Privacy invasions and ad bombardments give some idea of where the smart TV market is going. But worse yet, cybersecurity experts are worried that the devices are increasingly hijacked for use in DDoS attacks and distributing illegal content.

So, what should we do to maintain convenience and security? Well, for starters, leaving your smart TV connected to the internet is asking for trouble.

Experts from cybersecurity firm Qrator Labs told Cybernews that the devices have already been observed participating in distributed denial of service (DDoS) attacks. This is because modern TVs are powerful computing devices capable of running games, apps, and other software, some of it malicious.

As such, TVs pose multiple cybersecurity risks, as their software support usually ends after three or four years – even though the devices typically hang on your wall for a much longer time. They receive less frequent updates compared to mobile phones, and the ones you do get are usually focused on improving user experience, not security.

“It’s not common for someone to have a phone that is five to seven years old, with all the vulnerabilities and potential issues,” said Qrator Labs. “But the TV set is often mounted to the wall and typically stays with people for five to ten years. You don’t just replace it. Sometimes, it’s a part of your renovation project in your living room.”

Cybernews has reported that cybercriminals are targeting TVs with malware, spreading it via apps for pirated movies and firmware. Infected TVs and set-top boxes participate in DDoS attacks and the spread of illicit content. Even some new Android streaming boxes from unknown vendors, usually in China, have been known to be shipped with malware.

Taimur Aslam, co-founder and CTO of Cytex, a SaaS-based cybersecurity platform technology company, noted that DDoS attacks using connected and IoT devices have increased steadily, with a 500% rise in the last 12 months, as shown by Nokia Cyber Security Research.

“Since the smart TVs have an operating system, in theory, they may be compromised and used in a DDoS attack. Most vendors stop patching older devices, so in theory, these older TVs pose a cybersecurity risk,” Aslam said.

Millions of TVs at the end of their life

A global consumer survey revealed that 83% of Americans aged 50-64 years owned a smart TV in 2023. For those aged between 30 and 49, the share was a bit lower, at 76%, and among the youngest adults, two-thirds (67%) owned a smart TV. All told, US citizens own more than 200 million smart TV sets.

The average TV is 6.6 years old when it is replaced, according to the latest “TV Ownership Trends Report” from Circana. A quarter of the population still uses a TV that has revolved seven times around the sun or more, while the average age now stands at 5.2 years.

“There’s for sure the need for consistent firmware updates and robust network security for smart TVs, especially older models,” said Victor Zyamzin, global head of business development at Qrator Labs. “Given the average lifespan of TVs in the US, many lack regular updates, increasing their vulnerability to security threats.”

The major risk for an old TV comes in the form of malicious apps, which can be used to exploit TV processing and network bandwidth, increase electricity bills, and compromise other devices on the network.

“People find them in ads, offering to watch pirated or free movies, so they open malicious websites, download malicious apps on their TV set, and then there’s virtually no limit to what this application can do,” expert added.

Beware trading privacy for convenience

All the cybersecurity vulnerabilities come on top of privacy issues that even the newest TVs present. While there is a risk that a connected TV could be compromised by malicious actors for DDoS attacks or even crypto mining, Aslam thinks that the most significant concerns pertain to user privacy.

“Cybersecurity is often an afterthought with most of the TV manufacturers. Many TVs also include third-party apps, voice assistants, and streaming services, which complicate the cybersecurity posture even further,” Aslam said.

Connected TVs vary by the degree of data collection they are used for. Many connected devices are still active even when they are in standby mode. Some examples include devices with voice assistants, which are programmed to always listen and wake up from standby or hibernate mode when a user says the wake word or other prompt.

“In the early days, smart TVs were easily hackable, and users could easily become a victim of malware or become part of a botnet,” said Fabian Kochem, head of global product strategy at 1NCE, an internet of things (IoT) connectivity platform backed by investor SoftBank. “In today’s world, people are mostly afraid of big companies invading their privacy, for example, by selling viewing data or spying via abusing voice-control features. Because these features can be installed remotely using firmware updates which could happen in the background.”

As manufacturers are being held more accountable for implementing robust security measures, security breaches of these devices, according to him, have become less prominent in recent years. EU laws are getting stricter, and the US is slowly but surely following suit.

“Consumers increasingly keep their smart TVs connected to the internet to enjoy easy access to streaming services (such as Netflix) or to integrate it into their smart home. Many don’t mind if their viewing habits are being sold to marketing companies over the comfort of having to use just one device,” Kochem noted.
Making your smart TV safer

So, should users disconnect the TV from the internet? Yes, in theory, says Qrator Labs – but it acknowledges that the reality usually turns out quite differently.

“You should, but we all know that you wouldn’t,” it said. “People will buy, install, connect those to the internet. It’s more about how to make it safer for you and your family – or colleagues, if TV is in the office.”

First things first: Qrator urges consumers to “go with a vendor you know and not some cheap maker you never heard of.”

Beyond that, its expert advice to consumers is as follows:

Keep automatic updates on and make sure that your TV set is updating regularly
Check the date of the latest update. Refrain from connecting to the internet any vulnerable devices, and especially, do not visit any suspicious websites or open dubious links
Do not install unknown third-party apps – or any applications at all on a TV set that is four or more years old
Disconnect the end-of-life smart device and complement it with a newer internet-connected streaming box, again from a reputable vendor
Keep the TV behind a router, isolate it from other devices on the home network, use strong passwords, and a secure Wi-Fi network

Disconnect the end-of-life smart device and complement it with a newer internet-connected streaming box, again from a reputable vendor.

Above all, Qrator has one maxim you should always bear in mind: if you care about your privacy, sometimes it comes at a higher price.

“Always make sure that the latest software is installed,” added Aslam. “If a vendor has issued a security patch, it must be installed immediately to mitigate any threats. Review which services and ports are active on the device, and turn off any apps and close ports that are not needed.”

There are limited choices when it comes to privacy. Vendors are required to mention what data is being collected as well as the retention period in their privacy policy. Devices usually allow adjusting the amount of data collected, deleting historical data, turning off personalised advertisements, and resetting advertising IDs.

Being strict with settings may hamper some of the user experience, and not everyone turns off excessive tracking in their TV settings.

“Turn off any services or applications that you do not need or are not comfortable sharing data with,” said Aslam. “Use your internet router’s firewall to block ports and services that are unnecessary but can’t be disabled from the TV.”

Kochem recommends disabling all unnecessary features, such as voice control.

“Disable settings that allow the sharing of usage data with third parties,” he said. “Use a special network configuration for IoT devices that disallows access to other devices in the network and can only talk with certain servers.”
Mozilla: Apple and Nvidia worth looking at

Mozilla Foundation reviewed the privacy policies of multiple streaming players and marked Google Chromecast, Amazon Fire TV, and Roku Streaming devices with the “privacy not included” badge.

But there were two outliers that fared better – Apple TV and Nvidia Shield.

“Apple is generally better than other Big Tech companies (cough, Meta, cough cough, Amazon, cough Samsung), when it comes to privacy,” the review states pointedly. “They seem to do a better job at collecting less data, probably because they aren’t trying to sell as many ads as Google and Facebook ­– yet.”

“Nvidia seems to do a pretty good job of protecting users’ privacy,” another review reads. “They don’t sell your data, which is good, especially in the streaming TV space. They even list users’ privacy rights right at the top of their privacy policy.”