
Ransomware Spreading onto Smart TVs, Is a Pain to Fix - kogir
https://consumerist.com/2017/01/06/ransomware-spreading-onto-smart-tvs-is-a-pain-to-fix/
======
noonespecial
It's the same sickness as the "infotainment" systems in cars. It's obsolete the
moment it leaves the factory floor and the device lasts for years.

The screen should be the _screen_. If you want to make it smart, plug in a
Fire Stick, Chromecast, Apple TV or roll your own with Kodi and a Raspi.

This is getting stupid. It's to the point that I bought one of these (1) and
neutered an older smart TV that we had by replacing its "motherboard" just so
it would act as a simple screen.

(1) [http://www.ebay.com/itm/Universal-V29-LCD-Controller-Motherb...](http://www.ebay.com/itm/Universal-V29-LCD-Controller-Motherboard-Board-TV-VGA-HDMI-AV-TV-USB-Interface-/222133043154?hash=item33b8293fd2:g:Q34AAOSwepZXSmhd)

~~~
StavrosK
Wait wait wait. Are all screen interfaces the same? You can just replace the
motherboard of any brand TV and it will work? Do all panels use the same
voltage/pins/protocol? That's huge, if so.

~~~
erentz
Woah woah woah. I'm also interested in this. I have a 47" LG Google TV that is
horrible to use, very slow, terrible interface that keeps crashing, and seems
to never get any updates. The screen is great though, I have a Roku plugged in
and would love to just flash the Google TV OS off it with something dumb that
booted it into dumb screen only mode. I didn't know I could replace the
motherboard like this so easily.

~~~
khedoros1
I've done something similar with an old laptop LCD panel, using an LVDS
controller that I bought on Ebay. I assume that's basically what noonespecial
did, but hopefully with a board that has more TV-useful features (mine just
takes HDMI, VGA, and RCA video input, if I'm remembering correctly).

------
izacus
The fact that's completely impossible to buy a dumb TV anymore (the only
company I know of that does something like that is Vizio, which isn't present
in the EU market) is starting to become a huge problem - if you want a big
screen in your home, it's impossible to not install the greatest malware
vector and security risk in the house.

Btw, from an application developer's perspective it gets even better. For
example Samsung locks down the application store updates after one year for
each SmartTV model. So right now, SmartTV app developers aren't allowed to
update ANY applications for 2015 and older models of Samsung TVs. At all!
When the 2017 lineup comes in a month or so, all current Samsung SmartTVs will
stop receiving app updates as well.

So your applications WILL stop working and start rotting after a year or so
after you buy their TV.

~~~
mike-cardwell
A smart TV which you don't plug into the Internet, is the same as a dumb TV.

~~~
izacus
Well it isn't. First of all there are the obvious software deficiencies - it'll
still boot a heavy OS (boot times can exceed a few minutes from cold start),
and even operations like switching HDMI inputs take significantly longer.

Also several manufacturers (I know of some Samsung versions and Philips) will
position web services in first-level UX navigation, making those TVs annoying
to use as dumb TVs. There are even some models that will constantly nag you to
connect them to the internet!

~~~
foobarian
You know what I miss? When my CRT TV would turn on in 2s, and channel switches
took < 100ms.

~~~
StavrosK
That was great, wasn't it? Channel switching was _instant_ , why can't we have
that now too? :/

~~~
nitrogen
It's probably because of the span between consecutive I-frames (or intra-block
sweeps if not using I-frames) in the video stream, but audio should switch
"instantaneously" (within 1 frame).

~~~
StavrosK
Hmm, if that were the case, wouldn't the time spent waiting be variable? That
would mean that you'd sometimes get instant switches, when the I-frame was the
next frame you received after the switch.

~~~
tinus_hn
It is variable, the stations are multiplexed on channels, so sometimes you can
use the same stream and sometimes you have to switch. That takes time.

I presume the TV hides that by always taking the same amount of time to change
stations.

------
robert_tweed
Personally, I'm wary of ideas like software engineers facing unlimited
personal liability like hardware engineers, because computer science just
hasn't advanced to a point where we can say with confidence that any non-
trivial piece of code works correctly (or even define what that means).

