Cyber pros find vulnerability in Samsung Tizen OS


A vulnerability found in Samsung Tizen OS could allow users of Samsung smart TVs running that particular operating system to execute arbitrary code at an OS level on the devices, researchers say.

Yes, exploiting the vulnerability required that the TV have developer mode enabled and that the exploitation be performed from the IP address configured as the developer mode host IP on the smart TV, which would require close proximity to the television. Direct risk seems minimal.

But researchers from Bishop Fox, a private cybersecurity firm specializing in offensive security, say the issue nevertheless allows circumvention of the controls Samsung uses to restrict operating system access on Tizen-based smart televisions.

“Samsung’s branded Tizen images are configured to prevent device owners and users from accessing the underlying operating system,” said Bishop Fox in a blog post.

“The identified vulnerability demonstrates that these controls can be bypassed, indicating that the intended security boundary is not fully enforced as designed.”

Besides, the presence of OS-level command execution capability expands the theoretical attack surface of the device.

That’s because smart TVs are frequently deployed as shared, network-connected devices in corporate offices, conference rooms, healthcare facilities, hospitality environments, educational institutions, and other public or semi-public settings.

In such environments, physical proximity and shared network access are more plausible than in private home use, Bishop Fox said.

Finally, arbitrary command execution may provide an opportunity for further experimentation, reconnaissance, or chaining with other vulnerabilities.

Bishop Fox urges Samsung smart TV owners to update their Tizen OS when a patch is made available. Researchers recommend placing TVs located in public places or within range of public access into Kiosk mode to prevent access to developer tools.

Bishop Fox’s research is further proof that any smart device is hackable. Another study last year showed that most smart TVs on today’s market come with an embedded web browser that runs an extremely outdated version.

This, of course, exposes device buyers to cyberattacks as soon as they turn on their new gadgets – smart TVs from Samsung, LG, or Philips, as well as e-readers such as Kindle and Kobo or gaming consoles.

Some devices were actually released with vulnerable browsers from day one. Researchers found eight products that shipped with three-year-old browsers at launch, essentially exposing their buyers to attacks as soon as they turned on their products.

