Anything you pay for can and will be used against you. When smart TVs get too smart
Samsung has recently announced that they can now block their smart TV devices. The company has developed the TV Block technology — a remote security solution. It cross-checks the serial number of every connected device with a list of serial numbers of devices that had been stolen or bought in some improper way. This is designed to reduce device theft, as the company claims, so that only the rightful owner would be able to use the TV.
All this seems quite reasonable at first sight: Samsung gives the impression of a company that cares about its users, and it even sells this feature as a competitive advantage. We, however, see it as part of a growing trend: vendors gain more and more control over the devices they sell and more ways to interfere with how these devices operate.
Besides, it is not clear what happens to a bona fide purchaser of a stolen TV. Will the device they have just bought with their hard-earned money simply get disabled? Can they dispute this decision, or is everything done automatically and irrevocably? This is one of the many possible ways a user can get hurt. Considering that the vast majority of stores are insured against theft, it's even less clear how this TV Block technology actually protects anyone.
"This technology can have a positive impact at this time, and will also be of use to both the industry and customers in the future", Samsung's representative has said to the press. There are several important words in this phrase: "can have" and "in the future". Adjusted for the natural evasiveness of corporate statements, it sounds more like "we are not sure users need it, maybe it will come in handy somehow".
Smart TVs are in the vanguard of the "smart home" technology that is invading our homes right now. Vacuum cleaners, fridges, baby monitors, climate control sets, and even smart Q-tips replace their dumb predecessors. Unfortunately, the high level of market competition and the desire to save money on production and maximize profits stop vendors from equipping smart devices with powerful security protection suites.
On the other hand, there is strong doubt that the remote control features would only be used by the vendor and only for the stated purposes of user protection. Numerous studies have discovered plenty of vulnerabilities in such devices, and a vast variety of malicious actors are potentially able to get access to a device.
What danger do these technologies pose?
Ransomware is a type of malware that has been spreading rapidly in recent years. Its best-known subtype is encryption viruses. A malefactor invades the network or otherwise gains access to a remote device and encrypts its data with specialized software; the user then sees a banner on their screen demanding payment for decrypting the information. The exact ransom amount varies greatly depending on the hacker's skills and their opinion of the value of the data.
Another popular type of ransomware simply blocks access to the device. The device stops working; all it can still do is show you the same banner demanding that you transfer a certain sum in bitcoin to a certain wallet.
There are also human factor risks, especially since we aren't fully informed about how Samsung's remote blocking works, or how the similar remote control mechanisms of other vendors work. It is quite possible (and it actually already happens) that an unprincipled employee gets the idea of making some extra money by selling the data gathered by your smart TV on the darknet. And there are plenty of vulnerabilities that allow an attacker to obtain even more information. All smart TVs are equipped with a microphone for voice control, and high-end models have a webcam. A hacker gains remote access, and here you are, being eavesdropped on at best, and becoming the star of a reality show broadcast somewhere on the darknet at worst.
Is the vendor actually on the user's side?
There is no need to strain your imagination, though, thinking of possible abuse scenarios. Samsung has already been caught spying on its users and harvesting huge amounts of data. The age of smart devices heralds a dark age for privacy. Vendors interfere remotely with devices' functions and present it as an advantage and as care for the user. Meanwhile, there's no guarantee that the vendor or other actors will not exploit these capabilities in their own interest, or are not already doing so.
It is already almost impossible to buy a TV not stuffed with smart functions, and the gadget you've paid for literally does not belong to you. The only guaranteed solution right now is simply not to connect the device to any network. No data will be transferred, no remote access gained, no hack or abuse possible.
Samsung keeps a solid share of the smart TV market, but it's not the only major player. Its competitors haven't yet announced similar remote control features, but technically they have everything ready for it. Besides, they have the same thirst for data and the same rather flexible understanding of user privacy protection principles. LG, yet another TV market giant, has repeatedly been caught tracking users and has also recently spoken about remote blocking options.
If you listen to what people say about this situation, it's easy to notice that they do not feel an urgent need for such technology. Nevertheless, it is they who pay from their own pocket for the ability of their TVs to turn into a pumpkin on Samsung's command.
The remote control and data harvesting potential of modern technologies, the quality and quantity of existing vulnerabilities, the level of corporations' disdain for user privacy, and the desire of vendors to have their tentacles in every home through their smart devices all add up to a huge threat to personal and public security.
There is probably no need to stress that we at AdGuard are strongly opposed to stealing devices or acquiring them illegally in any other way. But we are no less strongly opposed to remote access and control features being added without users' knowledge and consent. Our approach comes down to the simple idea that introducing new technologies, especially sensitive and potentially harmful ones, can only be done in the interests and at the request of users, not because of corporations' desire for profit.