July 1, 2014 1 Comment-
Kristian A. Bognaes, Director, Norman Safeground Development Center
– The month of June brought a couple of interesting stories that relate to hardware security from new angles. In addition, a very timely news item touching on privacy caught my eye – read on.
Smart TVs can be exploited
One product that has been going through many changes lately is the traditional living room TV. Not only are the TV manufacturers competing on providing the best and largest picture for the lowest price but also the TVs are getting ‘smart’. A trend now is to use a built-in computing platform to tie together the TV with the internet, and provide premium content through applications that run on the actual TV. Providers like Hulu, YouTube, Netflix and others are doing this. The traditional TV channel providers want to get in on the action and have introduced a system called ‘Hybrid Broadcast-Broadband Television’, or HbbTV for short. The idea is that the channels can provide digital interactive content to the viewer as part of the television program stream and the viewer can reply using the internet as an uplink. So far, it all sounds great. However, as a paper from researchers at the Columbia University Network Security Lab is showing, the television stream content may contain code that is executed by the television computer. The stream is not protected in any way, so an attacker can execute arbitrary code on the TV by replacing the data stream with his own using a transmitter and some easily available hardware. The paper will be presented at the USENIX symposium in August. Do not be surprised if your TV starts ‘liking’ YouTube videos on its own.
Electronic road signs
We have all seen the little portable information signs that road workers put up to tell you what’s up ahead. Those signs are sometimes messed with, and changing a display to warn of ‘zombies ahead’ can (apparently) be great fun. To do this, however, you would need physical access to the sign, which could sometimes be a challenge.
A news story in SecurityWeek this month talked about permanent road signs being changed along highways. Permanent signs do not have a local controller box that can be tampered with, so when these displays started showing silly messages, it was sign (no pun intended) that something more serious was going on. As it turns out, these signs are connected to private IP networks. The tampering was made possible by plain old port scanning, password cracking, and scripting. The perpetrator was located in a country far away. As with any other devices, the lesson is make sure to change any default passwords, close any unnecessary services, and implement strong authentication in your VPN. The traveling public needs a system they can trust, in case real zombies become a problem one day.
Fitness apps and privacy
Finally, a story about fitness apps appeared many places this month. Applications to keep track of your workouts, diet, age, weight etc. are abundant, many of them storing the data on central servers in ‘the cloud’. As it turns out, this data is often being shared with others. An official on patients’ privacy stated that these apps have the potential to be a ‘privacy nightmare’. Imagine how valuable such data would be to companies marketing health-related products, not to mention insurance companies. My recommendation this month is to use fitness apps that store data locally only. Also, make sure you read the license agreement before using such apps, to make sure that your health data is not being spread to others.
Norman Safeground Blogs Archive