Researchers at Mocana, a security technology company in San Francisco, recently discovered they could hack into a best-selling Internet-ready HDTV model with unsettling ease.
They found a hole in the software that helps display websites on the TV and leveraged that flaw to control information being sent to the television. They could put up a fake screen for a site like Amazon.com and then request credit card billing details for a purchase. They could also monitor data being sent from the TV to sites.
“Consumer electronics makers as a class seem to be rushing to connect all their products to the Internet,” said Adrian Turner, Mocana’s chief executive. “I can tell you for a fact that the design teams at these companies have not put enough thought into security.”
Mocana and firms like it sell technology for protecting devices and often try to publicize potential threats. But the Mocana test also illustrates what security experts have long warned: that the arrival of Internet TVs, smart phones and other popular Web-ready gadgets will usher in a new era of threats by presenting easy targets for hackers.
As these devices become more popular, experts say, consumers can expect to run into familiar scams like credit card number thefts as well as new ones that play off features in the products. And because the devices are relatively new, they do not yet have as much protection as more traditional products, like desktop computers, do.
“When it comes to where the majority of computing horsepower resides, you’re seeing a shift from the desktop to mobile devices and Web-connected products, and inevitably, that will trigger a change in focus within the hacking community,” said K. Scott Morrison, the chief technology officer at Layer 7 Technologies, which helps companies manage their business software and infrastructure. “I really do believe this is the new frontier for the hacking community.”
To combat the threat, security companies have been pushing to develop new protection models. They are promoting items like fingerprint scanners and face recognition on devices, and tools that can disable a device or freeze its data if an attack is reported. But so far, such security measures have largely failed to reach the mainstream.
Enrique Salem, the chief executive at Symantec, which makes antivirus software frequently installed on PCs, said it was unlikely that his company would produce the same kind of software for all of the new products. For one thing, such software can require a fair amount of computing muscle, which would put too much burden on devices that lack the oomph and battery life of traditional computers.
And second, the attacks that Symantec and others have seen on the devices are so new that they will require a fresh approach, he said.
“With something like Android, it’s a different type of threat and it functions differently,” Salem said.
Symantec will focus on adding fingerprint scanners and other personal identifiers to devices, Salem said.
The company also hopes to use features in the devices to help with protection. For example, if someone logs in to a computer from Florida, but location-tracking data says that the person’s phone is in Texas, then an application might ask a security question.
Another goal is to let consumers report a possible security problem and get their data locked down or erased remotely until the problem is cleared up. “You want that ability to wipe the data away if a device is lost,” Salem said.
The chip maker Intel recently bought Symantec’s main security technology rival, McAfee, for $7.7 billion. Intel executives say they plan to build some of McAfee’s technology into future chips that will go into mobile phones and other newer devices.
Cell phones have been connected to the Web for years, but for much of that time, they tended to have tightly controlled, limited software and other constraints that made it difficult for hackers to do much damage. Attackers continued to find easier targets, and a larger pool of potential victims, by going after PCs running Microsoft Windows and other popular Web software.
Turner of Mocana said the maker of that television had left crucial bits of information about its security credentials and those of third parties in an easy-to-reach spot, meaning that a hacker could infiltrate some of the data exchanged between companies providing commerce services for the TV.
Mocana has notified the TV maker of the issues and has declined to reveal the company’s identity in a bid to thwart hackers. Turner would say it was one of the five best-selling Web-ready HDTVs.
“The things we found were mistakes that an inexperienced device designer would make when connecting something to the Internet for the first time,” Turner said.