In-brief: researchers have demonstrated how a snooping Android application can turn an Android-based smart television set into an omnibus surveillance device. Get ready for more IoT misappropriations like this.
The misappropriation of sensors, rather than their misapplication, will be one of the big security concerns to emerge from the Internet of Things, and in the not-distant future. Exhibit 1: the little experiment that the folks at the UK consultancy Pen Test Partners (PTP) recently completed, turning a Sony Bravia smart TV into an omnibus surveillance device.
In a short blog post published May 20, PTP showed how a snooping Android application could be used to trick an Android-based smart TV into listening in to its surroundings. The demonstration is a good example of how future hackers – motivated by personal animus, greed or geopolitical aims – could leverage broadly distributed IoT platforms for surveillance.
In the most recent experiment, Pen Test Partners adapted an Android snooping application to run on the Sony Bravia, a smart television set that runs the Android operating system. Words captured by a microphone attached to the TV were rendered as text and sent to a remote laptop. You can see the whole setup in action in the YouTube video below.
Some caveats: the researchers used a locally installed version of a snooping application that they wrote themselves. They installed it by enabling the TV's "install untrusted applications" setting and then loading the app directly from a USB drive. That is hardly a "scalable" attack vector, as they themselves note.
The PTP researchers also relied on an external microphone to capture voice data, because the Bravia model PTP used for its test has neither voice-activation features nor an internal microphone, though other smart TV platforms do.
However, the researchers also note that it would be entirely possible to get a snooping application onto a Sony smart TV running Android without enabling the untrusted-applications setting: simply slip it onto the Google Play store, then trick the TV's owner into installing the application themselves. How difficult is it to get a malicious application onto Google Play? Not very, by all accounts.
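The two preconditions PTP's demo relied on, sideloading switched on and an app holding the microphone permission, are things an owner or defender can check on an Android TV over adb. The helper below is an added example written for this article, not PTP's tooling and not from Sony; it assumes adb debugging is enabled on the set, that the Android 5.x "Unknown sources" switch is stored under the Settings.Secure key install_non_market_apps (later Android versions moved this to a per-app setting), and that `dumpsys package` lists granted permissions either under a "grantedPermissions:" block (Android 5.x) or as "name: granted=true" lines (Android 6+). Both shapes appear in the constructed sample inside the script, which is made up for illustration, not captured from a real Bravia. The parsing is factored into functions that read stdin so the logic can be exercised without a device.

```shell
#!/bin/sh
# Added audit helper (example code, not Pen Test Partners' or Sony's):
# check an Android TV for the two conditions behind the PTP demo.

# Returns success (0) when the raw value printed by
# `settings get secure install_non_market_apps` says sideloading is enabled.
# ASSUMPTION: this Settings.Secure key is the one backing "Unknown sources"
# on Android 5.x; it is not per-app as on Android 8+.
sideloading_enabled() {
    read -r value
    value=$(printf '%s' "$value" | tr -d '\r')   # adb shell output is CRLF
    [ "$value" = "1" ]
}

# Reads `dumpsys package` output on stdin and prints, once each, every
# package that has been granted android.permission.RECORD_AUDIO.
# ASSUMPTION about the dump format: packages start with a line
# "Package [name] (hash):"; Android 5.x lists grants under
# "grantedPermissions:" as bare names, Android 6+ as "name: granted=true".
mic_apps() {
    tr -d '\r' | awk '
        /^ *Package \[/ {                 # new package record
            pkg = $2; gsub(/\[|\]/, "", pkg); in_granted = 0; next
        }
        /grantedPermissions:/ { in_granted = 1; next }   # Android 5.x block
        in_granted && /[:=]/   { in_granted = 0 }        # next section header
        /android\.permission\.RECORD_AUDIO/ {
            if ((in_granted || $0 ~ /granted=true/) && !seen[pkg]++) print pkg
        }
    '
}

# Constructed sample dump (not real device output) covering both formats:
# one 5.x-style grant, one 6+-style runtime grant, and one app that only
# *requests* the permission without being granted it.
SAMPLE_DUMP='Packages:
  Package [com.sony.dtv.tvx] (1a2b3c):
    userId=10010
    grantedPermissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
  Package [com.example.snoop] (4d5e6f):
    userId=10056
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true
  Package [com.example.benign] (7a8b9c):
    requested permissions:
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
'

# Run the checks against a connected set. Not invoked automatically because
# it needs adb and a device; call `audit_device` from an interactive shell.
audit_device() {
    if adb shell settings get secure install_non_market_apps | sideloading_enabled; then
        echo "WARNING: sideloading (Unknown sources) is enabled"
    else
        echo "sideloading disabled"
    fi
    echo "packages granted RECORD_AUDIO:"
    adb shell dumpsys package | mic_apps
}

# Offline demonstration on the constructed sample:
#   printf '%s\n' "$SAMPLE_DUMP" | mic_apps
# lists com.sony.dtv.tvx and com.example.snoop but not com.example.benign.
```

Anything the script lists that is not a stock Sony component deserves a look, and on Android 5.x in particular there is no runtime prompt to fall back on: an app that requested RECORD_AUDIO at install time already has it.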
Clearly, this isn’t a “run for the hills” type demonstration of IoT security vulnerability. Rather, it’s a (successful) effort to connect some dots between the growing numbers and variety of sensing devices that are deployed in our homes, offices and physical environment and the kinds of attacks and privacy violations that could easily result when those devices, or the infrastructure that connects them, are vulnerable to attack.
In the case of the Bravia, Pen Test Partners notes that the device is running an outdated, but not ancient, version of Android: 5.0.2 (Lollipop), which dates to late 2014. That matters for the Google Play route too: Android 5.x has no runtime permission prompts, so an app that declares the microphone permission is granted it at install time with no further confirmation from the viewer. Still, that OS is getting older every day, and Sony's plans for keeping it up to date, and its ability to do so, are open questions. With each day, the risk of new, remotely exploitable holes in the underlying operating system grows and the barriers to large-scale hacks of TVs or other "things" get lower.
Of course, snooping smart TVs are nothing new. Samsung got called out in early 2015 when it was revealed that its smart televisions are capable of eavesdropping on the conversations that happen around them. According to Samsung's terms of service for some smart TV models at the time, spoken information may be "captured and transmitted to a third-party" through voice recognition features built into the set.
As this blog noted at the time, UK privacy advocate and IT specialist Jason Huntley warned about the same risk with LG TVs, citing the wording of LG's voice activation policy: "if your spoken word includes personal or other sensitive information, such information will be among the Voice Information captured through your use of voice recognition features." LG further indicated that voice information is among the information gathered by the device to help improve viewing experiences, understand how customers are using LG Smart TVs, and for marketing and to deliver advertisements.
If voice-driven artificial intelligence really is the next windowed interface (and "Apple killer"), as some are suggesting, one byproduct will be an explosion of microphone-enabled devices in our environments. That means little demonstrations like PTP's could be just the tip of the iceberg.