The spam came from inside the house: How a smart TV can choke a Windows PC

The curious case of a living room screen making Windows' Settings app disappear.

See full article...

 

[Steve austin]

Have you checked the business displays that various manufacturers sell? They tend to have "dumb tv" options that only have HDMI ports.

They do, but those I've seen don’t have (and aren’t intended to have) high end PQ. They may be ruggedized or otherwise adapted for commercial use, but in terms of picture quality they aren’t meant for home theater use. I’d want something with a picture like a top LG/Samsung/Sony (OLED or QD-OLED) but without any of the “smarts” (or sound, for that matter - at that level, I’m not going to use the TV’s speakers).

 

[Bring the Irons]

This isn't a Hisense problem, it's a Windows problem. More specifically, the UPnP protocol was a disaster from day one, with "security" workarounds added as an afterthought. The fix is to disable Windows from responding at all to UPnP.

 

[ERIFNOMI]

Well, I don't know about "VLAN" but simply putting those items that you don't want onto a local network as a sub-network with a router that doesn't have a gateway to the Internet works fine. Then you can connect to the sub-network when you need to.

A VLAN is how you keep subnets separate without duplicating a bunch of hardware.

And explicitly connecting to the other subnet to use a device on that subnet is a pain in the ass. Just route between them. It's simple to make a firewall rule that prevents anything in that untrusted subnet from leaving.

 

[biffbobfred]

Pours out $A9 beers for my homey…

 

[Skyssx]

Remember last week when 95% of Ars commenters were saying "wtf never ever connect your smort display to your home network!" and the Ars article author was promoting comments from the two dudes saying "suggesting you not connect your smart tv to your home network is insane, you are all insane"?

 

[sephula]

Redacted. You idiots can just go ahead and watch ads, then. They're even adding them to their subscription tiers, now. So, good luck with that.

 

[ERIFNOMI]

FYI, I don't even own a TV. I have zero interest in consuming content the ad industry decides they want me to be indoctrinated by. Everything I enjoy is available online, where it's easier to block ads and unwanted content. So, until somebody creates a FOSS TV OS and a way to jail-break most popular TV models, I won't be investing my money into a propaganda platform. The ad industry is a circular economy, like slave labor was. It's our solemn duty to break ourselves free of those chains! If other people are unable to, then we must employ what collective powers we possess to ensure freedom for all.

Remember that it takes LESS TIME to configure your network and security settings than it does to consume intrusive/unwanted content, or repair problems. Failing to prepare is preparing to fail.

You know TVs can be used for watching that same online content, right? That's the entire point of "smart" TVs. You're not special in not having cable. Cord cutting has been popular for a decade or longer.

 

[Dark Jaguar]

You know TVs can be used for watching that same online content, right? That's the entire point of "smart" TVs. You're not special in not having cable. Cord cutting has been popular for a decade or longer.

Your ONE takeaway from that is "I think they're trying to be special and I have to put a stop to that!"?

 

[sephula]

Redacted

 

[sephula]

You know TVs can be used for watching that same online content, right? That's the entire point of "smart" TVs. You're not special in not having cable. Cord cutting has been popular for a decade or longer.

Imbecile didn't even read the third sentence before commenting.

 

[Saikaici]

My pihole install blocks a LOT of DNS requests from Samsung TVs on my network. *pu.samsungelectronics.com addresses account for 70% of blocked ad DNS requests over the last 24 hours. Also have like 35k requests, it's pretty crazy to look at network and DNS stats on what Smart TVs are pulling.

 

[Marcus Andreus]

I keep seeing comments from people saying that they don't trust their "smart TV", but then go on to say that they are trusting their Apple TV box or another streaming box, which is basically just the smart TV without the the built-in monitor, as far as I'm concerned. Frankly, you can't access online content without trusting SOMETHING. What I'm saying is, there's simply no way around it. You need to get smart about networking and security in order to access online content no matter what. There's no such thing as a "smart TV". There is only a difference in the people who use these devices. Accepting that is the first step in becoming one of the smart ones.

I mean, part of the point is siloing stuff out in case (when) someone breaks your trust.

Consider some people. Alice has a Sony TV in basic mode, a PS5, and a Roku box. Bob has a Roku TV and a PS5. Then Roku starts fucking stuff up (unbelievable, I know). Alice can get rid of her Roku box and replace it with an Apple TV. Or maybe just use her PS5 for streaming. Bob needs a whole new TV, even if he just wants to keep using his PS5. Even though the screen on his TV is still fine.

Or Charlie. Charlie has a Samsung TV that's a few years old. And now Samsung doesn't want to do software updates for that model anymore. Charlie probably shouldn't connect their TV to the internet anymore. So now they either need a new TV, or a separate streaming box. But the screen still works.

