Toengels Philips Blog

Dear Philips… or how to communicate a security issue with your TV firmware (Update 2)


Dear Philips,

In the last days you were in the press as often as when you announce new TV models. But this time it was about a security issue in the Miracast functionality of your 2013 high-end TV models (6xx8 – 9708). However, only the press is talking about this serious issue. From your side, no word at all. As in January with your SmartTV maintenance issue, it seems that you don’t know how to communicate with your customers.

So, what’s exactly the security issue with Miracast?
In short: the aforementioned TV series did not check who is connecting to the TVs via the Miracast functionality. So one is able to establish a direct connection to these TVs without letting the owners know. A hacker can then access a connected USB device (such as a USB stick or USB HDD) and the data stored on it. Furthermore, it is possible to steal browser cookies.

So, what did you do?
Nothing… from the customer’s point of view.

What should you do?
From my point of view, such a serious security issue needs to be communicated:

  1. Let the customers know that there is an issue
  2. Let the customers know how they can temporarily secure the TVs (in this case: a tutorial to disable Miracast)
  3. Provide an update as soon as possible
  4. Communicate that there is an update available which fixes this issue

Nowadays, security issues are found almost every day (e.g. in internet routers). And companies have learnt that communication with their customers has top priority. If this doesn’t happen, you will always be remembered as the ones who did not inform people when something was not okay. Security by obscurity is not state of the art.

And this is not the first time this year that you have had a security issue with your SmartTVs. At the end of January 2014, the German IT magazine c’t tested the privacy of current SmartTVs. Your top model from last year, the 65PFL9708 (Ultra HD), was one of them. The magazine found out that your TVs don’t check whether SSL certificates come from a trusted CA. However, they wrote that you were informed and that you will provide an update on this. So people/customers who read this article have been waiting for an update on this issue. And what are customers waiting for? Right, a message from you that this has been fixed. Since this didn’t happen, they took a look at the firmware changelog. But the following firmware update (in this case 173.46) does not indicate anything regarding this issue in the changelog.

Questions: Is this still open or already fixed? And since the firmware is the same for all TV models from 6xx8 to 9708, a huge number of TVs have this problem. Furthermore, if this SSL issue is based on the integrated web browser: is this issue also present in the 2012 high-end series (Fusion R1)? Or even in TV550-based TVs (since 2010)? These questions won’t arise if you communicate in the right way with your customers (which TV series, which affected firmware versions)!

The same holds for the Miracast issue. You just released an update for the affected TVs. Customers could expect that this update will fix the security hole. But the changelog does not state anything regarding this (well, in this case the firmware was compiled before the issue hit the public).

So how could you communicate such issues? From my point of view you have at least two options: use your forums or use your SmartTVs. You can create a “Bulletin Forum” to post messages regarding such issues (like Microsoft’s security bulletins). Your forums are a direct line of communication with your customers! Or just use your SmartTVs by sending a pop-up via IP-EPG or SmartTV – it’s all web based. That means it’s easy to implement such a thing. A warning message could contain a simple description of how to deactivate Miracast temporarily. And don’t forget to make such a message multilingual – not all customers can read English! Maybe it’s even possible to send a “Miracast switch off” via IP-Push.

Changelogs…
Speaking of changelogs: from my point of view, it was really funny of you to release an update on 1st April (April Fool’s Day) where the changelog states “Improvements for reboots”. What kind of English is that? You improved the reboots? Do the TVs now reboot in a better way than with previous firmwares? Do we now have even more reboots? You should consider investing more than one minute in a changelog. Especially when you need over two months to release an update with one improvement. If you also fix some minor issues, just state them! Even “Fixed some minor issues” is worth putting into a changelog.

Final words…
Well, I hope you might consider some of my ideas… there is always room for improvement! So, please start to communicate…

Toengel@Alex

Follow me on Twitter (@PhilipsToengel)

Update 1 (3.4.2014):

A fix for the Miracast issue is included in firmware update version 173.49

Update 2 (4.4.2014):

A statement about the availability of the new firmware including the fix for the Miracast issue has been made.
