, it turned out we weren’t the first to notice this: The unsecured API had been discussed in online programming forums since 2015.

To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded.

TCL referred us to Roku for questions about data collection and this vulnerability. A Roku spokeswoman said via email, ‘There is no security risk to our customers’ accounts or the Roku platform with the use of this API,’ and pointed out that the External Control feature can be turned off in the settings. However, this will also disable control of the device through Roku’s own app.

The Samsung vulnerability was harder to spot, and it could be exploited only if the user had previously employed a remote control app on a mobile device that works with the TV, and then opened the malicious webpage using that device. ‘Samsung smart TVs attempt to ensure that only authorized applications can control the television,’ Goodale of Disconnect says. ‘Unfortunately, the mechanism they use to ensure that applications have previously been authorized is flawed. It’s as though once you unlocked your door, the door would never lock again.’

In an emailed statement, Samsung said, ‘We appreciate Consumer Reports’ alerting us to their potential concern,’ and that the company was still evaluating the issue. The company also said it would update the API to address other, less severe problems related to data security that CR uncovered. Those changes ‘will be in a 2018 update, [with timing] to be determined, but as soon as technically feasible,’ the spokesman said.

What We Found: Privacy
Every smart TV we evaluated asked for permission to collect viewing data and other kinds of information.

But we found that it’s not always easy to understand what you’re agreeing to as you proceed through the setup process. And if you decline permissions, you can lose a surprising amount of functionality. In fact, one TV requires that you accept a broad privacy policy during setup before you can use the most basic, internet-free functions, such as watching TV using an antenna.

Here are some of the key findings.

Oversharing by design. Race through your TV’s setup, agreeing to everything, and a constant stream of viewing data will be collected through automatic content recognition. The technology identifies every show you play on the TV—including cable, over-the-air broadcasts, streaming services, and even DVDs and Blu-ray discs—and sends the data to the TV maker or one of its business partners, or both.

ACR helps the TV recommend other shows you might want to watch. But it’s also used for targeting ads to you and your family, and for other marketing purposes. And you can’t easily review or delete this data later.

Your data or your internet. You can limit data collection, but you’ll lose functionality. Specifically, if you pay close attention, you can turn off ACR monitoring while still agreeing to a set’s basic privacy policy. But that may keep you from getting recommendations (‘You liked ‘Westworld.’ Have you checked out ‘Godless’?’) And even the basic privacy policies may ask for the right to collect information on your location, which streaming apps you click on, and more.

If you say no to these basic policies, the sets revert to old-fashioned dumb TVs: You can hook up a cable box or an antenna, but you won’t be able to stream anything from Amazon, Netflix, or other web-based services.

All-or-nothing privacy policy. The Sony television was the only one that required you to agree to a privacy policy and terms of service to complete the setup of the TV.

The set uses Google’s Android TV platform, and consumers have to click yes to Google agreements, even if they don’t plan to connect to the internet. That could be a frustrating thing to discover only after you’d bought the big-screen TV at the store, lugged it home, and maybe mounted it to a wall. Even though you can’t skip the Google privacy policy, you can say no to the user agreements from Sony itself and from Samba TV, a provider of ACR technology.

And, Sony said in an emailed statement, ‘If a customer has any concerns about sharing information with Google/Android [they] need not connect their smart TV to the Internet or to Android servers to use the device as a television, for example, using cable or over-the-air broadcast signals.’

What Consumers Can Do
You could just buy an old-fashioned ‘dumb’ TV, without built-in streaming capabilities, but these are becoming harder to find. Of the nearly 200 midsized and large sets in Consumer Reports’ ratings, only 16 aren’t smart TVs. And those are 2017 models—in 2018 we expect to see even fewer internet-free televisions.

If you do buy a new smart TV, decide whether you want to block the collection of viewing data. If so, pay close attention during setup. There, you can agree to the basic privacy policy and terms of service—which still triggers a significant amount of data collection—while declining ACR.

And, if you already have a smart TV but would like to restrict data collection, you can do the following:

Reset the TV to factory settings. Then, as you go through the setup process, say yes to the most basic privacy policies and terms of service but don’t agree to the collection of viewing data.

Turn off ACR using the settings. These settings are typically buried three or four menus deep—but we’ve compiled directions for you. ‘And,’ Brookman says, ‘if you can’t figure it out, call customer support and make them walk you through it.’ That will have the added benefit of letting companies know that you care about your privacy.