The point of "not trusting" your smart TV vs your streaming box is about the cost outlay to replace them when the device maker fucks you over.

 

[ERIFNOMI]

Imbecile didn't even read the third sentence before commenting.

No, I read the whole thing. It was pretty deranged. Started with "FYI" as if anyone cares, then immediately went into "I'm too smart to own a TV because I only watch content on the internet." Brother, you can watch that same exact content on a TV. You can use a TV as a simple display for whatever device you want to use to watch that content. Prefer to use an open system as possible? Fine, throw a Linux box on there. Before smart TVs were even a thing, I used RPis on my TVs.

 

[sephula]

My pihole install blocks a LOT of DNS requests from Samsung TVs on my network. *pu.samsungelectronics.com addresses account for 70% of blocked ad DNS requests over the last 24 hours. Also have like 35k requests, it's pretty crazy to look at network and DNS stats on what Smart TVs are pulling.

I use OPNsense, with the dnscrypt-proxy2 add-on which optionally includes the same DNS block lists as PH, but without the fancy graphs. One could do both, but I've never felt the need for the fancy graphs. Any information I need could be obtained by simply turning on the optional logging, which itself becomes a possible privacy risk under certain conditions, assuming the trusted resolver is truly "no logs". The main advantage for me is the added assurance that my DNS replies are likely coming from a trusted source, and supposedly not being shared with third-parties. Even if they are surreptitiously sharing my browsing data, it's slightly more difficult for them to build a profile based on my dynamic IP address.

You can do the same thing with Unbound, if you prefer DoT over DoH.

Edit: I can't understand why anybody would downvote this. I'm only explaining that my setup blocks those same requests (checked on it), and provides additional benefits. If you think I'm making a mistake, please comment and explain.

 

[Edified]

Best thing to do is never set up the "smart" features on your smart TV. Just use it as a display.

Best thing to do is turn off the "smart" features on Windows.

 

[sephula]

@ERIFNOMI​

You are missing the entire point so obviously, that I can only assume it must be intentional.

 

[spif_spaceman87]

I have not read this entire article and comments carefully, but did no one suggest re-installing Windows instead of modifying the entire registry? Seems like an easy fix to me. IMHO.

 

[ERIFNOMI]

@ERIFNOMI​

You are missing the entire point so obviously, that I can only assume it must be intentional.

Just don't connect your TV to the internet. Problem solved.

 

[sephula]

I mean, part of the point is siloing stuff out in case (when) someone breaks your trust.

Consider some people. Alice has a Sony TV in basic mode, a PS5, and a Roku box. Bob has a Roku TV and a PS5. Then Roku starts fucking stuff up (unbelievable, I know). Alice can get rid of her Roku box and replace it with an Apple TV. Or maybe just use her PS5 for streaming. Bob needs a whole new TV, even if he just wants to keep using his PS5. Even though the screen on his TV is still fine.

Or Charlie. Charlie has a Samsung TV that's a few years old. And now Samsung doesn't want to do software updates for that model anymore. Charlie probably shouldn't connect their TV to the internet anymore. So now they either need a new TV, or a separate streaming box. But the screen still works.

The point of "not trusting" your smart TV vs your streaming box is about the cost outlay to replace them when the device maker fucks you over.

My point is that these devices provide users zero method of manually securing the device, or even verifying whether or how that is being done. You are completely at their mercy. Instead of blindly trusting, I prefer being able to personally ensure that all due diligence is being done. Until then, it's compulsory individuals take compensatory measures upon themselves.

 

[fuzzyfuzzyfungus]

Marriot does what now?

They stopped; because the FCC smacked their hand out of the cookie jar; but a number of years back Marriott was using deauth attacks against other people's APs to interfere with(literally and in the business sense) potential competition for their...optimistically...priced connectivity services.

I don't know if they were doing it in hotel rooms; they got the fine for knocking out mobile hotspots at one of their conference centers and those are typically the ones where connectivity is a massive upcharge, rather than a comparatively modest tack-on to the room fee or a 'loyalty' program thing.

 

[Fred Duck]

I can understand why the TV is generating network discovery requests. But surely Windows should be more robust and be able to handle or discard them without bogging down and breaking.

I laud your optimism.

 

[real mikeb_60]

Isn‘t Hisense a Chinese manufacturer?

I know most are focussing understandably on not using the ‘smart’ functions of modern tv’s (I don’t), but given various governments having an allergy to Chinese products on security concerns, why are the general public allowing Chinese tv’s into their homes?

Have you seen a TV for <$1000 that isn't Chinese? Even if it's one of the Big Brands the lower-priced models are nearly all made in China. That's just life, where most of the world's manufacturing is in China (or at least it seems that way when looking at what's available for sale).

