
SoylentNews is people

posted by Fnord666 on Thursday June 20 2019, @12:57PM
from the at-least-the-TVs-are-smart dept.

Submitted via IRC for Bytram

Samsung asks users to please virus-scan their TVs

Yesterday on Twitter, Samsung's US support team reminded everyone to regularly—and manually—virus-scan their televisions.

Samsung's team followed this up with a short video showing someone in a conference room going 16 button-presses deep into the system menu of a Samsung QLED TV to activate the television's built-in virus-scan, which is apparently "McAfee Security for TV."

Unsurprisingly, Samsung got immediate pushback on these tweets and almost as immediately deleted them.

This may raise some questions about Samsung's practices and what we as consumers should be expecting of modern devices. The fact that Samsung's malware scanner is McAfee (and that McAfee's only customer for the service is apparently Samsung) raises questions about the real value and intent of the service: is Samsung paying McAfee for what has to be a pretty trivial application, or is McAfee paying Samsung for brand promotion? But even if we skip the brand-related cynicism and take the concept at face value, we are left with a few questions.

Ars reached out to Samsung with the questions below, but the below statement the company provided didn't answer them. The following statement is attributed to Samsung:

Samsung takes security very seriously and our products and services are designed with security in mind. We recently shared information about one of the preventative security features on our Smart TVs, in order to show consumers proactive steps they can take on their device. We want to clarify that this was simply a way to educate consumers about one of the features included in our products and was only posted because we believed that consumers would find it informative.

[...] The best way to keep your big, expensive smart TV safe is never to allow it access to your network in the first place. The consumer electronics space is packed chock-full with inexpensive, high-quality streaming devices that typically have better interfaces and more options than most smart televisions anyway. Roku and Amazon 4K-streaming players both start at less than $50; in the unlikely event one of those becomes compromised, "recycle the bad one and buy a new one, probably from a competing brand" seems like a perfectly reasonable response.


  • (Score: 5, Informative) by NotSanguine on Thursday June 20 2019, @02:59PM (8 children)

    Some minimal research
    https://duckduckgo.com/html?q=which%20devices%20support%20HEC [duckduckgo.com]
    https://duckduckgo.com/html?q=HEC%20cables [duckduckgo.com]
    https://duckduckgo.com/html?q=HDMI%20HEC%20security%20considerations [duckduckgo.com]
    https://duckduckgo.com/html?q=hdmi%20hec%20ip%20forwarding [duckduckgo.com]

    allows me to draw a couple of conclusions:
    1. Unless each connected device supports HDMI HEC, there is no ethernet connectivity;
    2. Unless every HDMI cable supports HEC, there is no ethernet connectivity

    Since (AFAICT) very few devices support HEC, risk is limited there. What's more, risk can be *eliminated* by using HDMI cables which do not support HEC, regardless of device capabilities.

    I'm absolutely not saying that there are no security issues WRT HDMI HEC. Just the opposite, in fact. However, such risks can be mitigated and/or protected against with minimal effort.

    Running all your HDMI through a receiver that doesn't support HEC (as I do) is a good start. Ensuring that the cables connected to a device with Internet access (like a DVR or laptop) don't support HEC (as I also do) will eliminate that threat completely.

    That's not to say there won't be additional risk as more manufacturers start supporting HEC, but given that they haven't done so in the more than a decade since HEC was standardized is telling.

    AFAICT, most manufacturers rely on Wifi or direct wired ethernet connectivity, which is easily disabled. All the same, making sure that at least one link in the chain (HDMI cables or devices) doesn't support HEC will eliminate the threat.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 0) by Anonymous Coward on Thursday June 20 2019, @04:32PM

    by Anonymous Coward on Thursday June 20 2019, @04:32PM (#858031)

    I think you did a good job of outlining those points. It seems like a good solution conceptually but if put in place without regard to the details you mentioned it might not have the desired prophylactic effect.

  • (Score: 3, Interesting) by krishnoid on Thursday June 20 2019, @07:20PM (6 children)

    by krishnoid (1156) on Thursday June 20 2019, @07:20PM (#858142)

    AFAICT, most manufacturers rely on Wifi or direct wired ethernet connectivity, which is easily disabled.

    I just hope Samsung doesn't make a deal with Comcast to let them connect to any available Xfinity WiFi hotspot [xfinity.com], in which case you'll just hop over to your neighbor. I'm thinking I'd prefer a foil patch over the antenna or something involving a screwdriver. Helpful info, though.

    • (Score: 5, Insightful) by NotSanguine on Thursday June 20 2019, @07:39PM (5 children)

      I just hope Samsung doesn't make a deal with Comcast to let them connect to any available Xfinity WiFi hotspot [xfinity.com], in which case you'll just hop over to your neighbor. I'm thinking I'd prefer a foil patch over the antenna or something involving a screwdriver. Helpful info, though.

      Is it just me, or is it sad and scary that coming up with a scenario like that isn't all that far-fetched?

      Sigh.

      In ten years (or however long it may be) when I purchase another television, I guess I'll need to do the sort of risk assessment I'd normally do for enterprise-grade networking equipment.

      Surveillance capitalism is a disgusting tumor on society.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
      • (Score: 3, Informative) by MostCynical on Thursday June 20 2019, @11:22PM (4 children)

        by MostCynical (2589) on Thursday June 20 2019, @11:22PM (#858291) Journal

        Running your own router, take care configuring firewall rules, use custom iptables etc..
        Ensure your wifi is running "properly" secured..

        The challenge then is to find all the aerials inside the tv or other set top box, to ensure they can't connect to any other wifi or 3G/4G/5G networks..

        Only to get an error message and a device that refuses to boot when it can't phone home..

        --
        "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
        • (Score: 2) by NotSanguine on Friday June 21 2019, @02:24AM (3 children)

          Running your own router, take care configuring firewall rules, use custom iptables etc..
          Ensure your wifi is running "properly" secured..

          The challenge then is to find all the aerials inside the tv or other set top box, to ensure they can't connect to any other wifi or 3G/4G/5G networks..

          Only to get an error message and a device that refuses to boot when it can't phone home..

          Fortunately, those spying scumbags at Vizio didn't put xG into the TV I have. So I just give it a static IP address via the wired LAN and do egress filtering on it. Fortunately, there's no open Wifi in range. And I blackhole all the DNS names it tries to resolve as well.

          But as I said, it's sad and a little horrifying that I even need to worry about this stuff. It's not a big deal for me, as I'm a networking and InfoSec guy. But it's really bad news for most folks.

          More's the pity.

          --
          No, no, you're not thinking; you're just being logical. --Niels Bohr
          • (Score: 2) by MostCynical on Friday June 21 2019, @03:19AM (2 children)

            by MostCynical (2589) on Friday June 21 2019, @03:19AM (#858413) Journal

            "Most folks" just don't care.
            Cf. articles on SN over the last year and more about insecure IoT devices, spyware on phones, etc, etc..

            Worse, they see people who do care as loonies.

            --
            "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
            • (Score: 2) by NotSanguine on Friday June 21 2019, @04:20AM (1 child)

              Worse, they see people who do care as loonies.

              You don't have to tell me. I've tried to explain this stuff to my family members. My generation listens respectfully, then looks and says, "Sure, NotSanguine. I totally get it," and then looks at me as if I'm an idiot. The younger generation does the same, except they say, "I know, Uncle NotSanguine. But that's how it is, so who cares?"

              The strangest part about it is that they all call me NotSanguine, which isn't even my real name. Creepy.

              And it's not like these folks are ignorant or uneducated either. They all have at least a bachelor's and at least half have advanced degrees. A bunch are software devs and engineers, too.

              So I've stopped talking about it with them. It's no skin off my nose.

              But more's the pity.

              --
              No, no, you're not thinking; you're just being logical. --Niels Bohr
              • (Score: 2) by MostCynical on Friday June 21 2019, @04:36AM

                by MostCynical (2589) on Friday June 21 2019, @04:36AM (#858424) Journal

                The best response I have had is "so what?"

                Humans are crap at risk assessment, if it isn't about immediate threat of being eaten.
                Evolution hasn't caught up with the last 200 years of technology (yet?)

                --
                "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
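
Added example, not part of the thread or any commenter's own setup: one way to build the DNS blackhole list NotSanguine describes above, by reading which names the TV's static IP asks the local resolver for. It assumes a dnsmasq resolver with query logging enabled; the IP address, hostnames and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed dnsmasq "log-queries" lines; every name and address is made up.
SAMPLE_LOG = """\
Jun 21 02:10:01 dnsmasq[812]: query[A] telemetry.tv-vendor.example from 192.168.1.50
Jun 21 02:10:01 dnsmasq[812]: query[AAAA] telemetry.tv-vendor.example from 192.168.1.50
Jun 21 02:10:05 dnsmasq[812]: query[A] ads.tv-vendor.example from 192.168.1.50
Jun 21 02:10:07 dnsmasq[812]: query[A] soylentnews.org from 192.168.1.20
Jun 21 02:10:09 dnsmasq[812]: forwarded ads.tv-vendor.example to 9.9.9.9
Jun 21 02:10:12 dnsmasq[812]: query[A] Time.TV-Vendor.example. from 192.168.1.50
Jun 21 02:10:15 dnsmasq[812]: query[A] bad/name from 192.168.1.50
"""

QUERY_RE = re.compile(r"query\[[A-Z0-9]+\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$")
# Conservative hostname check: a logged name is untrusted input and must not be
# able to break out of the "address=/name/addr" syntax (e.g. by containing "/").
HOSTNAME_RE = re.compile(r"^[a-z0-9_]([a-z0-9_.-]{0,251}[a-z0-9_])?$")


def names_queried_by(log_text, client_ip):
    """Count the well-formed names one client (the TV's static IP) asked for."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line.strip())
        if not m or m.group("client") != client_ip:
            continue
        name = m.group("name").rstrip(".").lower()
        if HOSTNAME_RE.match(name):
            counts[name] += 1
    return counts


def blackhole_config(counts, allow=()):
    """Emit dnsmasq address= lines that answer each name with a null address."""
    allowed = {a.lower() for a in allow}
    lines = []
    for name in sorted(set(counts) - allowed):
        lines.append(f"address=/{name}/0.0.0.0")  # A queries
        lines.append(f"address=/{name}/::")       # AAAA queries
    return lines


if __name__ == "__main__":
    tv = names_queried_by(SAMPLE_LOG, "192.168.1.50")  # assumed static IP of the TV
    print("\n".join(blackhole_config(tv, allow=["time.tv-vendor.example"])))
```

The generated `address=` entries also cover subdomains and apply to every client of that resolver, not only the TV. They only hold if the egress filter also stops the TV from reaching any other DNS server.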