Security in a connected TV world

Sitting in my inbox, I have a press release from one of the companies that makes TV middleware – that’s the stuff that typically does things like the interactive services, and increasingly provide access to online content, like iPlayer, LoveFilm and other material.

I’ve been thinking about what, if anything to write about it. On the face of it, their press release struck me as containing a certain amount of FUD: it essentially said that they’d included protection against viruses in their middleware, so TVs that used it would be better protected on the internet. And yes, while there might be a theoretical possibility, is it really that great? After all, what could a virus on your TV do? Force you to watch Corrie instead of Eastenders?

There are probably more important things to worry about and so, beyond chatting about it with a couple of more knowledgeable people, I put it to the back of my mind. But, following the news of the hacking of the Sony PlayStation Network, I think it’s worth revisiting.

Attacking your TV

First, it’s worth considering exactly how a connected TV works. They’ll all be slightly different, but I’ll take Panasonic’s VieraCast as an example, partly because I have one myself, but also because there’s information about there about how it works, notably here.

Essentially, when you press the VieraCast button, the set goes to a specific URL, and fetches the main page, and there’s not much in the way of security involved. Does that make it a big issue? Well, not really. In theory, if you could hijack the DNS servers, either on a widespread scale or just on a user’s home network, you could make the TV fetch content from a different site. And perhaps that content could ask people for credit card info, and some of them might enter it.

But that’s not hacking or infecting the TV, really – you’d have to attack the internet infrastructure, or a user’s home network. And if you’re attacking someone’s network, you’ll probably find richer pickings on the PC than you will by trying to work out which brand of connected TV they might have and how to subvert it.

Despite what the press release claimed, I’ve not yet seen a connected TV that actually has important information stored in it, like credit card details. My VieraCast set has my YouTube login, sure, but that’s not going to be much use to anyone. One friend’s TV offers them LoveFilm, but the only identifying information the TV has to know is a long number that’s obtained from the web site – again, no credit card details stored on the TV.

And I think it’s pretty unlikely anyone’s going to suggest your TV does store that. Of course, there is a theoretical risk – and people who know more about this stuff than I do tell me that there’s very little in the way of security included in the specifications for services like HbbTV, or many of the manufacturer portals. And yes, that should probably be addressed.

The PlayStation attack

With many of these services at a relatively young age, in fact, I think now might be the time for some of those working on them to go back and look at how security can be beefed up – but not just in the connected devices like TVs and set top boxes that will be becoming increasingly prevalent over the next couple of years.

The full details of how the Sony PlayStation Network were hacked aren’t available, and may never be – but clearly a lot of personal information has been obtained, for more people than live in the whole of the United Kingdom.

There’s no excuse for not securing your own PC with firewalls, and anti-virus software, but the Sony hack should remind us all that the richest pickings will seldom be found by attacking lots of individual computers. They’ll come from companies like Sony, or TJX (owners of TJ Maxx) – formerly believed to be the biggest hack ever, at a mere 45 million users – who have lots of data gathered in one place, and not properly secured.

Mostly forgotten amidst all the fuss over the PlayStation Network is that Sony’s Qriocity streaming service has also been affected by this hack. It provides streaming music, videos and feature films to Bravia TVs and Blu-ray players. It’s fairly new, and given the lack of fuss, I suspect not that widely used – if you’re in the US and want streaming films, the name you look for is NetFlix, while in the UK it’s LoveFilm.

But, I do wonder if the scale of the problems with the PlayStation Network will have a knock on effect on people’s willingness to use online entertainment services. It’s received much press coverage and I suspect that for an awful lot of people, it’s been their first encounter with entertainment of any sort delivered over the internet. For it to have such a spectacular security failure surely can’t be good for consumer confidence.

After Sony

In the UK, internet entertainment is still pretty young, at least in terms of paid services. It’s growing, as more people produce TVs with LoveFilm, and services like YouView will provide access to even more paid content. Across Europe HbbTV is being deployed alongside other platforms from TV manufacturers.

Some of these services are more mature than others – we’re unlikely to see anything with a YouView badge for some months yet, for instance. But I think they could all do with taking some time to consider security issues.