 

[InsanityOnABun]

I guess I'll be the odd one out then — I really don't care if my TV is reporting my watching habits to LG, and they're selling them off to whoever. I do not care. They can try to advertise whatever they want to me based off of it. There are much more sensitive, critical pieces of data that are actually worth the effort to protect. My TV watching patterns are not in that category. Assume all your data is being sold to the highest bidder and nothing but your SS number or your country's equivalent is truly private (ideally but even then not really). You're also kidding yourself if you think an Apple TV, Fire stick, Nvidia Shield, or any other external streaming boxes aren't doing just as much spying as your TV would be doing.

So that's privacy out of the way, which leaves security. Disable wifi, disable ad-hoc no-network device streaming, and hardwire your TV. The only entry point your TV is exposing at that point is on the local network. If someone who is going to compromise your TV is already in your local network, you're already screwed no matter how dumb your TV is. Potentially the app services or TV manufacturer could get compromised externally and exploits distributed through them, but that's just a fact of life at this point for every digital device.

Harden your network where it makes sense to do so, limit your attack surface, and understand that there's an infinitesimally small chance that your home TV will ever be an actual attack target. And just relax for a half a second.

 

[TaxiZaphod]

I keep seeing comments from people saying that they don't trust their "smart TV", but then go on to say that they are trusting their Apple TV box or another streaming box, which is basically just the smart TV without the the built-in monitor, as far as I'm concerned. Frankly, you can't access online content without trusting SOMETHING. What I'm saying is, there's simply no way around it. You need to get smart about networking and security in order to access online content no matter what. There's no such thing as a "smart TV". There is only a difference in the people who use these devices. Accepting that is the first step in becoming one of the smart ones.

I wonder if the differentiator is that the OS on the SmartTV (take your pick) seems to be geared toward generating profit for the TV manufacturer, and when you use that OS, you are kind of stuck at that point. At least with a 3rd party streaming box, you have some control in which one you purchase.

Personally, I use an Apple TV 4K (Even though my TV is an old 1080p plasma that still looks decent) because it has good app support, there are no ads, and I don't worry that Apple is going to mess up my LAN.

 

[real mikeb_60]

If this is a case of uPNP going crazy, perhaps don't enable it? Or, make sure your Windows computer defines your LAN, as it should by default, as "Public" which, again by default, should disable Network Discovery (aka uPNP). If it's not doing that, you may have a misconfiguration issue.

 

[sephula]

I wonder if the differentiator is that the OS on the SmartTV (take your pick) seems to be geared toward generating profit for the TV manufacturer, and when you use that OS, you are kind of stuck at that point. At least with a 3rd party streaming box, you have some control in which one you purchase.

Personally, I use an Apple TV 4K (Even though my TV is an old 1080p plasma that still looks decent) because it has good app support, there are no ads, and I don't worry that Apple is going to mess up my LAN.

You have the same control, whether you purchase a smart TV or not. Nothing is stopping you from being able to add a third-party device to it. So, I'm not sure what your argument is.

The risk isn't in which one you choose, but that ALL of them are deeply flawed.

 

[oldskooltech]

I’ve tried for several years to get a large (say 65”) dumb monitor. I explained to the salesdroids that I didn’t want “smart”, but they couldn’t cope with that idea. I said I’d pay just as much - I’d just want a better picture and nothing built in - that I wanted to use external “smarts”, but they offered nothing . I’m not sure that such things exist - perhaps because without the smarts the manufacturers don’t have a path to the additional revenue stream.

Try searching for "Business Video Monitors". Found a 65" non-smart right away.

 

[Hezio]

They do, but those I've seen don’t have (and aren’t intended to have) high end PQ. They may be ruggedized or otherwise adapted for commercial use, but in terms of picture quality they aren’t meant for home theater use. I’d want something with a picture like a top LG/Samsung/Sony (OLED or QD-OLED) but without any of the “smarts” (or sound, for that matter - at that level, I’m not going to use the TV’s speakers).

Really? Because I thought I've seen some business OLED displays as well QLED 4ks, but maybe I misunderstood what I had seen?

 

[jbthepaysonite]

I learned the hard way that my Samsung Smart TV was garbage. It automatically downloaded so many shovelware apps that it filled up the laughable 1GB onboard storage.

Eventually it was so full that I couldn't delete apps, update apps, or download new apps for services I actually used. While you could move many to a USB drive, the unmovable shovelware and lack of free space on the onboard storage broke this functionality--and you can't download direct to USB.

I did my best to purge the shovelware through hacks and resets, but it always came back and I got tired of fighting it.

 

[sephula]

I learned the hard way that my Samsung Smart TV was garbage. It automatically downloaded so many shovelware apps that it filled up the laughable 1GB onboard storage.

