It was always a question of when, not if. A data dump released by Wikileaks today included the claim that the CIA has the ability to hack into smart TVs manufactured by Samsung and secretly record and transmit audio. As an added twist of the blade, this feature supposedly worked even when the TV appeared to be powered down. Only pulling the plug could keep the spies at bay.
This is a serious accusation to level at both Samsung and the CIA, implying either collusion or ineptitude on the part of the company, and a desire by the agency to deploy mass surveillance. After all, Samsung sells more TVs than anyone in the world — more than a fifth of all models, according to 2015 numbers — and this single hack would potentially turn millions of flat screens into readymade listening devices, ones that targets purchase and plant themselves. It’s the perfect way to keep tabs on huge swaths of the global population.
To security and privacy experts, there’s nothing particularly shocking about this potential capability. Recently we wrote about TV-maker Vizio’s massive snooping program, wherein the company’s smart TVs gathered real-time data on the viewing habits and demographic markers — including information that could easily be used to identify individual names and addresses — of millions of users and sold them to third-party firms. This program lasted for more than two years, and involved some 11 million customers. Vizio wound up paying $2.2 million to the FTC and the state of New Jersey, but that breach of privacy was clearly just a glimpse of what is possible.
The security researcher we talked to pointed out just how vulnerable the many smart devices in our homes are due to factory settings that either can’t be changed, or would require an unreasonable amount of technical know-how to access. These are the kinds of backdoors that the CIA, or a run-of-the-mill hacker, could make short work of by exploiting the codes and settings that they know for a fact are still susceptible (because they can’t be changed).
These sorts of vulnerabilities, however, can lead to more than just microphone access. According to Kurt Baumgartner, Kaspersky Lab’s senior principal security researcher, it’s only a matter of time before smart devices in the home lead to something far worse than snooping and botnet attacks. “At some point there’s going to be a kinetic or more tangible accident,” says Baumgartner. In other words, hackers doing physical damage by turning off a smart thermostat and causing pipes to freeze and burst or making a connected printer overheat and burst into flames.
The real outrage isn’t that the CIA may have the ability to hijack the microphones in connected TVs. Because as disturbing and privacy-eroding as that possibility would be, it’s just one example of the near-total lack of security in smart-home products. Unlikely though it is that you are being actively spied on, the internet-of-things is one big target of opportunity. This is as good a reason as any to start a larger, and genuinely urgent, discussion of how to secure smart gear. Because today’s fears of snooping will look quaint if and when tomorrow’s smart-home hacks turn tangible and kinetic.