Money makes the world go round...
A few years ago, when smart TVs were slowly starting to catch on, I explored the potential for abuse - it's definitely there.
On the one hand, there was the technical feasibility: the use of known technologies - in which vulnerabilities had already been found in the past and further ones could statistically be expected - made attacks likely.
On the other hand, there was the economic side, which simply made smart TVs uninteresting as a target of attack: factors such as the still low market penetration, the fragmented platform landscape, and the lack of a business model played the decisive role here.
At the time, we were still joking among colleagues about a possible business model: displaying a blocking message ("Dear viewer, against payment of an amount XY you can continue to watch the game") during the final match of the European Football Championship, for example...
Fun turned serious
Unfortunately, reality has caught up with this joke. There is now malware for Android-based smart TVs; on normal computers it would be called an extortion Trojan.
It locks the TV and displays an alleged message from the "US Cyber Police". In the message, the viewer is accused of a crime that he has not committed, of course - and from which he can buy his way out by paying with iTunes gift cards worth around 200 US dollars.
Exactly the same modus operandi hit PC users not so long ago in the form of the so-called "BKA Trojan".
So why smart TVs now, "all of a sudden", after all?
While there were many different platforms in the early days of smart TVs, Android has now become widely established. This means that, from the cybercriminals' point of view, the ratio of development effort to the number of possible victims is "better".
In addition, they have perfected the development of malware for mobile devices - and so the learning curve for smart TVs is comparatively gentle.
And because smart TVs have now sold en masse, the number of potential victims has naturally also increased.
This case illustrates an important lesson about cybercriminals: not everything that is technically feasible will be done. Just because a system is vulnerable does not necessarily mean that legions of cybercriminals will pounce on it.
From a marketing perspective, the mere existence of a risk is of course reason enough to jump into the breach. The decisive aspect, however, is the probability of occurrence! In the case of "normal" attacks, that depends on the possible profit.
We have seen this development many times in the past: Spam, phishing, Trojans, security breaches, personal data. It was only when there was money to be made from it that - to put it casually - things took off.
It was therefore clear from the very beginning of smart TVs that attacks would come as soon as a business model developed or became profitable.
Does this mean that risks whose business model is not yet viable can be ignored?
From the point of view of risk assessment: No! However, the probability of occurrence must be adjusted. So you have to keep an eye on the risk, but you must not give in to knee-jerk panic reactions.
We just need to be aware that sooner or later many at-risk technologies will be abused on a large scale. This also raises the question of "cleanup" that is on many people's minds.
And this, at the latest, is where it gets really unpleasant. With the smart TV, you might just not be able to watch TV anymore. But while a PC, a mobile device or even a TV can probably still be restored to a clean state with a reasonable amount of effort, this is becoming increasingly difficult as more and more devices are embedded ones.
These often have no interface through which you could still do anything, and there is no physical access to them either. Just imagine a small generic device that reads sensors and operates actuators - without an interface and deeply integrated into many products.
From the cybercriminals' point of view, this is perhaps paradise. Technically, such devices can perhaps be compromised only with great effort - but if the attack succeeds, it is priceless!