Spoiler alert: Your TV will be hacked

Last week you may have read a headline that blared “100 million TVs will be Web-connected by 2016.” Regular readers of this blog know I’m always on the lookout for new threats, so the question naturally arises: Will Internet TVs will be hacked as successfully as previous generations of digital devices?

Of course they will!

[ Also on InfoWorld: No system is immune, as proven by the recent Mac malware attacks. | Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld’s expert contributors in InfoWorld’s “Malware Deep Dive” PDF guide. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]

Nothing in a computer built into a TV makes it less attackable than a PC. Internet-connected TVs have IP addresses, always-on network interfaces, CPUs, storage, memory, and operating systems — the details that have offered hackers a bounty of attack choices for the last three decades.

Can we make Internet TVs more secure than regular computers? Yes. Will we? Probably not. We never do the right things proactively. Instead, we as a global society appear inclined to accept half-baked security solutions that are more like Band-Aids than real protection.

I’ve successfully hacked Internet-connected TVs before. When I worked at Foundstone, my penetration-testing team got paid to try and break into the world’s largest cable television provider’s set-top box — one of the first so-called IP TVs. Regular televisions were connected to set-top boxes, which were simply a custom personal computer appliance running a specialized version of BSD.

Our goal was to see if we could hack into the set-top box, steal customer personal information, pirate services, and incur denial-of-service conditions. Just for yucks, I added two more objectives: to see if we could steal porn (typically, one of the biggest revenue streams for cable companies) or force porn onto another television that was watching Disney content, with the idea that offended customers would drop their service.

It was three guys locked in a computer room with two simulated home cable connections running IP TV. We sat around for days and — I’m not making this up — looking at porn on one television and Disney on the other. The Disney channel turned out to be more watchable over time — porn gets monotonous.

Anyway, using the excellent open source utility Nikto, I located a Web server running on a high-range port on the set-top box. Nikto found a few handfuls of possible Web server vulnerabilities, but each turned out to be a false positive. Still, I had zeroed in on a Web server, and Nikto correctly identified the brand.

I’d never heard of the Web server, so I did some quick Internet searches and learned it was an open source project abandoned about seven years prior. What were the odds that the set-top box creators had patched it since, even against what we now know to be common website vulnerabilities? Do you need to ask? In a few minutes, I was able to root the box using a directory traversal attack, while a colleague of mine discovered a simple JavaScript cross-site scripting attack.

With those two vulnerabilities, we not only owned the box, but ended up taking root of the entire cable system. It was an awesome day and week — perhaps the most fun I’ve ever had professionally. Pen testing is always fun. But cracking your main target while pirating porn with your buddies and taking over the whole company? Priceless.

The future of Web-connected TV is going to be just like today’s world. We’ll have global malware takeovers, constant patching of our TVs, DoS attacks, and all the other ugly stuff that comes with our always-connected world. In my line of work, job security is guaranteed.

This story, “Spoiler alert: Your TV will be hacked,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.