Eventually it was so full that I couldn't delete apps, update apps, or download new apps for services I actually used. While you could move many to a USB drive, the unmovable shovelware and lack of free space on the onboard storage broke this functionality--and you can't download direct to USB.

I did my best to purge the shovelware through hacks and resets, but it always came back and I got tired of fighting it.

We a had a similar experience. Also, the company stopped releasing updates less than 2 years after we bought the device from a major retailer. Not that it was doing much good, since they never patched any of the issues the TV had from day one.

 

[mmiller7]

Most new smart TV's nowadays will only work with either wired or wireless connection. I just bought a new 50" Samsung last week to use as a monitor, as soon as it "booted up" that was the first and only choices i had, connect then update then move forward, since i don't use any of the apps i have the TV blocked from connecting to the net now.

That seems wild...wonder what they expect people to do if you don't have a network for it to connect to where you plan to install it

 

[Flipper35]

Some smart TV want to talk to the mothership upon first boot to ensure that your unit isn't flagged as stolen property. After that, you might be able to disconnect it from the network.

If one had to, I guess you could use the hotspot on a phone to connect it.

 

[sephula]

That seems wild...wonder what they expect people to do if you don't have a network for it to connect to where you plan to install it

Yeah? You'd think that somebody would create a common sense law that says that you can't make products which arbitrarily require an internet connection to use.

 

[sephula]

If one had to, I guess you could use the hotspot on a phone to connect it.

What would that solve?

Edit: Besides a lack of connectivity, which is beside the point.

 

[vernonblack]

From the article:


"Windows just screws up because I try to use it too much." I've heard plenty of variations on that over the years. It's kind of like an abusive relationship.

Anti-Windows posts always get downvoted on this site. (Self-hating readership?) But you’re right.

 

[Flipper35]

What would that solve?

Edit: Besides a lack of connectivity, which is beside the point.

It wouldn't be connected on your home network to get it turned on and you turn the hot spot off again.

 

[mmiller7]

Has UPNP ever actually been used significantly? All I've ever done with it is disabling it because I don't want shit randomly being added or remotely controlled and having an extra attack surface for features that I don't need. I disable Windows scanning the network for random devices that may or may not even belong to me and adding them with its own shitty generic drivers, too.

Not everything offers a way to disable it, guessing a TV doesn't give you the option. I don't think my HDHR has that option (so its broadcasting itself as an available device to everything on the network)

 

[dtremit]

I took a quick look at that site. The TVs shown (even the “recent arrivals “) appear to be serviceable, but lower end panels (standard VA LED backlight). I’m really looking for a high(er) end dumb unit - OLED, QD, or QD-OLED, with multiple HDMI ins, no sound or tuner required, and haven’t found any of those.

Here's 164 potential 65" options to leaf through. You...probably won't like the prices.

I know most are focussing understandably on not using the ‘smart’ functions of modern tv’s (I don’t), but given various governments having an allergy to Chinese products on security concerns, why are the general public allowing Chinese tv’s into their homes?

You'll be hard pressed to find a lot of options not made in China, from any brand (and when you do, they're usually the highest-end models).

My wife is fairly technical (she was a systems programmer on S/370 mainframes and is now a Sharepoint admin and Power Automate developer) but still sometimes shoves her laptop/iPhone/iPad at me with the demand "fix it and why is it doing that?"

My dad was a mechanical engineer by trade (and a good one), but is flummoxed by his laptop and TV. The thing that seems to trip him up is the idea of having to set multiple devices correctly to do one thing. (They have a receiver for surround sound, and a DVR, but use their smart TV for streaming.)

 

[dtremit]

Has UPNP ever actually been used significantly?

It's used by a lot of multiplayer games to punch holes through routers. (Getting OPNsense to allow my partner to play Mario Kart online was...interesting.)

I wonder how many new TVs come with Ethernet ports? I would suspect it's fairly common, considering the obvious pitfalls with wireless

Even those that don't have them will often work with a ~$10-15 generic USB-Ethernet adapter.

What the actual fuck! That's insane! How is it legal for them to try and force you to use their network?

It isn't, and the FCC slapped their wrist over it.

And explicitly connecting to the other subnet to use a device on that subnet is a pain in the ass. Just route between them. It's simple to make a firewall rule that prevents anything in that untrusted subnet from leaving.

Even a lot of local control schemes break when a network is routed — as an example, an app-based remote for a TV or receiver. They typically use some kind of broadcast to advertise the TV to the app or vice versa.

 

[ERIFNOMI]

Even a lot of local control schemes break when a network is routed — as an example, an app-based remote for a TV or receiver. They typically use some kind of broadcast to advertise the TV to the app or vice versa.

You can forward mDNS between subnets if you need it.