Are "smart" monitors/TVs a security issue?

[River~~]

Hi all

In the days of CRT monitors one way the security of a computer system
could be compromised non-intrusively (ie without amending the
installed code) was by picking up the radio-frequency leakage from the
tube in the monitor. This could only be done from near by, but where
possible it enabled the spy to see what was on the screen -- almost
everything that you typed (aprt from passwords that were blanked or
starred out). This was a remote form of shoulder surfing, where
someone looks over your shoulder in an environent like an internet
cafe.

Nowadays we do not have to worry about CRT monitors. But TVs are
increasingly delivered with their own internet connection, making it
easy to watch You-Tube (etc) without needing a separate computer or
phone. Clearly there is a computer inside which can be hacked, and if
so a remote shoulder surfing attack would be very possible.

Is the same true of monitors and of TVs that do not have an apparent
internet link? The digital tech to draw a picture from the input is
unlikely to be done by traditional electronics, but being all digital
is likely done by a miniporcessor of some kind in all digital
displays.

To put my question in the most provocative way on this forum: if there
much point securing the OS when the monitor might be an easier target
for those out to (umm) monitor our reading and our keystrokes?

This thught has only just come to me, and I wonder if there is already
some available mitigation? Any ideas?

Or am I being overly cautious?

R~~

Any ideas?

[Mark Fernandes]

Hello trueriver,

Thanks for your post. No, you're not being overly cautious. Regarding your thoughts on whether there is much point securing the OS, I had the same kind of issues after my computer was hacked earlier this year. I realised, I couldn't just do a small fix here or there, as the issue of security was a bit like a water-carrying pipe with many punctured holes: patching just one or a few holes only meant that water came out of some other holes.

The result of my encountering of these issues, was the creation of a Wikibooks book on end-user computer security, particularly aimed at individuals without much resources (resources such as money)—feel free to add/edit its content, as it is a wiki.

On Wednesday, 25 November 2020 at 14:31:55 UTC trueriver wrote:

... 

In the days of CRT monitors one way the security of a computer system
could be compromised non-intrusively (ie without amending the

installed code) was by picking up the radio-frequency leakage ...

Nowadays we do not have to worry about CRT monitors. But TVs are

increasingly delivered with their own internet connection, ...  

Clearly there is a computer inside which can be hacked, and if
so a remote shoulder surfing attack would be very possible.

Getting back to your particular issues, smart TVs (and other internet-connected devices), are clearly a security concern, and I am not convinced that these issues are adequately dealt with for general consumers. Firmware doesn't generally seem to be sufficiently locked-down, meaning that middle-men attackers can possibly reprogram devices without leaving much evidence that leads personally back to them.

 

Is the same true of monitors and of TVs that do not have an apparent

internet link? ... 

Regarding microprocessor/micro-controller VDUs without wireless-communications tech, they are probably safer. However, because you can now even get small WiFi SD cards, even at what appears to be relatively inexpensive prices, I would perhaps be concerned over whether such VDUs might have undergone tampering so as to be able to steal your information through wireless means.

...if there much point securing the OS when the monitor might be an easier target

for those out to (umm) monitor our reading and our keystrokes?

There is a point in securing the OS in spite of the other security vulnerabilities you've highlighted, but only as part of a comprehensive security solution. It only takes the weakest link in the chain...

 

... I wonder if there is already some available mitigation? ...

In terms of available mitigation, the latest idea I've had (not yet properly included in the book), is to buy computer hardware with anonymity over Amazon (see some notes about it here). You could also try using brands you trust more, or that are advertised as being more secure than normal. Also, you might think about going "barebones" in respect of the VDU: strip out the "bells and whistles" so as to reduce the attack surface.

Hope this helps,

Kind regards,

Mark Fernandes

[Andrew David Wong]

On 11/25/20 6:31 AM, River~~ wrote:
> Hi all
>
> In the days of CRT monitors one way the security of a computer system
> could be compromised non-intrusively (ie without amending the
> installed code) was by picking up the radio-frequency leakage from the
> tube in the monitor. This could only be done from near by, but where
> possible it enabled the spy to see what was on the screen -- almost
> everything that you typed (aprt from passwords that were blanked or
> starred out). This was a remote form of shoulder surfing, where
> someone looks over your shoulder in an environent like an internet
> cafe.
>
> Nowadays we do not have to worry about CRT monitors.

This is known as a TEMPEST attack:

https://en.wikipedia.org/wiki/Tempest_(codename)

Although we may not use CRT monitors any more, there are still many
other forms of this attack, many of which are still relevant today. It's
still important to be mindful of any kind of leaking emanation.

