Sitting in my inbox, I have a press release from one of the companies that makes TV middleware – that’s the stuff that typically does things like the interactive services, and increasingly provide access to online content, like iPlayer, LoveFilm and other material.
I’ve been thinking about what, if anything to write about it. On the face of it, their press release struck me as containing a certain amount of FUD: it essentially said that they’d included protection against viruses in their middleware, so TVs that used it would be better protected on the internet. And yes, while there might be a theoretical possibility, is it really that great? After all, what could a virus on your TV do? Force you to watch Corrie instead of Eastenders?
There are probably more important things to worry about and so, beyond chatting about it with a couple of more knowledgeable people, I put it to the back of my mind. But, following the news of the hacking of the Sony PlayStation Network, I think it’s worth revisiting.
Attacking your TV
First, it’s worth considering exactly how a connected TV works. They’ll all be slightly different, but I’ll take Panasonic’s VieraCast as an example, partly because I have one myself, but also because there’s information about there about how it works, notably here.
Essentially, when you press the VieraCast button, the set goes to a specific URL, and fetches the main page, and there’s not much in the way of security involved. Does that make it a big issue? Well, not really. In theory, if you could hijack the DNS servers, either on a widespread scale or just on a user’s home network, you could make the TV fetch content from a different site. And perhaps that content could ask people for credit card info, and some of them might enter it.
But that’s not hacking or infecting the TV, really – you’d have to attack the internet infrastructure, or a user’s home network. And if you’re attacking someone’s network, you’ll probably find richer pickings on the PC than you will by trying to work out which brand of connected TV they might have and how to subvert it.
Despite what the press release claimed, I’ve not yet seen a connected TV that actually has important information stored in it, like credit card details. My VieraCast set has my YouTube login, sure, but that’s not going to be much use to anyone. One friend’s TV offers them LoveFilm, but the only identifying information the TV has to know is a long number that’s obtained from the web site – again, no credit card details stored on the TV.
And I think it’s pretty unlikely anyone’s going to suggest your TV does store that. Of course, there is a theoretical risk – and people who know more about this stuff than I do tell me that there’s very little in the way of security included in the specifications for services like HbbTV, or many of the manufacturer portals. And yes, that should probably be addressed.
The PlayStation attack
With many of these services at a relatively young age, in fact, I think now might be the time for some of those working on them to go back and look at how security can be beefed up – but not just in the connected devices like TVs and set top boxes that will be becoming increasingly prevalent over the next couple of years.
The full details of how the Sony PlayStation Network were hacked aren’t available, and may never be – but clearly a lot of personal information has been obtained, for more people than live in the whole of the United Kingdom.
There’s no excuse for not securing your own PC with firewalls, and anti-virus software, but the Sony hack should remind us all that the richest pickings will seldom be found by attacking lots of individual computers. They’ll come from companies like Sony, or TJX (owners of TJ Maxx) – formerly believed to be the biggest hack ever, at a mere 45 million users – who have lots of data gathered in one place, and not properly secured.
Mostly forgotten amidst all the fuss over the PlayStation Network is that Sony’s Qriocity streaming service has also been affected by this hack. It provides streaming music, videos and feature films to Bravia TVs and Blu-ray players. It’s fairly new, and given the lack of fuss, I suspect not that widely used – if you’re in the US and want streaming films, the name you look for is NetFlix, while in the UK it’s LoveFilm.
But, I do wonder if the scale of the problems with the PlayStation Network will have a knock on effect on people’s willingness to use online entertainment services. It’s received much press coverage and I suspect that for an awful lot of people, it’s been their first encounter with entertainment of any sort delivered over the internet. For it to have such a spectacular security failure surely can’t be good for consumer confidence.
After Sony
In the UK, internet entertainment is still pretty young, at least in terms of paid services. It’s growing, as more people produce TVs with LoveFilm, and services like YouView will provide access to even more paid content. Across Europe HbbTV is being deployed alongside other platforms from TV manufacturers.
Some of these services are more mature than others – we’re unlikely to see anything with a YouView badge for some months yet, for instance. But I think they could all do with taking some time to consider security issues.
The potential of attacks on your TV itself is still, I think, a pretty slim chance – but that doesn’t mean that manufacturers shouldn’t stop and think about how they can make sure their systems are more robust.
The groups creating standards like HbbTV should perhaps take time to see how they can be updated to increase security – hopefully in ways which can be implemented via software updates to equipment that’s already deployed.
And, given that what seems to have happened with PlayStation Network was a problem with the service provider not taking decent security precautions, perhaps there’s also a need for more transparency, or information about compliance to be made available.
Would it be a good idea, for instance, if YouView were to have a requirement that services available via its platform never stored billing data in unencrypted form? And if encrypted connections were mandatory for transferring personal information between the box and the remote servers?
Some people might say “Won’t that lock out smaller players? Or introduce compliance requirements? And you can never be 100% secure anyway.” Yes, all that is correct. But I still think that any connected TV or online entertainment service that wants to be sure it has the confidence of customers should be thinking long and hard about how they can avoid the mistakes made by Sony, and make sure that their customers know they take these things seriously.
Connected TV platforms are still young, and deployed in relatively small numbers. It’s far better to address the question of security now than to wait until there are tens of millions of TVs and set top boxes, running on platforms that could have been made more secure.
