NEWS
Smart TVs have earned their name through the functionality they offer: they can browse the web, stream video content, sync with other devices, play games, and even let you hang out and chat on social media sites. But when it comes to security, the “smart” description is probably stretching things a little. “Stupid” might be a better word.
Why do I say this? Simply because the security on most smart TVs is non-existent, as one German researcher demonstrated recently.
In a recent blog post, Professor Martin Herfurt demonstrates a number of easy remote attacks that can be performed on Samsung Hybrid Broadcast Broadband TVs, or HbbTVs, including fake analytics, fake news tickers, Wi-Fi eavesdropping, content redirection, Bitcoin mining and others.
To begin with, Herfurt credited the researchers at Darmstadt University of Technology, who demonstrated how hackers could snoop on people’s viewing habits through a vulnerability in MAC addresses and packet lengths found within a TV’s Wi-Fi stream. Herfurt’s own research builds on this work, demonstrating a number of ways in which he can redirect the content victims are watching, based on vulnerabilities in the Samsung TV’s embedded web browser. Samsung’s main problem is that its browser is compatible with WebKit 1.1 and JavaScript, both of which are notorious for being repeatedly exploited by hackers.
Herfurt states that these weaknesses mean that it’s almost trivial for a determined attacker to hack someone’s Samsung TV. One possible attack involves injecting a different URL into the TV’s stream, or else redirecting the TV to the hacker’s own content through a DNS attack. Herfurt also notes that most HbbTVs do not use SSL encryption, which makes it easy for attackers to spoof the content the victim is watching.
Of course, redirecting someone’s content is mischievous rather than malicious, but the vulnerabilities could easily be exploited by someone with more ruthless intentions.
“If hackers can redirect the TV’s HTTP requests to a controlled source, there are many possible HTML or JavaScript attacks that they could carry out,” writes Herfurt.
One of the more malicious acts could be for hackers to ‘hijack’ your smart TV and use it in a Bitcoin mining botnet, working alongside other hacked TVs and computers to unravel complex algorithms and generate the cryptocurrency, before trading it in for cash. Herfurt’s colleague demonstrated this by inserting BitcoinPlus software into a compromised TV, though we’d hazard a guess that you’d need to take control of a fair few TVs in order to make Bitcoin mining profitable.
Herfurt concludes that most TV manufacturers seem to lack the IT security know-how to properly protect their users, and says that they will need to learn from other industries if they are going to do so. In particular, he suggests that manufacturers work harder to make their browsers more secure, ideally by allowing users the chance to configure them.