Streaming TV has been a boon for consumers. Programming is everywhere, right at our fingertips, as soon as we get our screens online. But that connectivity comes with a big risk: wherever there’s an internet connection, there’s a possibility for bad guys to show up. And now they are showing up in the real world, holding TV sets hostage with ransomware and demanding cash to let you access your own stuff.
It’s basically a looming disaster waiting right at the nexus where two worrisome trends meet.
First: Many of the things that make up the so-called Internet of Things are infamously, woefully vulnerable and insecure. It’s a big enough problem that the FTC is now running a $25,000 contest to see if someone can help make it better. Criminals who want to launch traffic-based attacks are already looping “smart” devices into their botnets by the millions, mainly because they can.
A whole pile of increasingly common consumer items, from dishwashers to toasters, now ships with some kind of internet connectivity built in. For a huge percentage of those items, either the software that runs them is out-of-date and vulnerable before you even get your hands on it, or else the default password is hard-coded, absent, or easy to guess. Or both. It adds up to a giant, easily-accessed web of stuff out there in the world that basically any hacker with time and know-how can manipulate.
The second trend: The spread of ransomware, which has been on the rise for phone and PC users for a few years now. That’s malicious software that doesn’t just access your private data to use, sell, or exploit; instead, it locks it up and charges you for the key. It’s a form of extortion: if you don’t pay up the requisite sum (usually in bitcoin) by the stated deadline, then your personal data is either deleted forever or exposed to the whole, seedy world.
Ransomware hits everyone, everywhere. It’s common to find on the web, when otherwise-legitimate sites have their ad-serving software go bad or deliver malicious ads. Apple users are not immune, and it has hit systems as large as the San Francisco transit system. Hospitals, in particular, get slammed with ransomware attacks surprisingly regularly.
Now add to those two trends the existence of smart TVs: insecure, likely not-updated devices hanging out in your living room, that can do the things you want but annoy you when they don’t work, and you’ve got the problem we’re starting to face today.
Back in 2015, one Symantec employee described how quickly he was able to find a brand-new TV filled up with ransomware. That TV, he explained, came with a preinstalled gaming portal, where you can select and install games.
But that connection wasn’t encrypted, meaning basically any man-in-the-middle type attacker can hope into the request and redirect the user to install malicious software instead. The TV the Symantec employee was testing with was running Android-based software, and so Android-based ransomware worked, displaying a ransom note on the screen and rendering the set unusable.
In recent weeks, we’ve seen a real-world case of exactly that. One software developer, Darren Cauthon, shared the story on Twitter.
It began, Cauthon said, when a member of his family downloaded an app for watching movies on the family’s LG smart TV. Shortly thereafter, the TV rebooted — and was being held ransom for $500.
Since 2015, LG has used a different operating system for its devices, called WebOS. But at the time Cauthon’s family got their TV, LG was still using Android-based software. And so their TV was rendered useless by a variant on common Android malware that first started being seen on phones in 2015.
The nice thing about a TV is that it probably isn’t holding a whole lot of data you can’t bear to live without. Your phone has passwords, photos, and other sensitive, personal information on it. A hospital’s computer network has vital, impossible-to-recreate patient data on it. But a TV is mostly just letting you log into accounts that store whatever history and payment information you have on them elsewhere anyway, so one set — or a factory reset on your existing one — is as good as another, unless you’ve connected a USB stick or external hard drive to it for accessing personal files.
But there was another catch: LG doesn’t publicly share the steps to factory resetting its devices. So Cauthon contacted LG for support and was told that he could bring it to a service center where, for $340, an employee would run a factory reset.
As you can currently buy a brand-name 40″ HD smart TV for less than $400 online, that did not strike him as a particularly good deal. So he eventually talked LG into sharing the process for booting the TV into recovery mode with him — which he then uploaded to YouTube for others to follow.
Cauthon’s story, then, ended well. But his family, as PC World notes, was lucky: as a software engineer, Cauthon was comfortable with messing around in the virtual guts of his Android-powered TV in order to repair it (once he knew how to get there). And the malware that infected the TV only locked the screen and prevented functions from being accessed; it didn’t encrypt or delete any files.
But unfortunately, he’s not alone. While Cauthon’s tale of woe seems to be the first known case of TV-bricking ransomware in the U.S., such attacks are on the rise elsewhere. As Infosecurity Magazine reports, Japanese consumers are being particularly hard hit. In 2016, Japan saw a “spike” in ransomware attacks on TVs, the magazine reports. Over 300 TV-based attacks were reported in that nation over the course of the year — and the more people that get hit, the higher a chance that some of them will pay up because they don’t see any other choice.
The good news is, consumers can protect themselves in a few ways.
First, make sure your TV is always up to date. You can search for the make and model and in many cases, find manufacturer directions for updating your set as needed. (LG’s support page on the topic, for example.)
Second, be very, very careful about what you download to your sets. Stick with reputable sources and known apps and if anything seems fishy, just… don’t.
And third, make sure you always have your personal files backed up somewhere recently. That way if someone threatens to delete them, you may just be able to call their bluff.
Was this helpful? We’re a non-profit! You can get more stories like this in our twice weekly ad-free newsletter! Click here to sign up.