Turn off the TV’s WiFi connection. Do this, though, and you essentially don’t have a smart TV anymore. You’ll need to add a separate streaming media device to get web-based content. And, you won’t be surprised to hear, those devices may have their own expansive data collection practices.

Editor’s Note: An earlier version of this story incorrectly stated that Vizio settled a case about consumer viewing data with the FTC for $1.5 million and the state of New Jersey for $2.2 million. The settlement with New Jersey was for $700,000.”

Tablet Sales Continue to Decline

Kindle Fire TabletFolks are using phones more, tablets less. Apple is still number one in tablets, but Amazon has now taken second place in tablet sales over Samsung.

IDC: Tablet shipments decline for 13th straight quarter, Amazon overtakes Samsung for second place

VentureBeat – By: Emil Protalinski – “The tablet market has now declined year-over-year for 13 quarters straight. Q4 2017 saw a 7.9 percent year-over-year decline: 49.6 million units shipped worldwide, compared to 53.8 million units in the same quarter last year. The only silver lining is that declines for 2017 haven’t been in the double-digits, like they were in 2016.

The estimates come from IDC, which counts both slate form factors and detachables, meaning tablets with keyboards included. Apple maintained its top spot for the quarter, but Amazon for the first time managed to surpass Samsung for second place. The top five vendors accounted for 69.6 percent of the market, up from 61.3 percent last year.

Apple’s shipment numbers were basically flat, but because the overall tablet market declined, the company’s market share grew again (up 2.3 percentage points) after two quarters of growth (and following a 13-quarter losing streak). The company was able to maintain its lead thanks to its lower-priced iPad and refreshed iPad Pro.

Amazon shipped 2.5 million more tablets, gaining a massive 6.0 percentage points. The holiday quarter is typically the company’s strongest, but this year was a standout as the company managed to steal second from Samsung. IDC explains this was possible thanks to steep discounts as well as the fact Alexa is available on Amazon’s latest tablets.

Samsung shipped 1.0 million fewer tablets than in the quarter a year ago and ended up losing 0.8 percentage points. Detachable tablets accounted for a growing number of devices in its portfolio, but those gains were outweighed by the declines among its slate models, according to IDC. Its lower-cost Tab A and E series will be a challenge to replace as vendors promise better value and the market shifts to detachable devices.

Amazon wasn’t the only one who managed to move up in the tablet market. Huawei overtook Lenovo for fourth place (yeah, those are typos in the table above and below). Huawei gained 1.2 percentage points while Lenovo fell 0.4 points as they both still shared about 3 million units each.

For the full year, the same players were in the top five.

This isn’t a huge surprise given that the same tablet trends ran throughout 2017. Namely, the replacement cycle for tablets is still closer to that of traditional PCs than smartphones, and detachable tablets is the only category seeing growth, which is good news for both Apple and Microsoft.

‘To date, much of the trajectory of the detachable market has been attributed to Microsoft and Apple pushing their wares in the U.S.,’ IDC research analyst Jitesh Ubrani said in a statement. ‘However, continued success of this category hinges on the willingness of other PC vendors to participate and more importantly, consumers from other countries to adopt the new form factor over convertible PCs.'”

Nvidia Will Concentrate on Gamers

Nvidia GPU
I imagine that they will still sell to crypto-miners, though!

Nvidia Will Focus on Gaming Because Cryptocurrencies Are ‘Volatile’

SlashDot – “Graphics card manufacturer Nvidia made almost $10 billion dollars in the last fiscal year, that’s up 41 percent from the previous period. The GPU company broke the news to its investors in a conference call on Thursday, and said that video games such as Star Wars: Battlefront II and Playerunknown’s Battlegrounds as well as the unprecedented success of the Nintendo Switch led to the record profits. That and cryptocurrency. From a report:

Graphics cards are the preferred engine of today’s cryptocurrency miners. It’s led to a shortage of the GPUs, a spike in their prices, and record profits for the company that manufactures them. ‘Strong demand in the cryptocurrency market exceeded our expectations,’ Nvidia chief financial officer Colette Kress told investors during its earnings call yesterday. ‘We met some of this demand with a dedicated board in our OEM business and some was met with our gaming GPUs.’ But Nvidia is having trouble keeping up with the demand and it’s recommended retailers put gamers ahead of cryptocurrency miners while supply is limited. Kress acknowledged the shortage on the call and reaffirmed Nvidia’s commitment to gamers. ‘While the overall contribution of cryptocurrency to our business remains hard to quantify, we believe it was a higher percentage of revenue than the prior quarter,’ she said. ‘That said, our main focus remains on our core gaming market as cryptocurrency trends will likely remain volatile.’ When Kress finished her statement and opened up the line to questions, the first question was about cryptocurrency. ‘Is crypto being modeled more conservatively?’ An investor from Evercore asked. ‘We model crypto approximately flat,’ said Jensen Huang, Nvidia’s chief executive officer.”

