Isolating a smart TV on your LAN

Note: this was contributed by a friend of mine; I have no smart TVs, so I never ran into this.

The mobile YouTube app on a “smart” phone and a “smart” TV can FIND each other if they share a LAN segment. In my configuration, I have a WiFi access point built into my internet router. I placed my fancy new “smart” TV on the LAN side of the router. Updated firmware, verified that the channel guide works, and all the other neat nifty junk you really just HAVE to have in your television. Later on, I activated the youtube app on my mobile phone near the TV. Imagine my surprise when the TV cut away from the program I had on & activated the youtube app built into the TV! I suppose this is a great feature if you like that kind of stuff, but ummmm…. not my cup-o-tea.

A bit of research with our search-buddy duckduckgo showed that this “feature” is so you can intentionally tie your phone to your tv, then use the phone to watch youtube on your tv. It works because the phone and the tv are on the same LAN segment. Said another way, there are two prerequisites to this happening:

  1. your phone needs to be on WiFi on the same network as the TV,
  2. the access point / wifi router needs to not have client isolation enabled (If I am correct, most consumer wifi will not provide client isolation).

Anyway … I definitely wanted to turn this misfeature off. I tried disabling the (rather well buried) youtube screencast option in the TV to no effect. Then I spent a while looking for what protocols were in use, unfortunately also without a satisfactory level of success.

Being a fan of managed switches, I figured I could client-isolate the TV at the switch port it uses. Perhaps the recipe below will be of use to some of you who would also like to shut this down.

I'm using a ProCurve 2530-8G (J9774A). For the sake of this example, the TV is at IP address 192.168.1.11 and is connected to the switch on port 2. Using the following commands, we can allow the TV access to the router and nothing else on the subnet, and we'll also block multicast traffic on that port (the ACL is applied inbound on port 2, so it filters what the TV sends). The subnet block prevents the phone from actually talking to the TV, since the TV's replies never leave the port, and the multicast block prevents the phone from even knowing the TV is there.

ip access-list extended "SandboxTheTV"
  10 permit ip 192.168.1.11 0.0.0.0 192.168.1.1 0.0.0.0
  20 deny ip 192.168.1.11 0.0.0.0 192.168.1.1 0.0.0.255
  30 deny ip 224.0.0.0 15.255.255.255 0.0.0.0 255.255.255.255
  40 deny ip 0.0.0.0 255.255.255.255 224.0.0.0 15.255.255.255
  50 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
int 2 ip access-group "SandboxTheTV" in

On another note, enabling client isolation on your WiFi should also disable this misfeature.

other/iotsecurity/smarttv.txt · Last modified: 2018/09/17 19:15 by 127.0.0.1