Samsung Smart TVs record your conversations
Research from OpenDNS shows that Samsung smart TVs constantly communicate with an unsecured web server, giving hackers easy access to corporate secrets (Reuters)

Research into the security risks of Internet of Things (IoT) devices has revealed that Samsung smart TVs pose a worrying risk to enterprise.

Without any interaction by a human, Samsung smart TVs "incessantly" communicate with a server which uses an untrusted security certificate, opening up the potential for hackers to target these devices which are increasingly used in many highly regulated industries including healthcare, energy and government.

The risks are potentially huge, allowing hackers to use the TVs to spy on corporate boardrooms, monitor video conferencing and even steal sensitive data from USB sticks and PCs connected to the smart TVs.

Samsung said it was "reviewing the claims" made in the report, adding that it "takes consumer privacy and security very seriously and our TVs are designed with privacy in mind".

In February, controversy surrounded Samsung smart TVs when it was revealed that the terms and conditions of using the device allowed the company to record what you were saying and send it to a "third party". Samsung attempted to defuse the situation by saying the "third party" mentioned was the text-to-speech service Nuance, and that the system can be switched off at any time.

The latest controversy comes from a report entitled The 2015 Internet of Things in the Enterprise Report and published by security company OpenDNS. It shows the prevalence of IoT devices being used in the enterprise, by drawing on the network traffic from the company's 10,000 enterprise customers around the globe.

Samsung TVs are "extremely chatty"

Andrew Hay, who conducted the research, spoke to IBTimes UK in London ahead of publication of the report and described Samsung's smart TVs as "extremely chatty" even when they are not being used. He says that when they are turned on, they are essentially web servers or "expensive big-screen computers" and if they are compromised could give hackers access to a huge amount of sensitive corporate data.

According to the report, the TVs contact IoT-related domains (fully qualified domain names, or FQDNs) without any user interaction 10 times in a row, with each call five minutes apart, before pausing for 45 minutes and starting all over again.
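A defender can turn that fixed-interval pattern into a detection rule over DNS logs. The following is an added example, not code from OpenDNS or the report: it groups queries by client and domain, measures the gaps between them, and flags pairs whose gaps cluster on a five-minute period. The log format, client addresses and the domain name are constructed for illustration.

```python
"""Detect the beaconing pattern described above in a DNS query log:
repeated lookups of one domain at a fixed interval, then a long pause.
Added example; log format and domain name are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Construct a log of 'timestamp client fqdn' lines (not real data)."""
    lines = []
    t = datetime(2015, 6, 1, 9, 0, 0)
    # TV-like client: two bursts of 10 queries five minutes apart,
    # with a 45-minute pause between the bursts (as the report describes).
    for _ in range(2):
        for _ in range(10):
            lines.append(f"{t.isoformat()} 10.0.0.21 tv-telemetry.example.invalid")
            t += timedelta(minutes=5)
        t += timedelta(minutes=40)  # 45 min since the last query of the burst
    # Laptop-like client: irregular lookups of the same domain (not beaconing).
    t = datetime(2015, 6, 1, 9, 0, 0)
    for gap in (1, 7, 2, 13, 4, 22, 3):
        t += timedelta(minutes=gap)
        lines.append(f"{t.isoformat()} 10.0.0.50 tv-telemetry.example.invalid")
    return lines

def group_queries(lines):
    """Group query timestamps by (client, fqdn)."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, client, fqdn = line.split()
        by_pair[(client, fqdn)].append(datetime.fromisoformat(ts))
    return by_pair

def find_beacons(lines, period=timedelta(minutes=5),
                 jitter=timedelta(seconds=30), min_regular=8):
    """Return {(client, fqdn): (regular_gaps, total_gaps, longest_pause_min)}
    for pairs with at least min_regular gaps within jitter of period."""
    hits = {}
    for pair, times in group_queries(lines).items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= jitter)
        if regular >= min_regular:
            longest = max(gaps)
            hits[pair] = (regular, len(gaps), int(longest.total_seconds() // 60))
    return hits

if __name__ == "__main__":
    for (client, fqdn), (reg, total, pause) in find_beacons(build_sample_log()).items():
        print(f"{client} -> {fqdn}: {reg}/{total} gaps of ~5 min, longest pause {pause} min")
```

On the constructed log only the TV-like client is flagged, with 18 of its 19 gaps at the five-minute period and a longest pause of 45 minutes; the laptop's irregular lookups of the same domain are ignored.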

To look at just how these televisions communicate with remote servers, Hay used a Samsung smart TV (model UN32H5203AF) which was running the latest software and was representative of Samsung's 2014/2015 TV range.

One of the domains the TV reached out to was […], which the researcher discovered was using an untrusted certificate (signed by Samsung Hubsite CA), which leaves it at increased risk of attack.

Monitoring video conferences

Indeed, as far back as 2013, University of Amsterdam researchers were able to remotely install software on a Samsung smart TV by impersonating one of Samsung's update servers, which was also using a certificate signed by Samsung Hubsite CA.

With smart TVs increasingly being used in all areas of business, the potential for a serious security breach is high and once inside a corporate network, that risk increases greatly.

Some ways the hackers could leverage these devices include using the built-in webcams to take pictures in the boardroom, listening to conversations taking place in an office, monitoring both ends of video conferences and even accessing potentially sensitive information stored on USB sticks or PCs connected to the TVs for presentations.

Hay says that one way vendors like Samsung push back against claims that their connected products are insecure is by saying the devices were designed for consumers, not for enterprise use. He adds that he believes Samsung's smart TVs are "chatty" because the company is seeking to gather a lot of analytical data on its customer base, including "seeing how big their footprint is across the globe".

No logical use case

In the report, Hay says there was "nothing directly malicious" found, but how the TVs communicate with these domains "does not fit into any logical use case".

"It is our opinion that the average user does not expect their Smart TV to make incessant external calls to various services without any interaction. The fact that a Smart TV does so almost every minute it's powered on – even without user interaction – is concerning because it makes the use of these devices much easier to determine from outside a corporate network," Hay adds.

Hay said his research set out to answer the question: "Are these [IoT] devices making it into the enterprise?" and he says the report shows categorically that they already are with 69,000 queries by so-called smart devices to IoT domains over the sample period.

The adoption of Internet of Things devices in the enterprise is predicted to expand exponentially in the coming years, with research from Verizon and ABI Research earlier this year predicting that by 2020, there would be 5.4 billion connections globally, with more than 13 million in health and fitness alone being introduced to businesses by 2018.

Despite this huge growth, Hay says that businesses will really only pay attention to the issue of securing these devices after a major breach:

"I think it is only going to be a big deal in the enterprise when [someone uses] a smart TV to obtain sensitive information before an acquisition or merger, or [steal] some sort of devastating financial information."