> But TVs are
> increasingly delivered with their own internet connection, making it
> easy to watch You-Tube (etc) without needing a separate computer or
> phone. Clearly there is a computer inside which can be hacked, and if
> so a remote shoulder surfing attack would be very possible.
>

Yes, definitely. Smart TV spying is already a widely-reported phenomenon:

https://duckduckgo.com/?q=smart+tv+spying

> Is the same true of monitors and of TVs that do not have an apparent
> internet link? The digital tech to draw a picture from the input is
> unlikely to be done by traditional electronics, but being all digital
> is likely done by a miniporcessor of some kind in all digital
> displays.
>

It's impossible to say without knowing exactly what kind of hardware is
inside.

> To put my question in the most provocative way on this forum: if there
> much point securing the OS when the monitor might be an easier target
> for those out to (umm) monitor our reading and our keystrokes?
>
> This thught has only just come to me, and I wonder if there is already
> some available mitigation? Any ideas?
>
> Or am I being overly cautious?
>
> R~~
>
> Any ideas?
>

Well, there's no such thing as perfect security, but you can decrease
your risk here in multiple ways, such as selecting a monitor with as few
"smart" features as possible or, if you use a laptop, sticking with the
built-in monitor. There might also be some advantage to preferring
"dumb" ports on your monitor. For example, DisplayPort and Thunderbolt
are probably bigger risks than VGA and DVI, since DisplayPort can
transmit USB and other data, and Thunderbolt combines PCIe and DisplayPort.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

[Alex Smirnoff]

For "native" thunderbolt monitors there certainly could be an issue! For HDMI/DP, honestly, do not know how much a malicious device could do.

[haaber]

> For "native" thunderbolt monitors there certainly could be an issue! For
> HDMI/DP, honestly, do not know how much a malicious device could do.

For "smart"-tv's please notice existence of ethernet-over-hdmi :) Often
these machines have microphones (for vocal commands). As well as the STB
that decodes your ip-TV. Better you own your hardware ... and harden
the linux on it :)

[Alex Smirnoff]

To my best knowledge, no PC graphic card ever supported ethernet over HDMI.

[Steve Coleman]

Without a Nation State being involved, the most likely threat would come from a permiscuous WiFi in the TV auto-connecting to any open networks in your area. If you are sure that is not the case then it should be 'safe enough' for most people. 

Side channel attacks take tools, skills, and physical location that isn’t going to happen without you already being a target of some kind. It you are a target then no monitor is going to help and its time to unplug your computer. I once saw one demo years ago where the target machine with no known public vulnerabilities at the time was rooted in less than 15s. They don't play around.

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAK3jUKoDK8kX2jhx3J-m%3D-%3DrRdVxpX7uaJCa5emwpXdSm-CWxg%40mail.gmail.com.

[Alex Smirnoff]

Assuming poor software quality of typical TV firmware and codecs, DVB should be pretty easy exploitable. However, I doubt a compromised TV could do serious harm to your computer via HDMI. Speaking on your demo.. there is a lot of factors to be involved. Chaining a Xen exploit to Chrome might be possible.. but unprobable, for a multitude of reasons.

[Steve Coleman]

On Fri, Nov 27, 2020, 6:01 PM Alex Smirnoff <ark...@gmail.com> wrote:

Assuming poor software quality of typical TV firmware and codecs, DVB should be pretty easy exploitable. However, I doubt a compromised TV could do serious harm to your computer via HDMI. Speaking on your demo.. there is a lot of factors to be involved. Chaining a Xen exploit to Chrome might be possible.. but unprobable, for a multitude of reasons.

My reasoning about the WiFi was three fold. 

1. TV's are often encoded to deliberately export use intelligence data to be utilized by the advertisers and ratings organizations. The camera and microphone, if installed, are actually designed and used to watch and listen to the family watching the programs. Zero privacy, and you may even have no way to disconnect it, so denying it any network access is your only hope to stop exfiltration.

2. Having a presence on any network leaves it open to external exploit where the above sensors are available for surveillance of the target family.

3. More recent sets are actually programmable, from the network, and can have software (e.g. android) apps or plugins installed by the adversary which that app then has complete access to all the features of the set including the display buffers,  sensors, and network. Its a computer in its own right and should be treated as such.

If the TV set programmers coded the it to auto connect to any available open WiFi then that set is actually dangerous, as it can give a foothold from which to attack other machines on that network. If its your own network that is doubly bad news. 

The question remaining is what can the adversary then do to communicate back through the video connection. Hdmi is bidirectional so buffer overflow exploits are clearly possible. But no matter what, one simply has to assume the adversary already has what is displayed on the screen. 

