When K-State’s IT security team investigated a compromised system detected by its Intrusion Detection System last week, they were surprised to discover that the infected device was a television! Yes, a TV. Of course it’s not just any ol’ TV — it’s a special Samsung TV that also has a computer and operating system in it, so it can be used for multiple functions. In this case, it was used as an information kiosk in the lobby of a building to provide touch-screen access to information about the building and the department housed therein.
This device is running a special “embedded” version of Windows XP that had unpatched vulnerabilities. Since it was connected to the campus network, it was exposed to hackers — who exploited the vulnerabilities, took over control of the computer portion of the device, connected it to an IRC botnet, and used it to transfer pirated movies and who-knows-what-else.
This incident points out several security concerns of which departments need to be aware:
- Hold vendors accountable for patching systems they support. This Samsung kiosk was programmed and supposedly supported by an external, third-party vendor, but it had numerous critical vulnerabilities that were not patched, which violates K-State IT security policy.
- Beware of “behind the screen” features of new devices. Digital signage has become popular (like the new sign outside the K-State parking garage on Anderson Avenue), and it typically houses computers with operating systems that need regular patching (many seem to run some flavor of Linux). Make sure you understand all the features and the potential risks they pose.
- Address security when you configure and install the device. Digital signage, kiosks, and any device on the campus network must follow all K-State security policies. In many cases, the best way to do that may be to isolate the device — and any computer that must communicate with it — behind a firewall. Don’t assume it’s innocuous just because it’s an appliance or a TV.
This incident is likely a harbinger of things to come as more types of devices and appliances make their way onto the Internet. Do not assume these devices are secure. Take the time up front to work with the vendor to address security, so the device can operate safely on the campus network and not end up like the hacked TV — powered off, unplugged from the network, and out of commission until the vendor can completely reinstall everything, fix the vulnerabilities, and implement regular security patching.