Roku, Samsung devices vulnerable to hackers
Hackers can potentially gain control of millions of popular Roku streaming media devices and Samsung smart TVs by exploiting “easy-to-find” security flaws, according to a report published Wednesday by Consumer Reports magazine.
Security researchers for the magazine, published by the nonprofit Consumers Union, found the vulnerabilities affect smart TVs made by Samsung and models made by China’s TCL that include Roku’s streaming media technology.
In addition, the magazine said the flaw affects the popular stand-alone streaming media devices made by Roku, which is based in Los Gatos.
The security flaws do not allow a computer hacker to spy on or steal information from the device’s owner, the researchers concluded.
“We found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume, which might be deeply unsettling to someone who didn’t understand what was happening,” they wrote. “This could be done over the Web, from thousands of miles away.”
Roku said that it “enables third-party developers to create remote control applications that consumers can use to control their Roku products. This is achieved through the use of an open interface that Roku designed and published. There is no security risk to our customers’ accounts or the Roku platform with the use of this (interface).” People can turn the feature off on their Roku player or Roku TV, the company said, adding that “any characterization of this feature as a security vulnerability is inaccurate.”
Representatives from Samsung did not immediately respond to The Chronicle’s request for comment Tuesday. Samsung, in an email to the magazine, said the company was still evaluating the issue and would update its technology to address “less severe” problems uncovered by Consumer Reports.
“We appreciate Consumer Reports’ alerting us to their potential concern,” the Samsung statement said.
The magazine said it tested several brands of smart TVs, including Sony and LG, but found the exploitable vulnerability only in sets made by Samsung and TCL. The vulnerability in the TCL model applied to all devices running Roku’s TV operating system, which included sets made by Hisense, Hitachi, Insignia, Philips, RCA and Sharp. The flaw was also found in Roku’s Ultra and other streaming media players.
Researchers were able to remotely “pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content or kick the TV off the Wi-Fi network,” the report said. “The exploits didn’t let us extract information from the sets or monitor what was playing. The process was crude, like someone using a remote control with their eyes closed. But to a television viewer who didn’t know what was happening, it might feel creepy, as though an intruder were lurking nearby or spying on you through the set.”
The magazine said activating the flaws requires the TV or Roku device’s owner to first become the victim of a phishing attack.
Roku owners would have to be using a phone or laptop connected to the same Wi-Fi network as the TV. Owners would also have to download an app containing malicious code, which could happen if they also fell for a phishing email or visited a suspicious website.
The security flaw in Samsung TVs was “harder to spot,” the magazine said. The TV could become vulnerable only if the owner had previously used “a remote control app on a mobile device that works with the TV” and then opened a malicious website with that device.