
Improving Smart TV Security with Simpler and Stronger Authentication

11/12/2014

Smart TVs already enable users to connect to a wide variety of Internet services such as Facebook, Twitter, Skype, Netflix, Hulu, and YouTube. All of these services require the entry of passwords or other credentials to authenticate user access to the app from the smart TV device, and the use of these services may involve the transmission, storage, or sharing of personal or private information.

Of course, this means that protecting logins and user access to these services is critical for data security, but traditional authentication methods pose a significant burden on smart TV users and provide an ideal opportunity for attackers to compromise accounts and steal sensitive data.


The Problems with Password Authentication through Smart TVs

When authenticating their access to an Internet service on their smart TV, users are often left with the difficult task of entering a secure password through their remote control and a virtual keyboard on their TV screen.

A truly strong password is typically complex and should include a combination of upper and lower case alphabetical letters and special characters or symbols. Some services even enforce minimum password lengths and character requirements to maximize security.

However, this imposes difficulties on the user, and anyone who has ever tried to enter complex passwords through a virtual keyboard, even on a mobile device like a smartphone or tablet, has likely experienced the frustration and annoyance that this can cause. Using a smart TV remote control to enter the same credentials is even more difficult.

More importantly, the use of passwords and other credentials potentially creates new opportunities for attackers to steal sensitive data and information if they can compromise user accounts or capitalize on smart TV security vulnerabilities to deploy malware.

In an interview with The Telegraph of London, Eugene Kaspersky, founder of anti-malware company Kaspersky Lab, said, “The threats will diversify to mobile phones and to the home environment, such as through televisions, which are now connected to the internet. It’s just a question of time.”

Attackers have already succeeded in rendering passwords obsolete for security purposes, and their success in bypassing traditional authentication to compromise web-based services, such as online banking, and point-of-sale payment systems, like those used by Target, is an indication of the data security threats that will confront smart TV owners in the future.


Growing Adoption of Smart TVs Points to New Security Threats

With the rapidly growing popularity of smart TVs, the potential data security risks are becoming increasingly apparent.

Smart TVs continue to be one of the biggest technology trends, particularly in the U.S. market. According to research firm Parks Associates, smart TV adoption increased 31% in just one year, and over one-third of U.S. broadband-equipped households now have one of these devices.

The firm also estimates that over 70% of smart TVs are connected to the Internet, and as security researchers continue to uncover security vulnerabilities and weaknesses that leave the devices open to cyberattacks, it is clear that the privacy and data of smart TV owners are potentially at risk.

Earlier this year, in a response to an email from a reader, Rick Maybury, a UK tech security journalist, summarized some of the security flaws in smart TV operating software and hardware, and he provided advice on how users can avoid them.

“There have been several well-publicised proof of concept demonstrations that have allowed ‘white hat’ hackers (i.e. the good guys) to gain access to various parts of some TVs’ operating software, including configuration menus, firmware, attached USB drives and most worryingly, secure storage,” Maybury wrote.

But he also pointed out that, for now, there may not be enough devices in use or any easy ways for hackers to infect and attack smart TVs.

“At the moment, though,” Maybury wrote, “the threat is very low and you can easily avoid it becoming a problem simply by not using your Smart TV’s Internet connection for anything that involves personal or private information, banking and on-line transactions or any secure site that requires PINs or passwords for access.”

Unfortunately, though it may be well-intended, this advice is impractical and unrealistic. It runs counter to one of the core purposes of smart TVs, which is to allow users to connect with Internet-based services while they are watching content or as an alternative to using their smartphone, tablet device, or personal computer. And it ignores the reality that millions of smart TVs are already connected to the Internet and likely being used to enter, transmit, and store sensitive data.


Smart TV Security Begins with Secure Authentication

The more realistic and practical solution to improve smart TV security is to bolster authentication technology and cryptography rather than expect users to avoid using their devices to access popular Internet applications.

According to Falk Goossens, CTO of SecSign Technologies, it all begins with simpler and more secure authentication for smart TV apps.

“There are authentication technologies that already exist and that can be easily integrated with smart TVs, websites, and applications to eliminate data security risks and the burden of password entry,” Goossens says.

“By using mobile push technology and public key cryptography, developers can provide simple and highly secure logins for smart TV apps that provide two-factor authentication without using passwords and without ever transmitting or storing any sensitive credentials.”


Integrating Public Key Infrastructure for Secure Smart TV Logins

SecSign Technologies is a data security and cryptography company and a U.S. subsidiary of SecCommerce Informationssysteme GmbH, a German security firm that has spent over 16 years pioneering and developing public key infrastructure and electronic signature solutions for companies like IBM, Siemens, Johnson & Johnson, Fujitsu, T-Systems, BMW, and Audi.

The newest product from SecSign’s security engineers is SecSign ID, a solution for two-factor authentication using public key infrastructure (PKI).

“Our technology replaces traditional, password-based logins with vastly better and more convenient security,” says Goossens. “Our solution uses encrypted, asymmetric software keys and mobile push technology that allows users to quickly authenticate access to secured services without entering sensitive credentials or data through a website or app login.”

The encrypted software keys are generated using algorithms that are mathematically impossible to compromise with any known or anticipated technology.

The first software key is a public key that is stored on the authentication server and invoked when the user enters a non-confidential user ID through the secured service’s login process.

This generates an authentication request, and a mobile push notification is sent to the user through a free mobile app on the user’s mobile device. The app also contains the second key, which is a 2048-bit encrypted private key that is used to digitally sign the authentication request. The private key is stored on the device with a patented SafeKey mechanism, which protects the key against brute force attack, even if the device is lost or stolen.

Users can verify their identity by entering a simple 4-digit PIN or passcode or by scanning their fingerprint, all within the SecSign ID app on their smartphone or tablet. Users also have the option to combine the PIN or passcode with their fingerprint biometric to create an additional layer of login security.

Once this verification step is complete, the private key is able to digitally sign the authentication request, and the user is shown a set of four symbols in the mobile app. The user must tap the symbol that matches an image shown on the secured service’s login interface, and this provides the final verification of identity and allows the authentication server to grant access.
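
The login flow described above can be modelled as a challenge-response exchange in which only a public key sits on the server and only a signature crosses the network. This is an added example, not SecSign's code: RSA-PSS with SHA-256, the session identifier, the symbol names, and signing the tapped symbol together with the challenge are assumptions, since the page gives only the key size and the order of the steps.

```javascript
const crypto = require('crypto');

const SYMBOLS = ['star', 'key', 'cloud', 'leaf']; // constructed symbol set
const PSS = crypto.constants.RSA_PKCS1_PSS_PADDING; // assumed padding scheme

class AuthServer {
  constructor() {
    this.pubKeys = new Map(); // userId -> public key; no secret is stored
    this.pending = new Map(); // sessionId -> { userId, challenge, symbol }
  }

  enroll(userId, publicKey) { this.pubKeys.set(userId, publicKey); }

  // User ID entered on the TV: `tv` is rendered on screen, `push` goes to the phone.
  begin(userId) {
    const sessionId = crypto.randomBytes(16).toString('hex');
    const challenge = crypto.randomBytes(32);
    const symbol = SYMBOLS[crypto.randomInt(SYMBOLS.length)];
    this.pending.set(sessionId, { userId, challenge, symbol });
    return { tv: { sessionId, symbol }, push: { sessionId, challenge, options: SYMBOLS } };
  }

  // Accept only a valid signature over challenge || tapped symbol, once per session.
  finish(sessionId, tapped, signature) {
    const session = this.pending.get(sessionId);
    this.pending.delete(sessionId); // burn the challenge, pass or fail
    const key = session && this.pubKeys.get(session.userId);
    if (!key || tapped !== session.symbol) return false;
    const msg = Buffer.concat([session.challenge, Buffer.from(tapped)]);
    return crypto.verify('sha256', msg, { key, padding: PSS }, signature);
  }
}

// Phone side, after the local PIN or fingerprint check (not modelled here).
function deviceSign(privateKey, challenge, tapped) {
  const msg = Buffer.concat([challenge, Buffer.from(tapped)]);
  return crypto.sign('sha256', msg, { key: privateKey, padding: PSS });
}

// 2048-bit key pair; the private half never leaves the device.
function newDeviceKey() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}
```

In this model, a push approved for a login the user did not start on their own screen completes only if the tapped symbol happens to match, and a captured signature is useless for any later session because each challenge is random and deleted on first use.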


Simplifying the Smart TV Login Process with Stronger Authentication

Despite its two-step authentication, the SecSign ID login process is quick, simple, and intuitive. Authentication can be completed in just a few seconds, and there is no need to memorize, remember, or enter long, complicated passwords. Using an option as simple as scanning a fingerprint with Apple’s Touch ID and then tapping an access symbol, a user can verify identity and gain access to a secured account.

This approach, using public key cryptography, not only meets industry-leading specifications for the future of data security, but it also has added usability benefits for smart TV owners. It removes all of the difficulties of entering passwords through a smart TV remote control and virtual keyboard.

Now, however, by removing passwords and replacing them with stronger yet simpler mobile authentication, SecSign ID can avoid the problems of entering credentials with remote controls and virtual keyboards, and it is poised to revolutionize smart TV security.


Expert Advice and Implementation for Smart TV Security

To learn more about two-factor authentication using public key infrastructure and advanced cryptography, visit the SecSign Technologies website for technical details, videos, consultation, and an opportunity to download the SecSign ID mobile app and test the secure login process for yourself.

SecSign Technologies is a sister company of SecCommerce Informationssysteme GmbH, a pioneer of cryptography solutions with more than 16 years of experience in developing public key infrastructure (PKI), electronic signature, and smartcard technologies. SecSign’s security experts and cryptography engineers have developed, deployed, and maintained systems that have successfully protected confidential business data and user access for numerous major corporations, including IBM, Siemens, Johnson & Johnson, Fujitsu, T-Systems, BMW, and Audi.

