Peter A Clarke

Ars Technica reports in Philips Smart TVs wide open to Gmail cookie theft, other serious hacks regarding serious security flaws that could allow hackers to  steal information from attached USB sticks and pilfer authentication cookies which could give them access to viewers’ online accounts.

It provides:

Internet-connected TVs manufactured by Philips running the latest firmware update are wide open to browser cookie theft and other serious attacks by hackers within radio range, a security researcher has warned.

The hacks work against Philips Smart televisions that have a feature known as Miracast enabled, Luigi Auriemma, a researcher with Malta-based ReVuln (Twitter handle @revuln), told Ars. Miracast allows TVs to act as Wi-Fi access points that nearby computers and smartphones can connect to so their screen output can be displayed on the larger set. The hacking vulnerability is the result of a recent firmware update that allows anyone within range to connect to the TV, as long as they know the hard-coded authentication password “Miracast.”

Once someone has connected to the Miracast-enabled Wi-Fi network, they can use publicly available software to download any personal files that may be contained on USB drives plugged in to the Philips Smart TV. More troubling, connected devices can steal the highly sensitive browser cookies that many websites rely on to authenticate users when they access their private accounts.

In a video posted Wednesday, Auriemma showed how authentication cookies for valid Gmail accounts were siphoned off a Philips TV running the latest firmware. The video also demonstrated how videos, images, and other data stored on a USB drive connected to the TV can also be accessed. The theft took seconds to carry out, and there was no visible indication to an end user that anything was amiss.

In addition to cookie and file theft, Auriemma’s hack makes it possible for nearby attackers to carry out a variety of mischievous pranks. Imagine the horror of an unsuspecting user with a living room full of guests as she discovers her TV is suddenly and inexplicably displaying porn or other content that not everyone in attendance considers appropriate. Hackers could also change channels, mute or unmute the sound, or control any number of other functions of the TV in real time, with no clear indication to casual users how it’s happening.

The proof-of-concept attack is the latest to underscore the risks of so-called Internet-of-things capabilities, which transform thermostats, LED light bulbs, baby monitors, and, yes, TVs into networked appliances with the ability to send and receive commands and other data. Adding computing and networking capabilities to everyday devices shouldn’t automatically be dismissed as risky, but consumers have plenty of reason to be wary. After all, if Microsoft, Apple, and other companies with huge security teams regularly struggle to make their products safe, what reason is there to trust companies that are new to network security?

Remarkably, the vulnerability in the Philips TVs was introduced in a firmware version released in December. Auriemma has since confirmed that the vulnerability exists in the current firmware, version QF2EU-0.173.46.0, when it runs on model 55PFL6008S TVs. Beginning with the December update, there was no way for users to change the hard-coded password that nearby devices must have to access the Miracast network. He said he believes all 2013 Smart TV models from Philips are also at risk because they use the same susceptible firmware.

It shouldn’t be hard for Philips to release a new version that restores authentication to Miracast, and that will go a long way to preventing untrusted people from accessing owners’ sets. But even then, Auriemma said the firmware contains what’s known as a directory traversal vulnerability. It’s the bug that actually makes the file theft possible, and it has been public knowledge for at least six months. For the time being, it may make more sense not to use Miracast at all.