
Samsung TVs should be regularly virus-checked, the company says - haxiomic
https://www.bbc.co.uk/news/technology-48664251
======
oflannabhra
The reason TV manufacturers want to have connected TVs is not to provide
utility to the user, but so that they can monetize a user's data. The "smart"
part runs recognition software to identify what content you are watching, how
long you watch it, records it, uploads it to the manufacturer's service, and
then the manufacturer can aggregate it and sell it off. The Verge interviewed
Vizio's CEO [0], who stated

> This is a cutthroat industry. It’s a 6-percent margin industry, right? I
> mean, you know it’s pretty ruthless. You could say it’s self-inflicted, or
> you could say there’s a greater strategy going on here, and there is. The
> greater strategy is I really don’t need to make money off of the TV. I need
> to cover my cost. And then I need to make money off those TVs.

Apple had to directly fight this when they brought their TV app over to smart
TVs. It's also why I will never let a TV on my network, and will always use a
separate streaming box.

[0] -
[https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit...](https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit-vizio-tv-bill-baxter-interview-vergecast-ces-2019)

~~~
Illniyar
How much can you sell it for? Really - let's say you have my entire viewing
history for a year, let's say I'm from a valuable demographic, how much would
that be worth? A dollar? 10 dollars?

I've just bought a tv for thousands of dollars from the company, selling my
data doesn't seem very cost effective, especially considering the PR backlash
of some scandal that could come out of it.

~~~
droithomme
_> How much can you sell it for? A dollar? 10 dollars_

When we were a Nielsen family they would include something like $4 in cash in
each week's mailing as a gift. That's on top of the cost of producing the
surveys, mailing costs, transcribing the viewing records, assembling the
results, and then all the marketing efforts to the networks to convince them
this data is valuable. It must cost at least $50 per family per month for
their viewing data, which has at least a week latency before it can be known,
and is probably always inaccurate.

Smart TV viewing data on the other hand is completely accurate and
instantaneous. So just for the show viewing data to assemble more accurate
ratings it's probably worth more than $10 per week/$520 a year. But that's
only one sort of data that is being collected and one sort of service
provided. Nielsen doesn't sell information to advertisers about a specific
known family's interests, or to allow narrowly targeted ads. But Vizio is able
to sell that possibility. Do they make $500 a year off of each connected TV?
$1000? Even if only $150, over four years that's $600.

I recently bought a 4K HDR smart TV for $199. It was a significant upgrade to
my previous TV. The panel itself costs more than the TV. In fact buying a HDMI
monitor of comparable size and resolution, without a receiver or smart
functions, runs over $2000. It's possible these TVs are being sold with up to
a 90% up front subsidy of the cost because the economic value of voluntarily
placing such a powerful surveillance device and accepting the mandatory click
through contract is a lot more than $1800. Similar to cell phone economics. I
bought a brand new no-contract pay-as-you-go iPhone for $99. It definitely
cost more than that to manufacture. How can they sell it for this price? We
know. Because if I do use it, it's locked to one carrier and I have to buy
refresh cards from them. I have no obligation to ever activate it, but most
buyers do so, and the carrier will then in most cases make back their subsidy
manyfold. Same for the $10 no-contract Android phone I bought before this.
Both are good phones. Both cost way more to make than I paid new, as with the
Smart TV.

~~~
jcoffland
> When we were a Nielsen family they would include something like $4 in cash
> in each week's mailing as a gift.

Nielsen ratings only collected a representative sample which makes each sample
orders of magnitude more valuable.

------
petepete
Here's another case for not owning a Samsung Smart TV. Mine, which I bought
for approximately £1.3k in late 2016 received a firmware "upgrade" in mid-2017
that inserted advertising into the TV's UI.

Upon contacting Samsung to complain they informed me that it was _my fault_
that they were appearing due to _applications that I have installed_. The ads
all originated from applications that were pre-installed that were locked and
un-removable.

In the end I had to work out how to block the TV from contacting Samsung's ad
servers at the DNS level, although now a PiHole is an easier solution to this
problem.

[https://gist.github.com/peteryates/b44b70d19ccd52f62d66cdd4b...](https://gist.github.com/peteryates/b44b70d19ccd52f62d66cdd4bcef1e52)
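
An added example, not part of the original post: one way to check what DNS-level blocking actually catches for a single device is to audit the resolver's query log. It assumes dnsmasq-style `query[...] name from client` lines (the format Pi-hole's resolver logs); the log lines, client addresses and `.example` domains are constructed for illustration.

```python
import re
from collections import Counter

# dnsmasq "log-queries" line: "... query[A] name.example from 192.168.50.20"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

# Constructed blocklist entries: each one blocks the name itself and every
# subdomain beneath it.
BLOCKED = {"tv-ads.example", "acr.tv-cloud.example"}

# Constructed sample log. 192.168.50.20 stands in for the TV.
SAMPLE_LOG = [
    "Jun 17 20:01:02 dnsmasq[412]: query[A] ads.tv-ads.example from 192.168.50.20",
    "Jun 17 20:01:02 dnsmasq[412]: query[AAAA] ads.tv-ads.example from 192.168.50.20",
    "Jun 17 20:01:05 dnsmasq[412]: query[A] eu.acr.tv-cloud.example from 192.168.50.20",
    "Jun 17 20:01:07 dnsmasq[412]: query[A] time.tv-cloud.example from 192.168.50.20",
    "Jun 17 20:01:09 dnsmasq[412]: query[A] nottv-ads.example from 192.168.50.20",
    "Jun 17 20:01:11 dnsmasq[412]: query[A] api.streaming.example from 192.168.50.20",
    "Jun 17 20:01:12 dnsmasq[412]: query[A] ads.tv-ads.example from 192.168.50.31",
    "Jun 17 20:01:12 dnsmasq[412]: reply ads.tv-ads.example is 0.0.0.0",
]


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def is_blocked(name, blocked=BLOCKED):
    """True if the name or any parent domain is on the blocklist.

    Matching is done on whole labels. A plain string endswith() test would
    wrongly treat 'nottv-ads.example' as a subdomain of 'tv-ads.example'.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def audit(log_lines, device_ip, blocked=BLOCKED):
    """Count one device's queries, split into blocked and still-resolving names."""
    hits, misses = Counter(), Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m is None or m["client"] != device_ip:
            continue  # not a query line, or a different device on the network
        name = normalize(m["name"])
        (hits if is_blocked(name, blocked) else misses)[name] += 1
    return hits, misses


if __name__ == "__main__":
    hits, misses = audit(SAMPLE_LOG, "192.168.50.20")
    print("blocked by the list:")
    for name, count in hits.most_common():
        print(f"  {count:3d}  {name}")
    print("still resolving (review before allowing or blocking):")
    for name, count in misses.most_common():
        print(f"  {count:3d}  {name}")
```

The "still resolving" list is the useful output: it shows which names the device keeps looking up after the blocklist is applied, so new telemetry hosts and the streaming hosts that must stay reachable can be told apart.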

~~~
dessant
LG TVs also contain ads in the home menu and other places, and there is no
official way to opt out. Sony TVs appear to be the most user friendly options
if you'd rather not see ads on a premium device.

[https://www.rtings.com/tv/learn/ads-in-smart-tv](https://www.rtings.com/tv/learn/ads-in-smart-tv)

~~~
mxuribe
I've also tried my best to avoid purchasing any Sony products...ever since
around 2005 [0]. While I do acknowledge that some of their products
historically have been good quality...I've tried my best to use my wallet to
vote my conscience.

[0] =
[https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...](https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal)

~~~
ken
Thus, the problem with Adam Smith's Invisible Hand in the modern world. I
salute you for sticking to your guns, but I think we all could have predicted
that Sony wasn't going to suffer any significant consequences from that.

There's 10 major brands of TVs, and 10 attributes by which consumers decide
what to buy. Even if you could get 95% of consumers to agree (ha) that one
brand is the absolute worst at the most important attribute, it's still going
to be the best at something else.

There simply aren't a sufficient number of axes of control here to influence
change.

------
jasode
_> “Prevent malicious software attacks on your TV by scanning for viruses on
your TV every few weeks,” _

This reads like an Onion parody article but unfortunately, that security
precaution is reality.

To generalize the Samsung example further, this is why I don't believe it's
realistic that decentralization can happen via _average homeowners_ owning a
"server appliance" that serves up webpages, social media profiles, videos,
email, etc. I made a previous comment on how disciplined security practices
are too tricky for non-techies.[0]

Yes, a bunch of techies can run personal servers (Raspberry Pis, Freedombox,
etc) to run a decentralized Q&A site to replace Stackoverflow. Or maybe run a
decentralized discussion forum to replace HN. However, a bunch of grandmothers
cannot be expected to maintain their own web appliances to run a decentralized
cooking recipes website.

[0]
[https://news.ycombinator.com/item?id=11861683](https://news.ycombinator.com/item?id=11861683)

~~~
walterbell
Grandmothers and everyone else already use edge routers/modems that can be
centrally managed and updated. Edge servers can be locally or centrally
managed. If centrally managed, they can be decoupled from the telco, i.e.
competition among "edge server management services" instead of a land-bound
monopoly. Techies can optionally enable local management.

~~~
everdrive
I don't know a single Grandmother that keeps her WiFi router updated and well
configured.

~~~
untog
More and more routers self update these days, which is absolutely the right
choice for 95% of users.

That's something I don't get about the Samsung setup here actually. Just run
the scan (from the video it takes about a second?) automatically without the
user needing to. Then you don't have to make awful promo videos about users
needing to do a scan.

~~~
ForHackernews
No, but then the HN user set would be posting outraged medium.com blogs about
how their TV is stealth-updating behind their back without their approval.

~~~
wmf
I assume Samsung TVs already auto-update which makes it even more puzzling
that the virus scanning isn't also automatic.

------
sschueller
Does anyone have a list of IPs and domains Samsung uses which I can block in
my outgoing firewall rules?

Or alternatively all IPs Netflix uses so I can whitelist those.

EDIT:

From another comment's link.

    
    

~~~
andy123456
Can't you just block the TV's MAC address entirely in your router.

~~~
slig
Or just don't enter your WiFi password on it.

~~~
hadlock
Our smart TV lives on its own wifi network, I super don't trust it to
interact nicely with other devices on our home network. All the other smart
home stuff (smart led lights, etc) lives on its own network as well.

~~~
slig
But then it can self-update and install crapware without any interaction
anyway.

------
Someone1234
Conceptually embedded devices shouldn't even have writeable storage for
malware to persist. This doesn't require a special operating system or a
kernel patch, Linux (which is popular for these types of devices) natively
supports read only storage.

You can have a small read/write volume where update bins are placed. Upon
reboot, a pre-boot environment checks the bin's cryptographic signature, and
if it passes it then extracts the bin, overwriting the read only
filesystem and a second reboot occurs allowing normal boot into the updated OS
where the file system is again read only.

This is how e.g. the Playstation works. Amongst several vehicle manufacturers'
infotainment units. Even Windows uses a pre-boot environment to write certain
"hard lock" files and registry areas. This is not wild "pie in the sky"
thinking, this is an industry norm or was.

Why does a smart TV that's meant primarily for streaming content directly from
the internet need a R/W file system? Settings? Couldn't that be stored in a
micro-volume without execute flag and SELinux limits?

~~~
behringer
And what if the cryptographic hashes are broken, stolen, or whatever? Once
you're in the system, if there's rewriteable storage at all, it can be
compromised.

If you want to stream, the apps need to be updated as streaming service
providers update their systems from time to time.

~~~
Someone1234
> And what if the cryptographic hashes are broken, stolen, or whatever?

You've still improved the scope of exploitation from:

- Need an RCE (remote code execution) in any service on the device for a
persistent threat

To:

- You need an RCE in any service on the device

- You also need to be able to generate a cryptographically signed update
which will install for persistent threat

That's a win. That's a BIG win. Particularly as regular updates can replace
compromised cryptographic credentials.

You're essentially arguing the "if the solution is imperfect, we should do
nothing" fallacy. You haven't proposed a better alternative, just argued that
no action is better than an action that falls below perfection.

> If you want to stream, the apps need to be updated as streaming service
> providers update their systems from time to time.

Which may require a reboot. It is unfortunate, but makes the device more
secure and less susceptible to hardware originated data corruption (since the
volumes can be completely verified for correctness, compared to the source
images which can also be verified for correctness via HMAC).

There's no specific set standard for how bin updates work. They can range from
complete file system updates to incremental updates.

~~~
behringer
I really don't get what you're saying. None of your proposals would solve the
problem being discussed. Are cryptographic hashes not already completely
common-place? That was standard even 10 years ago, if only just to make sure
the files are not corrupt.

In actuality, running virus checks is a fine idea, particularly if the process
can be automated and updated for newer threats.

~~~
0xEFF
It seems you're conflating cryptographic hash with a digital signature.

Digitally signed updates via pre-boot environment with a read only post-boot
environment is an effective way to solve the problem being discussed.
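
An added example, not part of the original comments: the pre-boot check described earlier in this thread (verify the update bin's signature, then overwrite the read-only filesystem), set beside a checksum-only check to show the hash-versus-signature distinction made here. To run with only the Python standard library it uses a Lamport one-time hash-based signature as a stand-in; a production updater would typically use Ed25519, RSA or ECDSA, and every function name and the bundle layout are assumptions.

```python
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_bits(data: bytes):
    """Yield the 256 bits of SHA-256(data), most significant bit first."""
    for byte in _h(data):
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


# --- Lamport one-time signature (stand-in scheme, one key signs ONE image) ---

def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(_h(zero), _h(one)) for zero, one in priv]
    return priv, pub


def sign(priv, image: bytes):
    """Reveal one secret per digest bit; only the private-key holder can."""
    return [priv[i][bit] for i, bit in enumerate(_digest_bits(image))]


def verify(pub, image: bytes, signature) -> bool:
    if not isinstance(signature, list) or len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(image)):
        ok &= hmac.compare_digest(_h(signature[i]), pub[i][bit])
    return ok


# --- Update bundle as it sits on the small read/write volume (hypothetical) ---

def make_update(image: bytes, vendor_priv) -> dict:
    """Vendor side: ship the image with a checksum and a signature."""
    return {
        "image": image,
        "sha256": hashlib.sha256(image).hexdigest(),
        "signature": sign(vendor_priv, image),
    }


def hash_only_check(bundle) -> bool:
    """Integrity only: detects corruption, says nothing about who made the image."""
    actual = hashlib.sha256(bundle["image"]).hexdigest()
    return hmac.compare_digest(actual, bundle["sha256"])


def preboot_check(bundle, vendor_pub) -> bool:
    """Authenticity: passes only for images signed with the vendor's private key."""
    sig = bundle.get("signature")
    return sig is not None and verify(vendor_pub, bundle["image"], sig)


def replace_image_and_rehash(bundle, new_image: bytes) -> dict:
    """Model tampering on the writable update volume: the image is swapped and
    the checksum recomputed. Without the private key the signature cannot be
    regenerated, so it is left unchanged."""
    return {**bundle, "image": new_image,
            "sha256": hashlib.sha256(new_image).hexdigest()}


def apply_update(current_rootfs: bytes, bundle, vendor_pub) -> bytes:
    """Pre-boot step: overwrite the read-only rootfs only if the signature verifies."""
    if preboot_check(bundle, vendor_pub):
        return bundle["image"]
    return current_rootfs


if __name__ == "__main__":
    priv, pub = keygen()                      # pub is baked into the pre-boot environment
    genuine = make_update(b"rootfs v2", priv)
    altered = replace_image_and_rehash(genuine, b"rootfs v2 + implant")
    for label, bundle in (("genuine", genuine), ("altered", altered)):
        print(label, "hash ok:", hash_only_check(bundle),
              "signature ok:", preboot_check(bundle, pub))
    print("rootfs after altered update:", apply_update(b"rootfs v1", altered, pub))
```

The altered bundle passes the checksum comparison because anyone who can write the file can also rewrite its hash, while the signature check rejects it and the existing filesystem is kept.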

------
awalton
This is precisely why my "smart TV" isn't allowed on my network.

Millions of dollars of work to theoretically save the user on a $10 HDMI cable
(but, more honestly, just to make consumers buy new TVs every couple of years
regardless of whether they need one or not, simply because the "smart" unit is
out-of-date). Sometimes this industry needs a boot to the head.

~~~
rietta
Despite all the trying I have, I cannot get my mom or grandmother to ever
understand switching HDMI sources. The SmartTV has most functions built in
with a single remote control. This is crazy significant to the appeal.

~~~
awalton
My cable box has a remote that's able to turn off and on my TV and switch the
TV's sources. I haven't taken the TV's remote out of its original packaging.

It's 2019 - this is a solution in search of a problem.

~~~
hombre_fatal
Seems by your posts you're assuming everyone already has a cable box + service
since you think the TV saves you a mere HDMI cable.

Meanwhile I'm not sure I've even had roommates or been to someone's house my
age (25-40) in the last 5 years that had cable service. It's always the same:
everyone just navigates to the TV's built-in Netflix/HBO/Amazon/etc. app and
puts something on.

If you think everyone in the world has a cable box, then I understand why you
don't understand smart TVs. But your premise is mistaken.

------
SomeOldThrow
Is it even possible to buy dumb tvs anymore? I have been hanging on to my 2014
model (and will probably try to use it for another decade) because the new tvs
I interact with have ruined basic tv interactions. All I want: on/off, input
switch, volume control.

~~~
turbinerneiter
Sadly, no. Which is a big problem, since Smart TVs are the most user-hostile
thing _ever_.

Auto-play, ads, pre-installed stuff, non-reprogrammable app-shortcut buttons
on the remote, user-tracking. And there is no control, no settings, no opt-
out.

I have to figure out if I can get an alternative firmware on my Samsungs TV.
In theory, Tizen is Open Source.

It is so frustrating.

~~~
2muchcoffeeman
What about buying a commercial display panel?

[https://www.mwave.com.au/product/lg-se3kdb-49-full-hd-ips-le...](https://www.mwave.com.au/product/lg-se3kdb-49-full-hd-ips-led-commercial-display-ac15890)

Some of these things look like they have API and what not, so maybe they allow
you to turn off all the things you don't want?

~~~
datenhorst
The thing is, those don't have DVB-T receiver, which some people out there
still require to watch cable TV.

~~~
ihuman
Are there external DVB-T receivers?

~~~
ascagnel_
SiliconDust makes a network-attached DVB-T tuner[0] that works with MythTV &
Plex, for DVR + live TV.

[0]: [https://www.silicondust.com/product/hdhomerun-connect/](https://www.silicondust.com/product/hdhomerun-connect/)

------
tombert
Things like this are why I kind of despise the "smart TV" movement.

I can't blame people for using them, they're convenient as hell, but at some
level I have trouble seeing why the _TV_ needs to have the _computer_ built
into it. To me, a _TV_ should be a more-or-less "mechanical" device that does
one thing and one thing only: display video.

Obviously, though, this only defers the error over to AppleTV or AndroidTV or
whatever computer you have plugged in. I guess with the (admittedly awesome)
advent of streaming-all-the-things, stuff like viruses are an inevitability.

~~~
rietta
In my experience, a SmartTV can stream and HAS ONE REMOTE. Every family member
who is not an IT professional has struggled deeply with any TV/AV setup where
two or three remotes are needed. This same customer is also not going to have
an easy time on their own setting up some yet another third party universal
remote.

~~~
saltcured
It used to be that the youngest child had an honest job, acting on voice
commands and adjusting the controls. It seems like people won't be happy until
this experience is fully replicated with automation...

More seriously, I've found that a bluetooth keyboard with built-in pointer is
my favorite remote. I treat the TV as a monitor and operate MythTV or Firefox
to go to Netflix or Pandora from the couch.

I confess, I do have a second remote to control the audio. I could never
tolerate the sound of built-in speakers in any TV. My media computer sends the
video to the TV via one HDMI connection and digital audio to the hifi receiver
via another HDMI port. So, I change volume as well as other downmix or night-
mode options on the receiver, leaving the PC audio settings constant.

~~~
pacerwpg
What resolution does Netflix stream at with Firefox?

~~~
saltcured
I think I read that it is limited to 720p for Firefox on Linux (probably for
DRM reasons). For the most part, it looks as good to me as typical 720p or
1080i ATSC over-air broadcasts. And, I'd say both look better than the typical
digital cable or satellite TV I've seen elsewhere.

I have a 1080p TV, but the only time I've really cared is certain 1080i PBS
shows, with natural landscape scenes deinterlaced via MythTV. Otherwise, 720p
seems fine. It feels to me that every provider is optimizing their compression
levels for an audience who is less picky than me. Usually, I am bothered more
by inconsistent compression than absolute resolution.

------
fredley
Don't buy a smart TV, don't let your family/friends buy smart TVs. Buy a dumb
screen and hook it up to an Apple TV, Chromecast etc. The 'smart' software is
a privacy nightmare over which you have very little control. And sure, so is
the Chromecast, but I at least have more faith that wherever that data's going
it's going there securely and is relatively unlikely to be breached. Also, the
software on your smart TV will age much faster than the screen itself.

~~~
imgabe
Is it even possible to buy a dumb screen anymore?

~~~
bastawhiz
"Commercial displays" are the answer. A TV without a tuner or any of the
bullshit. Just HDMI.

~~~
theomega
Any recommendations for what vendor and what line to go with?

~~~
Multicomp
NEC E series for cheap, P series for the pro grade stuff.

In a past theme park life we setup our outdoor TVs for showing queue line
content and they used NEC P430(? It's been years) both outside in a case and
inside for digital menu boards in restaurants.

------
PopeDotNinja
My approach to a smart TV was just to buy a PlayStation. Anything I've wanted
to do on my TV was available as an app in the PlayStation store, with the
exception being Google Play Music. I had previously tried using a Google
Chrome, but eventually got sick of its lack of local storage & native remote.

~~~
koboll
Unfortunately, the options for non-smart TVs keep getting narrower.
Manufacturers want to inject app access into every device they can. You can't
even buy a UHD disc player without an app platform coming with it.

~~~
pwinnski
My Sony has the ability to be connected to the internet, but has never been
connected to the internet.

Do other manufacturers force a connection in some way?

~~~
hombre_fatal
Only my purist sensibilities prefer the idea of a TV that doesn't even have
apps. But I know I can simply abstain from connecting the TV to the network.
Seems like a non-issue.

An entry-level 32" Samsung is $200. I wouldn't be surprised if having "smart"
capabilities subsidized the cost because Samsung gets kickbacks from, say, new
Netflix subscriptions made from the TV itself, or some services pay for
inclusion. In other words I don't even think you'd be avoiding any serious
$premium by finding a dumb TV.

~~~
mikeryan
The costs are being subsidized by audience measurement tools such as those
provided by folks like Inscape and Samba TV which quantify viewing habits by
tracking what you watch.

[https://www.inscape.tv/](https://www.inscape.tv/)
[https://samba.tv/](https://samba.tv/)

------
sschueller
How about open sourcing the code running on it or at least letting us run our
own software?

A lot of apps that came with my TV from Samsung have been removed over the
years as they stopped supporting them. For example Skype. So I paid for a TV
with Skype, now it has no more Skype.

~~~
minimaul
No, you paid for a TV with an App Store, where there were apps (pretty much
all provided by third parties).

It’s not Samsung’s fault if a third party pulls their app.

~~~
kbenson
It depends. If the TV was advertised with a specific application, which I see
often, then the loss of that application is a loss of advertised
functionality.

The way I see it, if they used the availability of an app as a direct selling
point, that makes them somewhat liable to its continued functionality. If
they didn't secure that contractually or with some level of assurance, they
should not have advertised it.

~~~
JustSomeNobody
No, you received an implied license for the life of the television to operate
it as a television. Samsung reserves the right to modify the software on said
television as it so chooses.

~~~
horsawlarway
I think without trying this opinion before a court, you have no idea.

Samsung may have reserved the right to modify the software, but I've literally
seen smart tvs from Samsung that have a "Netflix" button on the physical
remote.

They have shipped tv boxes that clearly and prominently display the Netflix
app on the tv.

If the Netflix button on the remote no longer works, the tv is not doing what
the user bought it to do and what it was advertised as being capable of.

~~~
fivefive55
I know you're just using Netflix as an example, but has anyone actually had
that app pulled from their TV? I have an old 32 inch Vizio smart tv that I
bought back in 2011 and all my big apps still work on it, albeit kind of
slowly. Netflix, Prime, Vudu, all still available.

------
jka
Miniature sci-fi concept pitch:

A future where the world is largely a privacy-scarce melting pot of
competition where individuals vie for leverage over each other based on the
scraps of information they can gather, barter for, or source through a myriad
of insecure networks which provide some base level of value to users (like,
say, a third-party piece of software that runs on a television after the user
grants it permission, accidentally or otherwise).

Meanwhile, VCs and technology experts have long seen this coming and retreated
to countryside enclaves where electronics are banned, and news of the world is
relayed via one-time-pad-over-horseback to ensure that the next level of
marginal gain for the elite is collaborated upon in safety from reprisal.

That's the context at least; many possible plots from there. Basically Elysium
except that the elite eschew technology because technology security is so
flawed that it unintentionally sells them out every time.

~~~
Bakary
Couldn't the elite just eliminate/enslave the rest of the population
altogether and rely on automation?

------
drspacemonkey
I simply do not want a "smart" TV. No internet access, no apps - just a lot of
HDMI inputs, CEC, and a display. Sadly, this is getting harder and harder to
find. When I went to buy last time, Costco didn't have any "dumb" TVs, so all
I did was refuse to hook it up to the internet.

I got a Roku and a Chromecast. Those provide better "smart" functionality than
any TV ever could.

~~~
scarface74
So you don’t want a smart TV but you’re okay with Roku - whose CEO said on an
interview that their entire business model is selling user data, half the home
screen has an ad, and the hard coded buttons on the remote go to highest
bidder?

Chromecast is sold by a business whose entire model is collecting user data
and selling advertising.

Don’t get me wrong, I love my TCL Roku TVs - I have three. But let’s call a
spade a spade. Also, my main one is setup to go directly to the HDMI port used
by my AppleTV.

~~~
saagarjha
I’d trust them a lot more than my average TV manufacturer to keep their
products up-to-date.

~~~
scarface74
Because Google is never known to abandon products.....

But, whether the TV is smart or not, as long as it has HDMI ports, it really
doesn’t matter.

~~~
hyperman1
Assuming it won't start to give popups because it is 6 months since the last
update so will you please connect the ethernet cable.

------
jgrahamc
I own a Samsung TV. It works great. There were apps, I used to use them but
slowly by slowly they bitrotted until the TV is simply an HDMI monitor at this
point.

It still supports legacy broadcast TV over coax etc. but anything "modern" has
rotted away. Which makes me think I simply don't want any smart at all in the
TV.

~~~
wayoutthere
This is both true and not true — yes, a great many apps have been abandoned,
but the big ones (Netflix, Prime Video, Hulu, HBO, premium sports apps, etc.)
are well maintained. The built-in apps are by far the easiest way to watch 4K
HDR video (which Amazon has lots of).

But yeah, all that said, the “smart TV” functionality would be better off in
an external box. I trust that Netflix will update its app because I pay them
every month. I don’t trust Samsung will update the TV software for the 10-year
life of the TV because I paid them all up front. Such is life in the modern
world :)

~~~
darrenf
> I trust that Netflix will update its app because I pay them every month

I pay each month for the WWE Network, yet last week the app stopped working,
with a "no longer supported" message, on my 2013 Samsung TV.

~~~
wayoutthere
Oh, I totally agree that a lot of smaller services (including most of the
cable / TV companies) stopped building apps. IMO it’s only worth it for global
services because smart TV apps are far more heavily used in Asia and Europe.

The client I worked for (a big US cable provider) killed all their smart TV
apps when they realized they were spending ~$500k a year on a bunch of apps
that were being used by _maybe_ 3,000 people a month. They do continue to
support apps for external devices like Roku and Fire TV.

------
MobileVet
Not news to this crowd... but I think it is pretty significant that a major
consumer electronics manufacturer would come out and say this to the
mainstream public.

What can a hacked tv do besides relay viewing information or connect to
Hoolinet? Clearly it could be added to a botnet, but would Samsung be liable
for that? Do the TVs have microphones or cameras... that would open Samsung up
for a lawsuit.

What is to gain from this announcement?

~~~
hombre_fatal
> Clearly it could be added to a botnet

This is why I believe in metered data plans. Certainly not ridiculously
expensive ones, but not "unlimited" access either.

If your IoT devices become open relay DDoS machines, it should show up on your
bill. I'm convinced it's the only solution that aligns incentives correctly.

~~~
verisimilitudes
So, people shouldn't have ''unlimited'' access to the Internet, because
they've had IoT garbage forced upon them and it's their ''responsibility'' to
manage it, when they usually can't actually control it anyway?

Not only that, but a DDoS is usually only an issue for a large central
location that is perhaps part of this manner of problem, anyway.

They can go to Hell.

~~~
0xffff2
Nobody has had IoT garbage forced upon them. They bought it and connected it
to the network, therefore it's their responsibility to manage it. Ignorance of
basic network security is no more a defense against allowing malicious code on
your network than ignorance of the law is a defense in court.

~~~
dewey
Some people have though, there are flats and houses rented and sold that come
with all these things. Either by having smart blinds, lights and fridges
already coming pre installed.

------
jandrese
I guess it would be too difficult for Samsung to have the TV run its own
checks? They could be run while the TV was off to avoid impacting the user
experience.

But honestly if it's anything like PC antivirus software those scans are
useless. If you don't intercept the virus before or while it is installing
it's too late. Once it's in there it can hide from regular AV software all day
long.

------
fabian2k
Having a manual virus scan button on a TV is ridiculous. It wouldn't entirely
surprise me if it doesn't do anything useful at all and is purely a placebo.
If a signature-based virus scan tailored to TVs is available, it should just
run in the background, requiring manual interaction is entirely insane.

Securing the TVs well in the first place would be the best option, but that is
unlikely to happen.

------
tomc1985
"A better solution would be for Samsung to automatically update its operating
system for you."

An even better solution is to stop making unnecessary appliances "smart" and
not handing bad actors a surface area to attack when companies aren't willing
to invest in security

But of course this runs contrary to the bread-and-circuses mode of operation
that dominates tech "innovation" nowadays. Nobody is content making a really
good TV anymore; now they've been infected by the same featureitis that
corrupted software development decades ago

------
dewey
I wish there was a company selling TVs without any “smart” software on it.
100% of the time I use my TV through the Apple TV and even the changing of
input to switch to a console is done through HomeKit.

I guess it would be way more expensive if they can’t subsidize the price
without all the stock apps and ads they ship with it.

~~~
0xffff2
Isn't this basically a monitor (with built-in speakers)? A quick look at
Newegg suggests you can get a 43" monitor for a pretty reasonable
price.

~~~
dewey
Yes but 43” is not really TV size material. They are made for different use
cases.

~~~
0xffff2
What is TV size material to you? A friend of mine has a 60" TV and it's
_huge_. I really can't imagine that most people have TVs that big. You can go
even bigger with monitors, but the selection is thinner so it's hard to tell
if it's really economical.

The whole point of my comment is that average size aside, they really don't
seem to be different use cases at all for a lot of people.

~~~
dewey
My point is that most monitors are not made to be TVs and in the size of a TV
also not competitive based on the price. I’m also not sure there’s a lot of
OLED monitors in that size but I haven’t done much research on that as I’m not
in the market right now.

By TV sized I’m talking about 50+, right now I’m using a LG OLED in 55” and I’m
pretty happy with it. With HomeKit and Apple TV I never see the ads and the
rest of the smart garbage.

------
retrac98
Is there a market out there for a modern dumb TV? A good panel, decent
speakers and a load of I/O in a slick enclosure?

I think I’d buy this.

~~~
scarface74
No because just like Windows PCs. They operate on small margins and make money
by bundling software in the case of consumer Windows PCs or selling viewing
data in the case of TVs.

~~~
retrac98
I know there’s not a mass market for it, but I think a lot of privacy
conscious folks would pay extra _not_ to have apps on their TV.

------
shultays
Also apparently Samsung support has a twitterbot that replies something
similar

> `Hello there! Thanks for reaching out! Could you please send us a DM with
> the TV Model code and more details about this concern? ^Nick`

to every tweet it gets.
[https://twitter.com/SamsungSupport/status/114041514667572838...](https://twitter.com/SamsungSupport/status/1140415146675728384)

~~~
catherd
Chase bank has one of these as well. Pretty awesome to get a canned response
(then ignored all weekend) when you get locked out of your bank while in a
different country.

[https://twitter.com/ChaseSupport/status/1139899780283469825](https://twitter.com/ChaseSupport/status/1139899780283469825)

> 'Hi there. We're here to lend our support. Please DM us with your full name,
> zip code, and additional details regarding your concerns. ^EL'

------
UI_at_80x24
You know that special feeling of vindication and moral superiority when you
are proven correct years later? There's got to be a German word for that.

~~~
hombre_fatal
aka the need to let others know that you were right about something no matter
how little they care. If there was a word for that, I feel like we'd already
be seeing it daily on HN.

------
kevinherron
I'm sad that the next TV I buy will probably have to be a "smart" TV. I went
out of my way to find a dumb one the last time around, and I had to settle for
a lower end model because all the higher end ones have a "smart" component.
All my apps are via an attached Apple TV.

Oh well. As long as it works without being connected to my network I guess
it's fine.

------
thom
Given that we do everything via HDMI and use a Chromecast for anything fancy,
what would people recommend if someone doesn't need these doodads? Computer
monitor plus a soundbar or something? Or does anyone in the UK know of a non-
smart TV that can do FreeView and nothing else, but has a decent spec panel?

~~~
luxpir
Had a similar thought before recently buying a new TV. I had heard of Samsung
ads, LG's slow interface so was looking for something else. I do use a PiHole
in the house, but didn't want to rely on it.

Ended up finding the Philips 50PUS6753/12 50in 4k - the previous version got
What Hi-Fi's TV of year award and does a much better job than a PC monitor.
Under £400 on Amazon atm. In-built sound is, for me, enough to avoid the
soundbar. Also the Ambilight is a nice touch, sort of extending the picture
beyond the screen. Responds to screen, audio or custom colour.

Main thing though is there are no ads that I've noticed and it's a fast enough
interface. Currently using the TV itself for catchup/freeview/youtube and the
rpi as a media centre. You can just not plug the TV in too if you want it
truly dumb.

------
duxup
I recently bought a new TV. After reading all the messes with smart TVs I just
didn't connect mine to my local network. It's just not connected to the
network and I don't intend to connect it.

I do every "smart" activity through a Chromecast device or similar devices
anyway.

Now that alone could in theory be a security risk as it could be out of date
and vulnerable to someone else messing with it in that sense ... but I felt
connecting it was the bigger risk / hassle.

I kinda wish there was just a switch to power off the "smart" options and just
have it operate in monitor only mode. I feel the same about microphones and
cameras on phones. Give me a physical power off switch and led indicator for
those things.

~~~
Isamu
Same here ... don't let your smart TV connect to the network, just use it as
an hdmi endpoint for devices you can (hopefully) control better.

------
CommanderData
I remember reading an obscure paper hacking a smart TV through the radio
antenna after which WiFi could be turned on.

It was a work of art and sounded almost fictional. In the end the attacker
would turn on WiFi and control the TV for not just one, any TV in radius, or
execute a payload to connect back to a CnC for tvs out of range. It would work
even if the TV was in standby.

Patching this particular vuln would have been difficult, though the attacker
would have to craft a payload specific to the make and model. It's a nice
example where adding features increases attack surface, and protecting against
such hacks even for the experienced is near impossible.

Would make for a good HN submission.

~~~
jethro_tell
Man, if you have any clues about where this could be found or any other info
I'd really appreciate it. I'd love to read this.

~~~
CommanderData
Found. Did get some coverage in the end. PoC:
[https://www.youtube.com/watch?v=bOJ_8QHX6OA](https://www.youtube.com/watch?v=bOJ_8QHX6OA)

DVB standards updated their specification after the disclosure too. [1] DVB
announcement:
[https://www.dvb.org/resources/public/pressreleases/dvb_pr263...](https://www.dvb.org/resources/public/pressreleases/dvb_pr263_steering_board_approves_updates_to_prevent_man_in_the_middle_attacks_final.pdf)

Someone found another vulnerability using the same vector - will post if I can
find it.

------
koolba
Also insane is that there is no “disconnect and forget” option for the WiFi on
these TVs. The only method I’ve found that works is to trick the TV into
joining a different network and then turning off that other network.

~~~
jtmarl1n
I have discovered the same thing, had to factory reset the one TV I connected
before I realized this. Now I have a "dummy" SSID I start up anytime I do want
IoT devices to connect to the internet.

------
codedokode
Slightly unrelated, but maybe we should start calling TVs with cameras
"telescreens"? Like, "don't forget to check your telescreen for viruses every
several days".

------
JustSomeNobody
Our Samsung TV isn't allowed to speak to the internet. Hopefully, by the time
we are in the market for another TV, there will have been a swing in the
market away from Smart TVs.

~~~
ksec
If we could somehow standardise on the panel cable, like the one used in LG
OLED Thin and Samsung, then the panel makers could concentrate on making better
panels, while we get a choice and more competition of "Smart".

------
mrbonner
I bought a Samsung SmartTV in 2017 in Costco. The TV is riddled with software
bugs: it would turn itself off randomly, or I cannot turn on the TV unless I
remove the remote batteries and reinstall them. The UI is really slow. I also
owned a series of Samsung Android phones, from the S2 to the S5, and a Samsung
security camera. They are all riddled with a lot of bugs. I have vowed not to
buy a single Samsung product anymore.

~~~
whymsicalburito
I got my TV at Costco and it came with a 2 year warranty. Take it back if it's
broken!

------
yongjik
Last year my teenage daughter decided to trip over the cord of a perfectly
good TCL television, ruining it, so we ended up buying a Samsung TV. It has a
slightly bigger screen and sturdier legs that wouldn't trip over so easily,
but man, it's an exercise in software disaster.

Simply starting Youtube is an exercise in frustration with six or seven arrow
keys, and it comes with a dozen built-in advertisement channels that will
start auto-playing when powered on. After I finally got fed up, I looked up
how to disable them, and turns out I have to click each channel individually
to disable them. Also, I don't know if it's the fault of Samsung, Youtube app,
or my phone (made by Samsung, haha), but trying to cast a Youtube video from
my phone is a total shitfest - sometimes it takes a minute and the streaming
still doesn't start. (Come on, you guys are sitting next to each other!)

It's sad to see such a great brand being ruined for shitty software, but I've
had enough. My next TV won't be Samsung. Maybe it will have a slightly smaller
viewing angle, but who cares.

~~~
SketchySeaBeast
That's frustrating. My LG smart TV is one click away from Netflix and Amazon,
and I've got mapped buttons to YouTube and google play - it's a half second
away, and there are no built in advertising channels. The worst we have is
occasionally we need to exit out of whatever Netflix or Amazon stream we're on
and go back in.

------
CSDude
What is the attack surface for a Smart TV? Any exploits? This is scary and
disappointing. I disable my TVs wifi and only use Apple TVs.

~~~
ahje
My TV (Finlux) has an undocumented API, that allows anyone to pull information
about what I'm watching at the moment. That same API can be used to launch a
telnet daemon which can then be used to log in as root without using a
password. Needless to say I've disabled wifi on it and I don't intend to ever
connect it again.

But hey, the TV runs Linux, which is nice I guess.

------
rock_artist
The biggest issue is lack of software/security updates. They treat those
products as dumb TVs. They've compiled an OS build ("firmware") and you
might get a year of updates and that's it.

Any Smart TV will eventually become a security hazard, meaning a "dumb" TV with
an AppleTV or a reasonably modern streaming device is safer :)

------
dawnerd
This comes from the same company that pushed advertisements through their
notification system and when called out they denied it like crazy until some
news articles came out. Also the same company that was injecting ads into
plex.

Basically, don't connect your Samsung (or any tv) to the internet.

------
myself248
I think this makes the case for not owning ANY smart TV.

Are there ANY manufacturers that have a strong track record of out-of-the-box
configs that aren't total swiss cheese, combined with years of prompt updates
to address issues discovered later, going out to the lifespan of a typical
dumb TV?

------
petee
And yet Samsung stopped providing updates for my 2014 SmartTV 1 year in, so
that's 4 years of NO JAVA UPDATES! Yes, it is permanently disconnected.

I've complained to support and they don't seem to care much, and that I'll
just buy a new TV every 2 years...

------
gumby
This is what drove me off Windows (in the 1990s*): having to spend too large
a proportion of time _managing_ my computer rather than using it (AV, disk
optimizers etc). Although I love writing code and designing hardware I didn't
like the "computer" experience.

Nowadays nobody sysadmins their phone and barely their tablet. And TV users
want to do even less maintenance. In the quest to "add value" these TV guys
have lost the plot.

* I assume things have improved dramatically since then. No slur against Windows implied by my comment, it's merely how things were.

------
cmod
Somewhat tangential and not workable in all situations, but the best "TV" I've
found is a projector bolted to the ceiling. It's out of the way. There's no
"black mirror" taking up space or pulling on your gaze. Project against a
white wall and it's like having a magic wall that turns into a cinema on
demand. The fact that it doesn't work well in daylight is a forcing function
to keep from watching TV / movies during the day. I have an Apple TV plugged
into it, wedged into the ceiling mount, bluetooth audio to the stereo, no
wires anywhere. I love it.

------
xfitm3
Samsung TVs should not be online: it’s proven you can’t trust them. It phones
home and reports your usage - even every time you press the volume button.

Log in to SmartThings and you can see some of the data it collects.

------
linachka
I have a Samsung TV but I've never thought of scanning it for viruses. So,
thank you for this piece of news. Looks like we should take care of ourselves;
at least, thanks to Samsung for warning.

~~~
obituary_latte
I don’t understand, with how cheap Chromecast/Apple TV/whatever streaming
machines are these days, why people don’t use one of those and just not hook
the TVs to the network? Is there something specific on the TV that’s not
available on these other platforms?

~~~
antidaily
It's one less remote.

------
Bucephalus355
I worked for a large network company at one time as a contractor. I was pretty
horrified at _some_ parts of their security. That being said they had a great
attitude towards security I haven’t encountered since, so maybe they’ve
improved. But still very little stopping even a small determined country like
say Monaco from hiring 2-3 decent sysadmins and hacking them to pieces.

Anyway it would surprise me if the TV companies even had bare minimum
acceptable security, because even the net security guys are struggling.

------
Lowkeyloki
My TV is a 42" 1080p LG TV I've had for almost ten years now and I fear the
day it gives up the ghost. I don't really care about 4K or the thinner bezels
(although having a physically lighter, as in less heavy, TV would be nice).
But the last thing I want is a "smart" TV. I just want a dumb box that pushes
the pixels I give it. Are there any of those left out there? Will I have to
sacrifice quality otherwise just so my TV doesn't spy on me or get viruses?

~~~
pard68
Different TV, same situation. I just figure I won't ever plug it in.

------
morpheuskafka
Why would you have a scan-based security approach? Why not just enforce code-
signing of all executables like on iOS? It shouldn't be too hard for a closed,
embedded platform.

~~~
saagarjha
That sounds like extra work.

------
CDSlice
Many of the comments here say that you can just not give your TV access to
your network and you'll be OK. This may not actually be true thanks to
Ethernet over HDMI(1), which could let your Roku/Fire Stick/Apple TV give your
TV internet access over the HDMI cable.

(1)
[https://www.hdmi.org/manufacturer/hdmi_1_4/hec.aspx](https://www.hdmi.org/manufacturer/hdmi_1_4/hec.aspx)

~~~
unwiredben
As far as I know, no Roku device has ever implemented Ethernet over HDMI. It's
too poorly supported by devices to spend money on implementing, and WiFi just
works better.

------
lykahb
Recently I did some research to choose a new TV. I plan to use it as a regular
one, with HDMI input and don't need any smart stuff. Unfortunately, most
models are smart and there is no information about their behavior when
disconnected. It may still show popups to make an account or connect to the
network. Choosing a smart TV feels like choosing a blind box with crap.
Perhaps I'd spend more and buy a commercial monitor instead.

------
ksec
I am willing to pay additional 30% mark up on top of the current price of
Samsung SmartTV for an Apple TV Set.

Benedict Evans has been saying the TV market has slim margins and a long
replacement cycle. I doubt the HomePod addressable market is any bigger than
TV, and it likely has a similarly long cycle. Why not TV? Clearly there is some
value Apple could bring to the TV market. (Although he has been right every
time I disagree with him.)

~~~
rchaud
Apple now has 8k displays with $5000 price tags. A 4k TV would cannibalize
that pretty heavily, even if it was priced at 2-3x the competition.

~~~
ksec
You mean 6K?

The thing is, that monitor is actually compared to a Reference Monitor, and as
far as the initial previews from those who have seen it go, most can't believe
an LCD could be as good as, if not even better than, the OLED. And if the spec
is actually as good as they say (Apple has always been very conservative in
spec listings), maybe they are really targeting the Reference Monitor?

If so, then a normal monitor / TV would not cannibalise it, since they are
completely different segments.

------
anm89
It's funny to me how clear the divide is in terms of valuing this technology
vs being scared of it for people working in tech vs not.

------
scarface74
On a related note:

“The CIA Spied on People Through Their Smart TVs, Leaked Documents Reveal”

[https://www.vice.com/en_us/article/8qbq5x/the-cia-spied-on-p...](https://www.vice.com/en_us/article/8qbq5x/the-cia-spied-on-people-through-their-smart-tvs-leaked-documents-reveal)

------
amiga-workbench
This is absolutely comical, I'm grabbing a second hand NEC commercial panel
when my current TV kicks the bucket.

------
georgebarnett
Years ago I switched to a dumb short throw projector. Now I get a huge clear
picture connected to an Apple TV and a decent set of speakers. I do not regret
my decision. No crappy smart software. Just on and off.

------
achillean
There are nearly 20,000 Samsung Smart TVs directly hooked up to the Internet:

[https://www.shodan.io/report/3AhBQ8hu](https://www.shodan.io/report/3AhBQ8hu)

------
skocznymroczny
I feel glad I own a "stupid" TCL TV. If I feel the need to have "smart"
features, a Raspberry Pi running Kodi/OSMC connected by HDMI is more than
enough.

~~~
rchaud
These types of TVs are rapidly becoming unavailable. It's not just 4K TVs,
anything above 24" is going the SmartTV route.

------
wnevets
Wanna guess which brand of tv I won't be buying when I upgrade to 4k? Is it
still possible to buy "dumb" TVs with the latest display tech?

------
FerretFred
Wow! Who designed that UI to get to the virus scanner?!

------
WarDores
Precisely the reason that I just disable the network connection on mine and
use my Xbox for media. The convenience isn't worth the hassle.

------
aphextim
Surprised they don't come pre-loaded with McAfee

~~~
lozaning
They do though,
[https://www.howtogeek.com/406177/samsung-is-bloating-everyth...](https://www.howtogeek.com/406177/samsung-is-bloating-everything-with-mcafee%E2%80%94even-smart-tvs/)

~~~
aphextim
That made my day. Thank you.

------
Sophistifunk
Honest question - this is a technical audience, why on earth are any of you
guys ever letting your TV connect to the internet?

------
leoh
Dumb question: why doesn't the TV just run antivirus without user
intervention?

------
anbop
I never give my TV Wi-Fi credentials, only the Roku and Prime stick.

~~~
CDSlice
Unless your Roku or Prime Stick passes the internet access through to your TV.

[https://www.hdmi.org/manufacturer/hdmi_1_4/hec.aspx](https://www.hdmi.org/manufacturer/hdmi_1_4/hec.aspx)

~~~
unwiredben
Again, no Roku device has ever implemented Ethernet over HDMI. It's too poorly
supported in TV hardware to be worth doing.

------
pharrington
The obvious solution is to write an ad-blocker for your TV.

~~~
jethro_tell
Don't have a smart TV, but I assume something like Pi-hole would do the job.

------
flexie
How do I check my Samsung TV with my Samsung remote?

------
pmh
Earlier discussion here:
[https://news.ycombinator.com/item?id=20201485](https://news.ycombinator.com/item?id=20201485)

~~~
dang
Thanks! Comments moved thither.

Edit: actually, the BBC article seems to contain more information, so let's
keep this submission instead.

------
diminoten
Or else what? Not exactly the end of the world if my TV is pwned as long as I
can still, you know, use it.

The ability to move laterally in my home network is about as valuable to
anyone sophisticated enough to use it as walking around my apartment complex
would be to a real life Danny Ocean. Could Danny get into my house and take my
PII? Sure, but like, why the fuck would he?

It's not wonderful to potentially be contributing to some botnet, but that's
on Samsung not me.

~~~
saagarjha
I would rather my device not contribute to a DDoS, especially as there may be
legal implications to allowing this, but you do you I guess…

~~~
Cannibusted
You do you? I would lose that ridiculous phrase. It's super condescending and
not needed. No one needs your permission to be themself, or even a 'reminder'.