The potential of attacks on your TV itself is still, I think, a pretty slim chance – but that doesn’t mean that manufacturers shouldn’t stop and think about how they can make sure their systems are more robust.

The groups creating standards like HbbTV should perhaps take time to see how they can be updated to increase security – hopefully in ways which can be implemented via software updates to equipment that’s already deployed.

And, given that what seems to have happened with PlayStation Network was a problem with the service provider not taking decent security precautions, perhaps there’s also a need for more transparency, or information about compliance to be made available.

Would it be a good idea, for instance, if YouView were to have a requirement that services available via its platform never stored billing data in unencrypted form? And if encrypted connections were mandatory for transferring personal information between the box and the remote servers?

Some people might say “Won’t that lock out smaller players? Or introduce compliance requirements? And you can never be 100% secure anyway.” Yes, all that is correct. But I still think that any connected TV or online entertainment service that wants to be sure it has the confidence of customers should be thinking long and hard about how they can avoid the mistakes made by Sony, and make sure that their customers know they take these things seriously.

Connected TV platforms are still young, and deployed in relatively small numbers. It’s far better to address the question of security now than to wait until there are tens of millions of TVs and set top boxes, running on platforms that could have been made more secure.

4 Replies to “Security in a connected TV world”

  1. This is something that I highlighted some time when it appeared in the press (link below) ago as it was clearly an issue from the very start of interactive television and connected devices using the Internet and WWW as a secondary transmission path. The DVB looked at this in the DVB-GEM spec and has a clear security framework that considers these issues. HbbTV is a very weak offering and what on earth would we want to see Firewalls and Virus Software on TVs for…We are really heading in the wrong direction!

    The Internet has proven itself fragile for data let alone television with computer viruses and malware in abundance yet the industry forges ahead regardless.

    http://tvangelist.wordpress.com/?p=299

    History Repeating Itself

    * 1995 WebTV Founded based on HTML (failed)

    * 1998 (ATSC) HTML is a poor environment for television (really?)

    * 2000 Major goals of “ATVEF” was to create a specification that relies on existing and prevalent standards (HTML/JS) (failed)

    * 2002 Broadcast HTML was created from ATSC-related work to develop the DTV Application Software Environment (DASE) (failed)

    * 2006 The DVB-PCF embodies a high-level declarative model that is based on industry standard formats, including XML syntax, MIME types and UML (failed)

    * 2009 TV manufacturers bet on WEB TV with CE-HTML (?)

    * 2011 Sony Games Network and OTT TV Services Hacked and Millions of Personal Data including Credit Card Details Stolen

  2. My first thought when I saw the press release from a company trumpeting their anti-virus for TV middleware is probably not printable. And as you say, it’s rather going in the wrong direction.

    A TV is not a general purpose computer, and we shouldn’t be trying to make it into one. And rather than trumpeting “our middleware includes anti-virus functionality” it would be better, surely, to design things from scratch to be more secure.

    I wonder if some of these issues are arising because companies see connected TV as a chance to become the gatekeeper; when the emphasis is on providing extra features to tick boxes for the marketing department with each product cycle, and on trying to position the manufacturer as the one who’s operating the platform, rather than a cable co, then the temptation to create something of your own, and tie people to your brand may well be enough to make other considerations secondary.

    That’s not a position I condone, of course, but it’s all too easy to see how it happens. Security isn’t terribly sexy to consumers – or hasn’t been until now, and engineering often seems to be driven less by engineers than by marketing.

  3. I heard about anti virus middleware and found it somewhat perplexing as to how it would be of any use. Unless there are known signatures for real TV or STB viruses then what will the AV software look for?

    Regarding security of Connected TV devices, I think there may be a need for some kind of security testing as part of device qualification. For example YouView could require a device to pass a series of hack attempts such as buffer overruns, malformed content, etc. Should a compromise happen it could be analysed and the techniques used be incorporated into security testing for new device qualification.

    The juiciest targets for hackers will remain the service providers themselves as they store more personal details and once in, you are free to harvest as much information as you want until you are cut off.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.