Commenting on the security vulnerabilities uncovered in smartphones, internet-connected TVs and other devices, Martijn Verbree, partner in KPMG’s cyber security practice…
It may come as a shock, but security vulnerabilities exist in pretty much every internet-connected device. When internet-connected devices are made, security may be an afterthought in the design process and not part of the initial thinking. Many connected TVs were designed to be TVs first, with some computing functionality, an operating system, apps, a few sensors and a Wi-Fi connection then bolted onto them.
The lack of security by design will change over time when the industry matures: we have already seen this take place with smartphones, which are now a lot better protected and better patched, although far from secure.
The vulnerabilities uncovered pose a low risk to the general public at the moment. However, you can imagine that a lot of security folks will try to reverse engineer it right now – including criminals, hostile nation states, universities etc. With the exploits most likely requiring a piece of malware to be installed on the TV itself – either through physical access, or the consumer clicking on a bad link or by downloading an infected app – it makes it relatively hard to target specific individuals.
Fixing this will be hard and the most likely fix will be via a software patch. But the challenges are: what other vulnerabilities already exist, and how do manufacturers get the patches out? Yes, some TVs are internet-connected and could have the firmware updated remotely. However, this typically requires some consumer intervention, and that being done manually by a consumer isn’t easy to achieve.
Vendors will need to take responsibility and provide fixes to vulnerable devices, even if they’re over their normal warranty period.