Jim Salter* says Samsung’s recent advice for users to virus-scan their televisions raises a lot more questions than the company was prepared to answer.
Photo: James McKinven
Last week on Twitter, Samsung’s US support team reminded everyone to regularly — and manually — virus-scan their televisions.
Samsung’s team followed this up with a short video showing someone in a conference room going 16 button-presses deep into the system menu of a Samsung QLED TV to activate the television’s built-in virus-scan, which is apparently “McAfee Security for TV”.
Unsurprisingly, Samsung got immediate pushback on these tweets and almost as immediately deleted them.
This may raise some questions about Samsung’s practices and what we as consumers should be expecting of modern devices.
The fact that Samsung’s malware scanner is McAfee (and that McAfee’s only customer for the service is apparently Samsung) raises questions about the real value and intent of the service: is Samsung paying McAfee for what has to be a pretty trivial application, or is McAfee paying Samsung for brand promotion?
But even if we skip the brand-related cynicism and take the concept at face value, we are left with a few questions.
Ars Technica reached out to Samsung with the questions below, but the below statement the company provided didn’t answer them.
The following statement is attributed to Samsung: “Samsung takes security very seriously and our products and services are designed with security in mind.”
“We recently shared information about one of the preventative security features on our Smart TVs, in order to show consumers proactive steps they can take on their device.”
“We want to clarify that this was simply a way to educate consumers about one of the features included in our products and was only posted because we believed that consumers would find it informative.”
Is there a real danger?
Does Samsung believe there’s a real danger of malware infection on its smart TVs?
Obviously, any computing device with random-access storage can run malicious code.
When it comes to consumer devices with almost no access to attack surfaces, though, the question becomes one of vector.
It seems extremely unlikely that Samsung is worried about some neighbourhood black hat wandering into your living room and rooting your TV by pressing buttons on the remote — but the TV does have a Samsung App Store, which hosts third-party apps.
The store is hosted by Samsung, however, and appears to contain fewer than 100 total apps.
Thoroughly vetting these applications prior to publishing them doesn’t seem like an unmanageable load for Samsung to bear … and if a malicious app does sneak past, can Samsung not simply revoke the app from the back end?
Shouldn’t it be automatic?
If anti-virus scanning your TV is necessary, shouldn’t it be automatic?
If you do a vanilla Windows 10 install from an ISO, Windows Defender is installed, enabled, and has regular and automatic updates and scans scheduled by default — with no consumer interaction required.
If the consumer decides to replace Defender with a third-party app such as McAfee, Symantec, or Malwarebytes, those apps will also automatically schedule regular scans and updates.
Expecting most consumers to regularly schedule and faithfully execute system administration tasks is out of the question even when it comes to their PCs; even more so for their televisions.
Was whoever was operating the Samsung Support USA twitter confused, as they simply didn’t realise the service already runs automatically?
Or were they correct, and it really doesn’t happen unless a determined user beep-beep-beeps 16-plus times with the remote once every couple of weeks?
If it’s not automatically scheduled, consumers may ask “why not?”.
Is there a concern over performance problems, or does Samsung just not see any actual value in a service that might only exist for branding purposes?
How long does malware stay in Samsung’s store?
How long does Samsung expect smart TV malware to stay on its store?
There’s a dirty secret about anti-virus scanning: it almost never stops zero-day problems.
Heuristics engines aren’t very effective, and the vast majority of “true positives” are signature-based detection of known malware.
The real purpose of anti-virus isn’t to block fresh malware, it’s to limit the viability window of new malware.
In an ecosystem with presumably only one vector for malware distribution — Samsung’s own App Store — there shouldn’t be any ageing malware floating around, being reused by not-particularly-talented script kiddies incapable of writing their own; the only threats possible ought to be fresh threats in the first place.
This leaves us wondering why Samsung not only feels the need to run an internal malware scanner, but also needed to contract one from a third party rather than (continuing to) run its own.
A modest counter-proposal
The best way to keep your big, expensive smart TV safe is never to allow it access to your network in the first place.
The consumer electronics space is packed chock-full with inexpensive, high-quality streaming devices that typically have better interfaces and more options than most smart televisions anyway.
Roku and Amazon 4K-streaming players both start at less than $50; in the unlikely event one of those becomes compromised, “recycle the bad one and buy a new one, probably from a competing brand” seems like a perfectly reasonable response.
* Jim Salter is an author, podcaster and coder. He tweets at @jrssnet.
This article first appeared at arstechnica.com.
