Researchers at Mocana, a security technology company in San Francisco, recently discovered they could hack into a best-selling Internet-ready HDTV model with unsettling ease.
They found a hole in the software that helps display Web sites on the TV and leveraged that flaw to control information being sent to the television. They could put up a fake screen for a site like Amazon.com and then request credit card billing details for a purchase. They could also monitor data being sent from the TV to sites.
“Consumer electronics makers as a class seem to be rushing to connect all their products to the Internet,” said Adrian Turner, Mocana’s chief executive. “I can tell you for a fact that the design teams at these companies have not put enough thought into security.”
Mocana and firms like it sell technology for protecting devices and often try to publicize potential threats. But the Mocana test also illustrates what security experts have long warned: that the arrival of Internet TVs, smartphones and other popular Web-ready gadgets will usher in a new era of threats by presenting easy targets for hackers.
As these devices become more popular, experts say, consumers can expect to run into familiar scams like credit card number thefts as well as new ones that play off features in the products. And because the devices are relatively new, they do not yet have as much protection as more traditional products, like desktop computers, do.
“When it comes to where the majority of computing horsepower resides, you’re seeing a shift from the desktop to mobile devices and Web-connected products, and inevitably, that will trigger a change in focus within the hacking community,” said K. Scott Morrison, the chief technology officer at Layer 7 Technologies, which helps companies manage their business software and infrastructure. “I really do believe this is the new frontier for the hacking community.”
To combat the threat, security companies have been pushing to develop new protection models. They are promoting items like fingerprint scanners and face recognition on devices, and tools that can disable a device or freeze its data if an attack is reported. But so far, such security measures have largely failed to reach the mainstream.