However, I do think there need to be some serious financial penalties for
companies like LG, Samsung, D-Link, etc., who ship flagrantly insecure
firmware that in many cases is unnecessary, is almost never supported for
anything like the realistic lifetime of the device, and where it is clear to
anyone with industry expertise that they have demonstrated a negligent lack of
basic competency.

For example, back in 2007 it _might_ have been acceptable to store passwords
as salted MD5. Nowadays, not good enough. Any hardware made competently then
might have used a salted MD5 password store. Fine. But really, patches should
be provided for at least 10 years and those patches should bring firmware into
line with the current state of the art. Thus I think it would be reasonable to
sue a hardware manufacturer for a device made in 2007, still in service in
2017, which cannot be updated to have better password security than salted
MD5.

It of course goes without saying that things like default passwords
(admin:admin etc) should be considered outright unacceptable in any network-
enabled consumer device.

Obviously we can't hold device manufacturers liable forever, nor can we expect
NSA-proof levels of security, but I think it is reasonable to hold all
hardware to a standard of "basic competency" for at least 10 years from the
date of manufacture. The standard warranty period of 1-2 years is not
sufficient.

There is at the moment a serious risk/reward imbalance where it makes
financial sense to ship "features" (even if nobody asked for them) at the
expense of security, because the subsequent issues are someone else's problem.
This is bad for device owners and bad for society as a whole, since
compromised devices are commonly used for DDoS attacks, sharing child porn,
etc.

If device manufacturers knew there were serious financial consequences and
that all features must be kept secure for 10+ years, they would certainly be
more interested in making things modular and reducing potential attack surface
areas than they are now.

~~~
pdimitar
I agree 100% -- but you outlined the problem yourself by using the phrase
"suing the companies".

Consumers cannot and will not do that. It takes time, it takes money, and a
company can drag it on forever and just exhaust you financially or
psychologically. IMO the justice system's rules on "citizen vs. company" have
needed an overhaul, badly, for quite a long time now.

I should be able to call Samsung in court and have my interests protected in
one week. Does this happen right now? No. I can't see any hope for the future
in this regard.

There's no _real_ punishment for companies being sloppy. One might think the
capitalistic market would auto-correct things by people flocking to
competitors, right? But I find this to not be the case; as you and others in
this thread have pointed out, it's becoming harder and harder to buy non-smart
TVs. Every OEM seems to be in the same dirty bed with everybody else, and the
poor security becomes more and more excusable by "but everybody else does it
too!" with each passing day. And we as consumers practically have no choice.
You want the best picture quality on the market? Sorry, it comes with a lot of
software (requiring internet connection) that you never asked for and you
won't ever need.

Furthermore, governments are by default awfully incompetent to help with
issues like these. Even if we assume zero company lobbyists, most governments
simply have no idea what the problem is at all, let alone take any measures. I
hope I am wrong, though.

Sorry if this is too pessimistic but quite frankly, I can't see any reason for
hope at this point.

~~~
wernercd
> Consumers cannot and will not do that. It takes time, it takes money, and a
> company can drag it on forever and just exhaust you financially or
> psychologically.

Yeah... but large lawyer companies are more than willing to fight on the
behalf of consumers doing class action lawsuits for the little guy. On the
behalf of you and me.

As in, they be-having all the rewards after lawyer fees get paid on the win.

For reference, don't forget to get your $9 if you are a PS3 owner. (the
situations aren't the same... but it is an example of "That's not worth it for
'individuals' to sue... but big company gets sued and loses anyways)

[http://www.forbes.com/sites/davidthier/2016/06/22/lawsuit-so...](http://www.forbes.com/sites/davidthier/2016/06/22/lawsuit-sony-agrees-to-pay-playstation-owners-millions/#251308661835)

~~~
pdimitar
It's good to hear there are organizations fighting these good fights. ^_^

Which countries do they operate in?

~~~
wernercd
I assume they are everywhere, but this is just "standard operating procedure"
in the US.

Look up anything that happens to a group of people - PS3 features being
removed, salmonella in food, Microsoft forcing updates on Windows 10, Samsung
batteries exploding, etc.