Nintendo Switch Linux Hack

Switch Hack
Someone has hacked the Switch, but it is not all goof news.

Nintendo Switch Linux hack offers good news for homebrew

SlashGear – By: Eric Abent – “For as long as consoles have been around, people have been hacking them. Nintendo in particular has a long and storied history with hackers, especially with its more modern consoles. Healthy homebrew scenes popped up around the Wii, DS, and 3DS, and now that the Switch is on the scene, hackers have turned their attention to it.

Toward the end of last year, a team of hackers created an exploit tool that allowed for homebrew on the Switch, but there was one major drawback. As the exploit ran on Switch firmware version 3.0.0, it meant that those who applied it (and wanted to keep it) weren’t able to play Super Mario Odyssey, one of the console’s must-own games. The fact that there isn’t a significant amount of homebrew applications for the Switch just yet is also a problem, but it’s one that will fix itself as time goes on.

Now, however, we’re hearing of new progress on the homebrew front. A group called fail0verflow (which some of you will already be familiar with) posted a very intriguing image to Twitter a few days back, showing the Switch running Linux. The folks over at Nintendo Life got in touch with fail0verflow today, and the group makes some pretty big claims about the potential longevity of this exploit.

According to fail0verflow, this exploit can’t be fixed by a future firmware update by Nintendo. That’s big talk, but if it’s true, it means good things for a homebrew community that has been trying to gain a foothold when it comes to hacking the Switch.

Of course, the flip side of that benefit for the homebrew community is that an exploit that can’t be patched is bad news for Nintendo, as it opens the platform up to piracy. Indeed, whatever advances the homebrew community makes always seem to go hand-in-hand with an increase in piracy, so you can bet that Nintendo will be looking for a way to fix this exploit regardless of fail0verflow’s claims. Stay tuned.”

Chromecast on VLC 3.0!

VLC 3.0What we have waited so long for, Chromecast on VLC, is finally here!

VLC 3.0 lands on Android, Chrome OS, and other platforms with Chromecast support in tow

9to5 Google – By: Ben Schoon – “VLC is one of the most used media programs on the planet, and today it’s getting its first major update in nearly 2 years. VLC 3.0 is available now, and it’s going to be available on all major platforms at once with some big features in tow.

VLC 3.0 is the first concurrent release the player has ever had across all its supported platforms including Android, Chrome OS, Android TV, Linux, macOS, iOS, Apple TV, and Windows.

This new update features over 1,500 bug fixes, support for HDR, 360-degree video, optimization for the iPhone X, hardware accelerated decoding, and the big one, support for Google’s Chromecast.

VLC users haven’t been quiet over the years in expressing their desire for this functionality, and after briefly showing up in a beta update last month, the functionality is now official. Unfortunately for some, this functionality is limited to the Android app only, but that includes support for Chromebooks and Samsung’s DeX environment.

As you’d expect, Chromecast support on VLC allows you to play native media on your big screen with the tap of a button, with ‘formats not supported natively’ even working with this functionality. It’s a welcome addition, no doubt, and one you can easily try out now by downloading the update via Google Play.

VLC explains in another post why Chromecast support took as long to arrive as it did, but it really comes down to the fact that Google’s streaming platform is meant for just that, streaming. Local files were never supposed to work properly with it, despite the attempts we’ve seen over the years. Video formats also proved to be a challenge.

…Chromecast only supports very few codecs number, let’s say h264. Google ensures that your video is encoded in h264 format on youtube.com, so streaming is simple. With VLC, you have media of any format. So VLC has to be a http server like youtube.com, and provide the video in a Chromecast compatible format. And of course in real time, which is challenging on Android because phones are less powerful than computers.

VLC v3.0 is available now on Google Play, and for other platforms, you can head over to VLC’s site for the respective download links.”

VLC Player Download!

To use your Chromecast to play from VLC 3.0, in VLC select “Playback,” then “Renderer” and then choose your Chromecast device. Cool!

“Starman” Heads Toward the Asteroid Belt!

Elon Musk shot a dummy called “Starman” toward Mars in his own Tesla Roadstar using his “Falcon Heavy” rocket. It is going to miss Mars and is heading toward the Asteroid belt! And, it looks cool!

