Smart televisions connected to the internet are among the devices in the home that are under constant attack from hackers. A test home set up with a range of devices received over 12,000 scanning attempts in a single week, with an average of 14 attempts by hackers to log into devices every hour. Proposed legislation in the United Kingdom plans to outlaw security vulnerabilities such as default passwords. A new assurance scheme aims to provide independent certification for television devices.
SafeShark is a joint venture between the Digital TV Group and security experts Connect Devices that aims to certify products to international standards that will support these legal requirements. They have partnered with the national standards body BSI to provide a combination of expert assessment and automated testing for internet-connected products.
The scheme is designed to support and guide manufacturers through market access and best practice requirements for internet-connected products.
The consumer organisation Which? recently set up a smart home with a range of consumer devices, from televisions to security systems connected to the internet.
A Samsung smart television was targeted but was not compromised. A printer surprisingly attracted the most attacks but had a reasonably strong default password.
Alarmingly, researchers found that the video feed from a wireless security camera was accessed. The product was an Amazon Choice with more than 8,500 reviews, over two thirds of which gave it five out of five stars. Amazon has since withdrawn the product.
A new European Standard on connected product security, EN 303 645, was adopted in 2020. This identifies several security requirements, including a ban on universal default passwords, a requirement to manage reports of vulnerabilities, and transparency on how long a product will receive security updates.
Legislation is planned that will make it a legal requirement for any company producing or selling smart devices in the United Kingdom to ensure that they meet minimum security standards.
Among the proposed provisions is that default passwords on connected products, such as ‘admin’ or ‘123456’, will effectively be made illegal. The legislation is expected to be introduced in 2022. It will apply to all consumer connected products, including televisions and speakers with a network interface.