Denial of network access is the key to keeping *most* adversaries out. Testing the sets WiFi situation would be the absolute bare minimum to be sure you are safe (enough?). But if you think you are being targeted by some advanced adversary for some reason then I would simply not use one of these as a monitor. There are just too many ways to hack one.

I can not discuss that specific demo I previously spoke about other than to say, I know exactly what they did, and they can not use that same trick today. I have worked with people quite capable of waltzing through your system and you wouldn't know they were there. They reverse engineer hardware and play a form of "capture the flag(the file contents stored on some chosen hardware/machine)" for fun and recognition, and the choice of hardware is often quite amusing. Spooks like to have fun too. I'm retired now, but the stories I could tell if I were only allowed to. 

I'll just say there is a reason I use qubes. 

[River~~]

hi Steve

Steve:

> Without a Nation State being involved, the most likely threat would come
> from a permiscuous WiFi in the TV auto-connecting to any open networks in
> your area.

Good point. Which links to my thought if you wanted to keep a Qubes
box secure it would be a really BAD idea to plug it into someone
else's TV (like in a motel for example) or a conference room
projector.

My mitigation at home is to use the oldest flat panel TV I can find;
however that has its own difficulties (not security-related but to do
with the picture overscanning the screen).

> If you are sure that is not the case then it should be 'safe
> enough' for most people.
> Side channel attacks take tools, skills, and physical location that isn’t
> going to happen without you already being a target of some kind. It you are
> a target then no monitor is going to help and its time to unplug your
> computer.

There are degrees of Nation State interest ahd more than one level of
being a target; it is not all or nothing.

Presumably the top three tiers of interest are other Nation States
(especially those perceived as hostile), suspected terrorists, and
suspected paedophiles. Below that (I hope) in a fourth level would
come people with a non-violent agenda for significant political
change.

We know that many well known states put effort in to infiltrating such
groups in this fourth level -- to the extent where (for example) State
Infiltrators have been known to have long term, child procreating,
relationships with female activists while popping home to see their
real wives when they can -- so it is reasonable to suppose that there
is also some cyber-infiltration to their computers as well. Equally it
would be paranoid to imagine that any Nation State throws the full
range of their surveillance capability at every individual identified
with such groups.

> I once saw one demo years ago where the target machine with no
> known public vulnerabilities at the time was rooted in less than 15s. They
> don't play around.

Agreed -- in fact it is worse than that.

Those who know how to access to the Intel ICE processor or the AMD
equivalent (whose name I forget) have millisecond access whenever they
want it whenever an Intel or AMD machine is directly net-connected or
connected via routers that are themselves compromised in other ways.
That is after all the hidden-in-plain-sight message on the sticker:
Intel Inside ;) and why Qubes certify so few recent machines.

Apart from avoiding TV's that connect to random unknown Wifi or that
are owned by someone else, I think that I would have to stop using a
recent AMD box other risks of entry via the TV became the biggest
security issue.

Warmly,
R~~

[Andrew David Wong]

On 11/27/20 7:08 PM, Steve Coleman wrote:
> [...]

> 1. TV's are often encoded to deliberately export use intelligence data to
> be utilized by the advertisers and ratings organizations. The camera and
> microphone, if installed, are actually designed and used to watch and
> listen to the family watching the programs. Zero privacy, and you may even
> have no way to disconnect it, so denying it any network access is your only
> hope to stop exfiltration.

Physically disabling the camera and microphone may be an option in some
cases. Cameras can be covered, but covering a microphone doesn't do
much. I recently got a new smart TV that has a microphone in the remote.
Since I never planned to use the voice features, I simply found a sewing
needle, inserted it into the mic hole, and used a flat piece of hard
plastic on the other end to apply moderate force. There was a single
"click" sound. After that, voice commands were no longer recognized by
the TV, but the remote and everything else still worked perfectly.
Hopefully that's good enough.

By the way, this reminds me of when Joanna removed all the microphones
and front camera from her iPhone:

https://twitter.com/rootkovska/status/547496843291410432

[awokd]

Andrew David Wong:

> Since I never planned to use the voice features, I simply found a sewing
> needle, inserted it into the mic hole, and used a flat piece of hard
> plastic on the other end to apply moderate force. There was a single
> "click" sound. After that, voice commands were no longer recognized by
> the TV, but the remote and everything else still worked perfectly.

Reminds me of a lobotomy procedure.

Thread related- if you want a big screen picture, but not "smarts",
sometimes projectors can be the way to go.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots