In-brief: Samsung said on Wednesday that new security features in its Tizen-based Smart TVs would protect consumer data stored on the device, encrypt communications to and from the device and protect the TVs from malicious software.
Security and privacy concerns have gone hand-in-glove with the advent of “smart” and connected television sets. But announcements from TV giant Samsung in recent days suggest that manufacturers have heard the message.
With the Consumer Electronics Show (CES) scheduled to start up this week, Samsung has announced new security and privacy features on its newest smart TVs – part of a strategy that will turn the smart TV into an Internet of Things hub for the connected home.
First, the security: Samsung said on Wednesday that new security features in its Tizen-based Smart TVs would protect consumer data stored on the device, encrypt communications to and from the device and protect the TVs from malicious software.
The new suite of security features, dubbed GAIA, comprises three elements. The first is a virtual security container called Secure Zone, which provides a secure and separate environment in which the TV’s “core service operations” run.
GAIA also encrypts “important” data transmitted between the TV and IoT service servers in the cloud, and the TVs have a hardware-based root of trust used to verify the identity of the individual set.
Additionally, GAIA will include anti-malware features that detect and block unauthorized programs, Samsung said.
The security features follow a string of revelations about security vulnerabilities in smart television sets, stretching back more than two years. The devices, which feature data storage and memory and run commodity operating systems, are much like desktop PCs – just in TV form. Security researchers have exploited those similarities to show how malicious software can run on smart television sets.
In November, for example, researchers at Symantec showed how a smart TV running a custom version of the Android mobile operating system could be adapted for use against other “smart” and connected devices running popular smart television operating systems like Tizen, Web OS and Firefox OS. Their research, published on Symantec’s research blog, found that a flaw in a gaming portal on Android smart TV allowed users to install applications by sending unencrypted requests to the server.
To demonstrate the danger to smart TV owners, Wueest hijacked the installation of a game app and replaced it with a version that looked just like the legitimate one. This one was repackaged with the malicious component, which deployed when the game launched.
The new versions of the Samsung smart TV would explicitly prevent that, by using encryption to protect communications to and from the device, and by vetting any piece of software that attempts to install itself on the Samsung TV, rejecting any unsigned applications.
The focus on security for its smart TVs comes just days after Samsung revealed plans to make connected televisions the hub of its smart home strategy. On December 29, the company announced that its SUHD television sets will come equipped with SmartThings hubs, allowing other SmartThings-compatible devices to connect to and be managed from the SUHD set.
“Samsung views 2016 as the year the TV will become the center for Internet of Things (IoT) extensions in the home,” the company said in a statement.
But security is just one issue that threatens to dampen public acceptance of smart television sets. Just as worrying are the privacy practices of TV manufacturers. As reported by Security Ledger and other publications, TV makers commonly link smart features to wholesale data collection: allowing them to monitor which shows customers view and for how long. Manufacturers that equip their devices with voice recognition features have also indicated that snippets of conversation occurring around a set may be captured and relayed to the company’s cloud services.
The article focuses on tracking features that Vizio has branded “Smart Interactivity.” According to ProPublica, the feature is turned on by default for the more than 10 million Smart TVs that Vizio has sold. Customers can opt out of the Smart Interactivity monitoring by disabling it using the TV interface.
For those who don’t, Smart Interactivity analyzes both broadcast and streamed content viewed on the device, tracking information such as the date, time, channel and whether the program was viewed live or recorded. Viewing patterns are matched to the IP address for your TV.
That wasn’t the first incident raising troubling questions about smart TVs, either.
In 2014, for example, customers of electronics giant LG raised alarms about the company’s decision to use a firmware update for its smart televisions to link the “smart” features of the device to viewer tracking and monitoring. Viewers who refused to consent to monitoring would not be able to use services like Netflix and YouTube.
In February 2015, Samsung came under fire when the company noted in its Terms of Service that its televisions are capable of eavesdropping on the conversations that happen around them. That information may be “captured and transmitted to a third-party” through voice recognition features built into the set, Samsung acknowledged.
The CES show, kicking off in Las Vegas this week, promises to bring more news related to the Internet of Things, with security and privacy issues front and center. Stay tuned to The Security Ledger for coverage.