“That was epic,” said Mr Musk. “That’s probably the most exciting thing I’ve ever seen, literally.” And, how cool is this: the driver’s seat contains a dummy wearing a spacesuit, nicknamed “Starman.” The in-car sound system is paying David Bowie’s “Space Oddity” on a loop, and, a “Don’t Panic” sign on the dashboard references Douglas Adam’s “Hitchhikers’ Guide to the Galaxy!” Ah, a touch o’ whimsey!

Serious OpenVMS Security Issue!

VAX OpenVMS
I include this news item for personal nostalgia reasons! I started my computer career working with OpenVMS and the DCL Command language. In fact, my first professionally published article was in DEC Professional magazine on a menu system I wrote in DCL! Amazing that people are still using OpenVMS!

Mission-critical system alert: 40-year-old OpenVMS hit by exploitable bug
ZDNet – By Liam Tung – “A patch is available for a privilege-escalation flaw affecting the 40-year-old OpenVMS operating system on hardware powered by ancient VAX and Alpha processors from Digital Equipment Corporation.

The OS, which has been supported by HP, is known for its reliability and has historically been used for core business systems that require high availability, including nuclear power plants and process-control systems.

The Register reports that a patch for the privilege-escalation flaw, CVE-2017-17842, has been made available ahead of a detailed description of the issue due in March. The delay is to give admins time to patch affected systems.

VMS Software Inc (VSI), the company to which HP licensed OpenVMS in 2014, said a ‘malformed DCL command table may result in a buffer overflow allowing a local privilege escalation in non-privileged accounts’. DCL is the VMS shell.

The vulnerability affects all versions of VMS and OpenVMS dating back to version 4.0, when it was just called VMS.

While this vulnerability is exploitable on VAX and Alpha hardware, it only causes a crash on Intel Itanium-based hardware and isn’t directly exploitable.

However, according to Simon Clubley, the researcher who found the flaw, a different version of the same vulnerability could make Itanium systems exploitable.

‘The only reason Itanium is not compromisable with this specific version of the exploit is because the return address is handled very differently on Itanium,’ he wrote.

‘It is not beyond the bounds of possibility that someone could find a different variant that could be used to compromise an Itanium system. For example, if you can overwrite a pointer to a data structure, then you can force code within DCL to process memory that you control.’

Additionally, Itanium systems can be indirectly compromised using the exploit he has if they’re part of a cluster with affected VAX or Alpha processors.

‘If your Itanium systems are part of a mixed-architecture cluster, then you can use the vulnerability to compromise a vulnerable cluster member and then use that cluster member to compromise your Itanium systems,’ he noted.

Clubley told The Register that anyone with shell access can compromise any version of OpenVMS released for VAX or Alpha architecture in the past 30 years.

There are different courses of action to remedy the issue for different customers, according to VMS Software’s VP of software engineering, Eddie Orcutt.

Alpha customers running VSI OpenVMS V8.4-2L1 or VSI OpenVMS V8.4-2L2 for Alpha need to contact VSI support.

Customers with Itanium running VSI OpenVMS V8.4-1H1, VSI OpenVMS V8.4-2, or VSI OpenVMS V8.4-2L1 can contact HPE if they have a HPE support contract for their version. Otherwise customers need to contact VMS Software VSI support.

Customers running HPE OpenVMS versions prior to and including V8.4 must contact HPE customer support.”

Tablo DVR Now Supported on Samsung TVs

Tablo DVRs Now Support Samsung Smart TVs

Cord Cutters News – By: Luke Bouma – “Today Nuvyyo, the maker of Tablo DVRs, announced a new native app for Samsung smart TVs that run the TIZEN OS and are built from 2015 to today.

‘Tablo offers the widest breadth of fully functional DVR app support of any over-the-air TV solution on the market,’ said Grant Hall, CEO at Nuvyyo, the makers of Tablo. ‘Now more than ever, Tablo gives cord cutters the opportunity to enjoy their favorite TV programs including network dramas, comedies, news, and sports like the Olympics from channels like NBC, ABC, CBS, and Fox, on any screen, anytime, anywhere—including Samsung TIZEN Smart TVs.’

You will no longer need a separate streaming player to access your OTA DVR if you use Tablo with a Samsung smart TV. Now you will be able to access DVR recordings, live TV, and pause, play, and rewind live TV natively on Samsung smart Tvs.

Samsung smart TVs join a growing list of devices the Tablo DVR will work with including Roku, Fire TV, Apple TV, Android TV, Android, iOS, laptops, and desktop PCs.”

1 54 55 56 57 58 394