Is Your Smart TV Spying on You?


In a chilling echo of George Orwell’s dystopian novel 1984, it’s possible that Big Brother – or in this case, Big Hacker – might be surveilling you through your own television. Evidence is emerging that Smart TVs can be just as prone to hacking as home computers.

Security analysts Aaron Grattafiori and Josh Yavor from iSEC Partners have spent several months investigating this issue, working alongside Smart TV manufacturers to address potential vulnerabilities. They presented their findings at the recent Black Hat network security conference in Las Vegas. Their demonstration highlighted the worrying tendency of Smart TVs to pry into personal data, whether via web searches, app usage, or even physical surveillance through the built-in camera.

How Vulnerable are Smart TVs?

Despite their advanced technology, Smart TVs carry the same risks as their more primitive forebears. The primary culprit is the IP address, which allows these devices to connect with various web apps like Facebook, YouTube, and Skype. The issue is that these apps are often built with the same technologies (such as JavaScript or HTML5) as those on home computers or smartphones, making them susceptible to malware attacks when left unprotected.

While they might look like ordinary TVs, many Smart TVs bear a closer resemblance to laptops, incorporating internet-connected apps, video streaming services, microphones, and even internal cameras. Sure, these features enhance the viewing experience, but they can also present a clear and present danger to your privacy.

Potential Threats to Your Privacy

Malicious code can easily find its way into your TV through seemingly harmless chat messages or browser searches. Once it’s there, your television is open to several types of spyware. With the right code, a hacker could gain full control over your device, accessing your TV’s cameras and microphones. In essence, they could use your camera to spy on you, turning your own TV into a surveillance device.

Although manufacturers have issued fixes to reinforce the exposed code, no device is 100% secure. The scenario of hackers gaining control over a TV’s cameras and microphones is not just an invasion of privacy but can also lead to potential misuse of personal information. It’s a stark reminder of the importance of protecting our digital presence and understanding the broader implications of IoT devices in our homes. As technology continues to advance, so too must our vigilance in guarding against these emerging threats.

Staying Updated

Regular updates are crucial to maintaining the security of your TV and its apps. The digital world is full of bugs waiting for a chance to invade your device, so don’t let outdated apps provide them the perfect entry point. Ensure your apps are updated regularly to maintain your digital fortress.


Also, when it comes to Smart TVs, it’s best to use social media sparingly. Video-streaming platforms like Netflix pose less of a threat than social media sites, which are notorious hunting grounds for identity thieves. These criminals often bait their traps with fake offers and tailored “phishing” messages. Whenever possible, restrict social media usage to devices (like your computer, smartphone or tablet) that have comprehensive security protection like McAfee LiveSafe™ service, which safeguards your devices, your identity, and your data. 


In conclusion, while Smart TVs may be a little too clever for their own good, that doesn’t mean you can’t stay one step ahead. You just need to stay vigilant and informed about potential security threats, so you can enjoy the benefits of your Smart TV without worrying about privacy violations.

Smart TV: A Panopticon in Your Living Room?

With an inbuilt camera and microphone, Smart TVs are capable of providing a stream of surreptitious surveillance data to both manufacturers and potentially unscrupulous cyber criminals. With the right malware code, hackers can turn your TV into a spying device, watching your everyday activities and listening to your private conversations. This is not some fly-by-night conspiracy theory; it is a reality acknowledged by the top security researchers in the world.

It is not just your personal data that is at risk. Smart TVs, due to their inherent connectivity, can also serve as a gateway into your home network. Once hackers infiltrate your Smart TV, they can potentially gain access to your computer, tablet, or smartphone and the personal information within them. This could lead to serious breaches in financial and personal security, making Smart TV hacking a significant threat that should not be taken lightly.


How can you make your Smart TV safe?

If the thought of your living room turning into a hacker’s surveillance paradise sends a chill down your spine, you’re not alone. The good news is that there are measures you can take to safeguard your privacy and make your Smart TV safe. First and foremost, it’s important to regularly update your TV’s firmware. Manufacturers often release patches that can fix security vulnerabilities, so keeping your TV updated is a crucial step in maintaining your privacy.

Consider disabling certain features on your TV. For instance, if you never use your TV’s camera, it would be prudent to tape it up or disable it entirely in your TV’s settings. Likewise, if your TV has ‘voice recognition’ or ‘motion control’ features, disabling them might be a good idea, as they can potentially be used to spy on you. Remember: the fewer features you activate, the fewer opportunities hackers have to exploit your TV.

Stay Aware, Stay Safe

One of the best ways to protect yourself is to stay informed about the latest developments in Smart TV security. Attend webinars, read articles, and follow experts in the field to keep abreast of the latest security threats and fixes. By educating yourself, you can stay one step ahead of the hackers and keep your Smart TV safe.

Secondly, make sure to use secure, unique passwords for all of your apps and online accounts. Avoid using personal information that could be easily guessed, such as your name, date of birth, or common phrases. Instead, opt for a mixture of uppercase and lowercase letters, numbers, and special characters to create a strong password. Always remember, a strong password is your first line of defense against cyber attacks.

Final Thoughts

Today, in the age of hyper-connectivity, even our televisions aren’t just for watching shows anymore; they are portals to the internet, complete with all the associated risks and threats. While Smart TVs offer a myriad of exciting features and functionalities, they also present new avenues for hackers to invade our privacy. But by staying vigilant, regularly updating our devices, using strong passwords, and carefully managing our TV’s features, we can enjoy the benefits of Smart TVs while steering clear of the risks. So, is your Smart TV spying on you? With the right precautions, you can make sure the answer is a resounding ‘No’.

The post Is Your Smart TV Spying on You? appeared first on McAfee Blog.


USN-6473-1: urllib3 vulnerabilities


It was discovered that urllib3 didn’t strip HTTP Authorization header
on cross-origin redirects. A remote attacker could possibly use this
issue to obtain sensitive information. This issue only affected
Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-25091)

It was discovered that urllib3 didn’t strip HTTP Cookie header on
cross-origin redirects. A remote attacker could possibly use this
issue to obtain sensitive information. (CVE-2023-43804)

It was discovered that urllib3 didn’t strip HTTP body on status code
303 redirects under certain circumstances. A remote attacker could
possibly use this issue to obtain sensitive information. (CVE-2023-45803)
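The redirect handling that these three fixes enforce, sketched as an added example (not urllib3's own code and not part of the advisory). The function names, sample hosts and token are constructed for illustration, and the list of body-describing headers is an assumption of the sketch.

```python
from urllib.parse import urljoin, urlsplit

# Headers the advisory names as leaking on cross-origin redirects.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie"})
# Assumption of this sketch: headers that only describe a request body.
BODY_HEADERS = frozenset({"content-length", "content-type",
                          "content-encoding", "transfer-encoding"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(scheme))


def _without(headers, names):
    """Copy headers, dropping any whose lowercased name is in names."""
    return {k: v for k, v in headers.items() if k.lower() not in names}


def follow_redirect(method, url, headers, body, status, location):
    """Build the follow-up request: returns (method, url, headers, body)."""
    target = urljoin(url, location)  # Location may be relative
    new_headers = dict(headers)
    if origin(target) != origin(url):
        # CVE-2018-25091 / CVE-2023-43804: credentials stay with their origin.
        new_headers = _without(new_headers, SENSITIVE_HEADERS)
    if status == 303 and method.upper() != "HEAD":
        # CVE-2023-45803: a 303 is re-fetched with GET, so the body must go.
        method, body = "GET", None
        new_headers = _without(new_headers, BODY_HEADERS)
    return method, target, new_headers, body


# Constructed sample request; hosts and token are placeholders.
SAMPLE_HEADERS = {
    "Authorization": "Bearer constructed-token",
    "Cookie": "sid=constructed",
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "*/*",
}

if __name__ == "__main__":
    print(follow_redirect("POST", "https://api.example.test/login",
                          SAMPLE_HEADERS, b"user=alice", 303,
                          "https://cdn.example.net/landing"))
```

A scheme downgrade on the same host counts as a different origin here, so credentials are also dropped when an HTTPS URL redirects to plain HTTP.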


Cybersecurity hiring and retention challenges in 2023


Scott Scheppers, chief experience officer for AT&T Cybersecurity, weighs in on how his team is addressing the cybersecurity talent shortage. This is part one of a two-part blog.

The boundaries between the physical and digital worlds are decreasing. The Internet of things (IoT), artificial intelligence, blockchain technology, and virtual reality are buzzwords that have already made their way into everyday language. Services that were traditionally hardwired, such as copper landlines and traditional PBX systems, are being brought online through cloud computing and Voice over Internet Protocol services. For many businesses, the chosen catchphrase to describe this movement is ‘digital transformation’. According to Forbes, this transformation is not only growing at an exponential pace but is also one of the most impactful business trends in 2023. 

While this shift promises increased efficiency and growth, it also opens more opportunities for cybersecurity attacks and, consequently, an accelerated need for cybersecurity experts. Unfortunately, the latter part is where the industry is facing a challenge.

The (ISC)2 2022 workforce study revealed there is a shortage of 3.4 million cybersecurity specialists, an increase of 26% from the previous year. On the other hand, the Bureau of Labor Statistics reported that the field is expected to expand by more than 33% from 2020 to 2030. The industry’s need for skilled cybersecurity practitioners is, in fact, growing faster than the number of people entering the field.

To address some of these pressing issues, Scott Scheppers, chief experience officer (CXO) at AT&T Cybersecurity, lends insight on how his team is meeting the challenge of hiring and retention. Scheppers has more than 30 years of experience in security, and his team staffs nine global network and security operations centers that run 24/7/365. Throughout his career, Scheppers has witnessed the industry’s explosive growth firsthand. He was on the front lines of national defense before cybersecurity was even a fully developed concept.

“When the cyber domain began growing in the late ’90s,” says Scheppers, “it wasn’t even called cybersecurity. There was just a bunch of IT professionals worried about keeping the IT department running. They didn’t think operationally. They just had to service desks, close tickets, and make emails work. Then, in the late ’90s and early 2000s, we had demonstrations of how easy it was to hack someone’s email. That was just the beginning.”

He continues, “When I first started in the Air Force, I was an intelligence officer. In intelligence, you focus on what the adversary is doing, collect information, and analyze it. This is different from the IT department, which is mainly focused on keeping things running.”

“In the intelligence team, our focus is the adversary. We needed to be constantly thinking strategically about how to combat the rise in cybercrime. And so, our team was perfectly positioned to transition into cybersecurity. I entered the Air Force as an intelligence officer and was the head of cybersecurity by the time I left. During this time, I watched the transformation of cyber into a critical warfighting domain. It was a crazy time of sink or swim. I am grateful to have been part of teams that led our national response to key cybersecurity events.”

After Scheppers’ time of service in the government, he accepted a position in AT&T’s Cybersecurity department. Today, he oversees the operations team that runs all of AT&T’s managed security services. AT&T is, in fact, among the top cybersecurity services companies in the world, providing cybersecurity consulting and managed network and security operations for small to large enterprises, as well as mid-size business and government organizations.

Scheppers saw a difference in leadership style in his transition from government to civilian organizations. “In the Air Force, leaders essentially ‘own’ every aspect of their airmen’s lives; when you want to move someone for vitality or the betterment of the unit, they don’t get a vote.  In civilian organizations, people do get a vote on who their boss is.  In fact, people often follow a boss from job to job.  This adds a wrinkle to leading the organization.  You must win the hearts and minds of your team daily by growing and delivering for them.”

He describes his current position of leadership. “Today, I have great people that are doing great things in my organization. If I set the table correctly, I hope for a relatively boring day where I can focus on touchpoints or strategize on higher levels to plan the next steps of the organization.”

What are the biggest misconceptions about hiring in Cybersecurity?

According to Scheppers, one of the biggest misconceptions in entry-level Cybersecurity recruitment is that certifications equate to potential and capability. “People often think they need to hire someone with a bunch of certifications to be successful,” Scheppers states, “But I don’t think entry-level workers need to come in with piles of certifications. If they have them, that’s great, but these certifications alone don’t translate to a great hire.”

“In my organization, we look for people with inquisitive mindsets who like to solve problems – like the detectives in CSI,” Scheppers adds with a chuckle. “Of course, you can’t loathe IT-related things, but the truth is, you don’t need a cybersecurity degree to get started. If you have basic computer skills and an inquisitive mindset, you are off to a great start.”

Scheppers believes this common misconception is one of the reasons companies struggle with hiring cyber professionals. “Right now, there is a shortage of people in the field and it’s highly competitive to hire existing professionals. If companies only accept entry-level people with all the right certifications, they’re going to end up paying a high price. The key is to train your people. Then, you can also build your own culture in the process.”

“A few of the characteristics I look for are from Patrick Lencioni’s definition of an ‘ideal team player’,” Scheppers adds. “Ideal team players are people who are hungry to learn, humble, and people smart. These qualities are foundational to healthy organizational cultures.”

When recounting previously successful hires, he shares that they have hired people who came from selling entertainment packages door-to-door or pulling fiber lines in the attics. “Although they weren’t your typical cybersecurity hires, they had the qualities we look for. So, you bet we brought them onboard. Not only have they been outstanding performers, but they have also grown into key leaders of our operation.”

While this hiring mindset may apply to entry-level hires, Scheppers clarifies that this is not a rule across the board. “If I need someone with specific experience who can hit the ground running from day one, I’ll have to find someone more experienced.” In such cases, those specialized, verifiable skills and training are important.

He adds, “Certifications and courses are valuable, and they matter in this industry. They help provide credibility and sharpen skills. For those who come in and don’t have the education needed to succeed, we provide them with opportunities to grow here! Just note that certifications are not the only metric for bringing an entry-level hire onto the team.”