Look for anything that's affected a lot of people... and then watch as a
lawyer or group of lawyers kicks up a class action lawsuit.

[https://topclassactions.com/lawsuit-settlements/open-lawsuit...](https://topclassactions.com/lawsuit-settlements/open-lawsuit-settlements/)

------
matt_wulfeck
The UI on smart TVs is so janky anyway. I can't stand to use it. I always leave
it unplugged from the net and use an Apple TV.

~~~
greggman
I recently got a Sony Bravia 4K HDR running Android TV. I would have preferred
a dumb TV but I've been pleasantly surprised so far.

It's got Chromecast built in which has been great at my last party (would like
to know how to bridge that to the guest network so I don't have to let users
on the main network).

Kodi installed from the Play store and works pretty well. A few HD movies can't
stream without skipping over the network from my NAS but I can also plug in an
HD directly to the TV as storage for Android.

Has built in DVR, just add an HD, which I did and have been using to grab a few
things.

Installed an AirPlay app which seems to work. Have used it from both my phone
and my Mac.

Netflix and YouTube work fine.

My original plan was to use it as a dumb TV and get a mac mini but Apple
hadn't updated it in years. Thought about getting a NUC but so far it's doing
everything I needed.

Was able to turn off all the ads by going to every app and turning off
notifications.

It's supposedly going to get an Android 6 update soon so we'll see if I still
like it then.

------
acd
Smart TVs should have open boot loaders allowing open operating systems and
then this would not be an issue. There should also be an HTTP boot firmware
recovery option.

Open operating systems can receive security updates by the community long
after the manufacturer has lost their interest in the device.

Should it even be called a "Smart TV" if it's hard to recover?

~~~
untog
IMO, smart TVs shouldn't exist. You should buy a dumb TV then plug in whatever
Chromecast, Roku, Amazon, Apple you want into it. Coupling the two together
just means the software gets outdated long before the hardware does.

Up until now I haven't really cared, since I ignore all the smart TV junk and
use my device anyway. But if it's going to start getting ransomwared no matter
what I do... just let me buy a dumb TV.

~~~
angry-hacker
What stops you from not connecting the device to the network in the first place?
Serious question, I haven't bought one yet but probably soon will have, because
there's no other choice.

~~~
izacus
Well, just like for many modern phone OSes (e.g. iOS in some cases), you're
not able to finish the setup wizard and start using it without connecting it
to the internet for initial activation.

~~~
teacup50
What manufacturers require internet activation? That's a non-starter for _any_
product I purchase.

~~~
izacus
I've seen a single Samsung TV up until now, but it was a rather uncommon
model. Luckily (FOR NOW!) the vast majority of TVs still work offline.

In the future this may change - at this point some Samsungs already overlay
their ads on volume change UI (and some other parts) to get additional
revenue. With such incentives, I'm worried just how long you'll be able to buy
a TV that can function offline.

------
21
In the near future someone will hack your shower, hold it for ransom and
demand $10 in bitcoin or else you'll have to go dirty and smelly to work.

More seriously, this is bad news for bitcoin. Governments will move in and
require tracking of all transactions.

~~~
drvdevd
Aren't they all already tracked on the public ledger?

If governments move in, it's my understanding that it would be at the points
of currency exchange.

------
walterbell
Buy a short-throw projector and connect an easily upgradable media device.

~~~
nommm-nommm
Projectors are nice if you have a huge blank wall. My TV needs to go off to
the side due to the layout of my living room; the fireplace is the focal point
of the room. In plenty of other rooms the TV has the best viewing angles from a
corner. They can't replace TVs in all situations.

