Samsung was lambasted and mocked in the press and on social media yesterday, after the company tweeted a reminder to owners of its smart TVs to periodically run virus scans on their panels – along with a video demonstration of how to go about it.
Let’s point and laugh at Samsung for a bit:
For anyone that didn't see it, I happen to have sent the tweet on Discord, it looks a little something like this: pic.twitter.com/IpYQ430sDM
— Nicuri (@Nicuriq) June 18, 2019
If Samsung are recommending we manually dig deep into the menus to run a virus scan every few weeks, why don’t they also have us “defrag the disk” as well?
What are they making? Retro TVs?
Any self-respecting malware creator would make the scanner actually launch the attack! https://t.co/ZR6ZloWVNQ
— Greg Price (@ObscureBug) June 17, 2019
Now we’ve got that out of the way, let’s talk about where Samsung went wrong. To be fair, the company is right to take security seriously. But its implementation of its solution presents a poor user experience, to the point that it sounds absurd.
Over the past several decades, no one’s ever had to run a virus scan on their TV set. And we’re now calling these internet-connected TVs – which come with a host of features designed to enhance your viewing experience and deliver a wide range of content – ‘smart.’ But Samsung’s smart QLED TV line – which features models priced as high as $15,000 – can’t run its own virus scan. Sounds dumb to me.
As my colleague Matthew Hughes noted, when it comes to the Internet of Things, it’s really hard to give an example of something that, at some point, hasn’t been completely and utterly hacked. So it’s good to know that Samsung prioritizes security. Over the past four years, it’s detailed its extensive measures for protecting your smart TV. I imagine that’s more than can be said for many other brands.
That said, the onus of keeping viruses at bay shouldn’t be on TV owners. Javvad Malik, a security awareness advocate at KnowBe4 (a security awareness training platform), explains:
The main issue of contention here is the way in which the anti-virus capabilities have been implemented. Putting the responsibility on the consumer to run AV on their TV is not a good strategy. Rather, there should be scans or integrity checks built into the device so that it operates as desired.
This is bad for a number of reasons. Just think about the process: you have to remember to scan your TV for viruses, hunt through on-screen menus to find the scan feature, and ultimately delay your imminent Chernobyl binge with a frustrating and unwanted side quest.
Imagine having to remember to do this every few weeks:
Sadly, we’re not done yet. Think about what happens if there is a virus. Are you supposed to sit there and figure out the next steps? Malik expands on how this could be difficult and cumbersome:
If the anti-virus on a TV detects a suspected malicious file, what should it do? Does it automatically quarantine / delete it? Or should it ask the user (who in many cases won’t know the right answer)? If it is a false positive, then it could end up deleting a file needed for legitimate functioning of the TV or certain apps.
This is why building in security from the design phase is so important, so that the right controls can be architected in from the beginning to provide robust security controls that don’t impede on the user experience.
Beyond baking security into the product from the start, I believe it’s important to automate processes like virus scanning. That way, human interaction isn’t necessary, and there’s no opportunity to blame owners for problems that arise as a result of poor security measures. That sounds more like the sort of smarts I want my TV to have. Until manufacturers figure this out, I’ll be fine with my dumb do-nothing set, thanks.