Major Internet TV Brand Can Be Hacked: Security Vendor

Author:
Publish date:

Internet-connected HDTVs from one major manufacturer -- which appears to be Panasonic -- have security holes that could allow an attacker to trick users into giving up credit card information or other private data, according to a report by Mocana, which sells embedded security software solutions.

In its testing, San Francisco-based Mocana said it was able to intercept and redirect Internet traffic to and from the HDTV. That could allow a hacker to fool consumers into thinking that "imposter" banking and e-commerce websites were legitimate.

The name of the HDTV vendor is redacted in the Mocana report, which was released last week and is available to download here: www.mocana.com/tv.pdf.

However, details in the report indicate that the HDTV vendor in question is Panasonic.

Mocana identifies the apps available through the Net-connected televisions it tested as including The Weather Channel, Twitter, Picasa, YouTube, Amazon Video On Demand, Tageschau, Pandora Radio, Bloomberg, Fox Sports, Bild.de, Netflix and Skype -- a list that corresponds to services Panasonic offers through its VieraCast service.

In addition, the Mocana report said the vendor's update services use ".tv" and ".eu" domain-name extensions; Panasonic uses vieracast.tv and vieracast.eu to send data to its Net-connected HDTV sets.

A Mocana rep declined to confirm whether the HDTV vendor in its report was Panasonic. Mocana said it has met with the vendor, which requested it not be identified until a security fix is available.

Panasonic representatives did not provide a response by press time. Panasonic is among Mocana's investors and also is listed as a customer.

The Mocana researchers "believe it's likely that similar security flaws exist in other Internet TVs and recommend that consumers seek out third-party security tests of the appliances before they are purchased and installed in the home," the company said in announcing the report last week.

Mocana said it found in its testing that an attacker could intercept transmissions from Internet-connected HDTV to the network using common "rogue DNS," "rogue DHCP server," or TCP-session hijacking techniques. The firm demonstrated that JavaScript could then be injected into the normal data stream, allowing attackers to obtain total control over the device's Internet functionality, rendering the product unusable and extending (or limiting) its functionality without the manufacturer's permission.

During the test, Mocana's researchers also were able to recover the manufacturer's private "developer keys," which in many cases were transmitted unencrypted. That would let a hacker access third-party search, music, video and photo-sharing services using the TV manufacturer's access privileges for free.

Mocana, founded in 2002, offers a suite of embedded security software for what it claims are more than 1,000 different silicon/operating system combinations.

Other Mocana customers include Cisco Systems, Motorola, Alcatel-Lucent, Broadcom, Dell, Harris, Royal Philips Electronics and Siemens, according to its website. Additional investors include security software vendor Symantec, Southern Cross Venture Partners and Shasta Ventures.

More than 40 million Internet-accessible TVs will be shipped worldwide in 2010, increasing to 118 million global shipments by 2014, according to research firm DisplaySearch.

Manufacturers "are rushing Internet-connected consumer electronics to market without bothering to secure them," Mocana CEO Adrian Turner said in a statement. "I think this study demonstrates how risky it is to ‘connect first, worry later,' and suggests that consumer electronics companies that might lack internal security expertise should seek it out, before connecting their portfolio of consumer devices to the Internet."

Related