(I also prefer the picture quality of my plasma TV over a projector... But
that's personal preference. Too bad plasma went the way of the dodo)

~~~
walterbell
In some cases, you can use a screen, even in a corner. But yes, projectors and
TVs have different roles, even if one of them is a privacy/security risk.

------
Tempest1981
> First, make sure your TV is always up to date.

I always cringe when I see this "simple solution" because A) I know so many
people who don't even know that updating their TV is a "thing", and B)
eventually we'll have more devices than we can keep track of, each requiring
weekly updates.

------
cletus
The solution here is pretty simple: just don't connect your "smart" TV to the
Internet.

Not only does this avoid malware/ransomware/becoming part of a botnet but it
also avoids the stupid pop ups about "The terms and conditions [something you
don't use, care about and probably didn't know existed] have changed.
<OK|Cancel>".

If you're using DVRs, STBs, etc you're getting the same effect.

Connecting to the Internet gains you nothing.

------
mnglkhn2
The case referenced in the story is about an old LG TV set that had the
Android OS for its "smarts". The question is what app the relative
downloaded, and from which app store? Also, this might explain why LG chose
to switch to webOS, where it could actually control how "smart" the TV could
get.

------
WalterBright
Sounds like a "factory reset" button for the TVs is all that is really
necessary.

------
nitrogen
A question regarding what to do about this problem:
[https://news.ycombinator.com/item?id=13348211](https://news.ycombinator.com/item?id=13348211)

------
xaduha
Somewhat related, look up SamyGo.

------
throwaway2359
Sorry if this is a really dumb question, but what exactly is the point of a
TV?

Is it for having a monolithic assemblage of computer monitor plus one-way
modem that only works for certain data content streams? Do people get
substantial price discounts by going the monolithic route rather than buy
these devices as separate interconnecting functions that can be independently
sourced for specific features and conveniently upgraded? What exactly is
motivating people to buy a TV other than being susceptible to advertising?

Obviously, I've never bought a TV hence asking this question. But I've had
friends who buy them, and although I've inquired about their purchase decision
making I've never received a reply other than "it was on sale last Black
Friday."

~~~
intopieces
>Is it for having a monolithic assemblage of computer monitor plus one-way
modem that only works for certain data content streams?

Yes. Most people do not care to assemble their own little batch of boxes and
cables just to make television happen. Most people would rather purchase a
unit that makes video play in the living room, because their lives are filled
with other things to do.

------
logicallee
Remember that this kind of ransomware is a pyramid scheme: if you pay it,
you're not really paying for your stuff back. You're paying to infect your
friends and other people. Who financed the attack on your stuff? Anyone who
paid the ransom previously.

Never pay a ransom. Turn the request over to the government:

the government _literally_ exists to assure rule of law.

If we were okay with a "might makes right" world, we wouldn't need government
or the rule of law. The government literally exists so this stuff doesn't
happen.

If you finance it, you're a criminal and a terrorist, and you are paying for
them to infect me. You are literally paying for cyber attacks. Not
metaphorically but in the most direct possible terms.

Don't do it. And if you're a criminal, don't develop it. I feel this is not
being stated clearly enough in these articles - the people developing it are
obviously talented engineers: they could be using their skills constructively.
It's important to make it very clear that what they're doing is wrong, and
supporting them is wrong. This isn't an optional thing. They need to stop
doing this, shut down their networks, and go do something constructive with
their skills. It's people's duty to let them know this, and to report these
things. It's a waste of everyone's time, especially theirs.

~~~
tekromancr
I'm not sure how effective asking criminals not to crime is going to be.

~~~
logicallee
Why not? Asking men not to rape reduces rape.

By the way it takes considerable intelligence and engineering skill to be
technically able to hold for ransom a device at a distance. I am certain that
these engineers are reading this comment.

I can easily consider that they did not even consider the ethical side in
evaluating the list of requirements and completing them. Articles which don't
call their attention to this don't help.

This isn't a nuisance: it's criminal behavior that needs to be reported to the
government, and never, ever paid for or encouraged. My grandparent comment got
downvoted heavily but I am keeping it. If you're a programmer who is doing
this, stop.

~~~
21
> If you're a programmer who is doing this, stop.

Wow, that's the solution we need. Telling criminals to "stahp" being
criminals.

~~~
wernercd
That's why Chicago is so safe. Because of all the laws making it harder to get
guns.

And why it's so hard to get drugs. Because of all the laws that say "You're a
bad person if you use Weed" and put people who deal with drugs into prison for
their first offense.

All we need to do is expand that mindset and we'll have no hackers before we
know it.

