A researcher with security firm ReVuln claims to have found a way to exploit these Samsung TVs when they are connected to the Internet, allowing him the same access the in-room user has to the TV and any connected USB drives.
“At this point the attacker has complete control over the device,” he tells Ars Technica about the hack. “So we are talking about applying custom firmwares, spying on the victim if camera and microphone are available, stealing any credential and account stored… on the device, using his own certificates when accessing https websites, and tracking any activity of the victim (movies, photos, music, and websites seen) and so on. You become the TV.”
Sure, you may not have anything embarrassing or sensitive connected to your TV, but the growing number of apps for viewing photos and externally-stored video means that people are indeed plugging in USB drives to their sets. As the video below shows, anything on that USB drive is now fair game to the hacker.
“A common device like a TV can be used for monitoring people and stealing information,” says the researcher. “In this situation it doesn’t matter if the TV is reachable by the Internet or not because the attacker has a specific selected target: a person at home or a company.”