> The root cause is the TV generates random UUIDs for UPNP network discovery every few minutes. That means it poses as a new device. This caused windows to add it to the device list (Device Association Framework, aka DAF) as a new device. This means now 1000s of devices (which is the same device) filled the device tree causing it to enumerate forever. Thus the "deadlock".
Pretty sure Mac randomization is part of the ipv6 spec, and our Apple products have been doing it for years now. The tv can do whatever the heck it wants because if it’s not this thing malfunctioning it’ll be your toaster. Anything concerning networking needs to handle bs like this and not fall on its face. My question would be why are windows installs tracking every device on the network? Sure file server discovery, etc, but why’s it storing them long term, esp if it is overloaded with them, why would it not be setup to do LRU or otherwise purge records. Seems silly to store entries until you have a critical failure.
We aren’t talking about MAC randomisation (which itself would cause issues if it happened every few minutes) but UUID randomisation in UPnP. It’s a completely different protocol that sits in a completely different layer on OSI to the data link layer (where MAC addresses live).
UPnP is literally just a protocol that sits on top of HTTP.
I glossed over it being upnp. Ok, but the questions till remains why is windows tracking things to the point of deadlocks surely the folks at MS are aware that rouge misconfigured or malicious devices can exist on a computer network (they wrote the OS used by a majority of them after all), especially one which is doing upnp, the firewall hole poking protocol.
Caching is a pretty reasonable thing for software to do. Windows could have done a better job with cache invalidation (if it’s even doing any at all) but retaining a cache of available devices via UPnP is a perfectly reasonable expectation. For one thing, it massively speeds up device discovery. However having a device randomise their UUID isn’t a reasonable expectation.
This why I said in a different comment that both Windows and Hisense are at fault. Windows could have handled this kind of edge case much better but that doesn’t absolve Hisense TVs responsibility for behaving badly too.
As far as I understand it's not a cache (but I have not touched Windows for a long time and haven't developed UPnP devices yet).
It's more similar to how you have a list of all paired Bluetooth devicees, even if they are currently not connected. Or a list of networks configs for every network you connected to, even if it was a public one.
But there are 2 issues:
- it's automatically set by "external" local network "events" (which isn't the case for the things I mentioned above, as long as you don't automatically connect to public networks, never do so)
- it's not bound, which is in general not the best idea but in context of the 1st point is really really bad. I.e. it should have some bound related to it's resource cost and expected usage. (If I have to widely guess a bound of 250 or so would be over the top enough to accommodate all edge cases and not lead to issues, most users would be more then fine with idk. 25 or so). Through what to do if the count is exceeded needs some careful considerations, i.e. you would need to drop the "oldest unused entry" but for that you need to determine and propagate what "unused" means here.
To be fair I wouldn't be surprised if that isn't just a problem for Windows. Like e.g. I have heard multiple times people arguing that UPnP shouldn't be enabled (by Windows/Linux/Mac) as it wasn't designed for a modern security context where you can't just trust your local network a lot.
I get it’s cool to be critical of FAANG and point out their obvious (from hindsight) mistakes but the fact is engineer teams are a finite resource and this bug is an edge case from a misbehaving service on a trusted network (UPnP wouldn’t work like this on a “public network”, by Windows definition).
We’ve all, yourself included, made plenty worse fuck ups in our career. So let’s show a modicum of pragmatism here please.
What we should be more critical of is how this gets reported and handled by Microsoft and Hisense. Do they choose to ignore this bug / close it as “Won’t fix” (working as intended)? Or is this something that will be patched in a relatively recent software update?
Right I wasn’t saying don’t cache network topology, IO is slow, cache it. That’s why I wondered why they didn’t have LRU or some other eviction policy to deal with a full cache, stale entries, etc.
I’m not defending Microsoft here, but in fairness, we are talking about 1000s of entries when normal use might only see a few dozen over several years of Windows usage even under extreme circumstances. So I can see why cache invalidation probably wasn’t at the forefront of their mind.
However, as this incident demonstrates, there’s always an edge case that breaks things.
This is 100% unacceptable behavior of windows. You hmare looking at it from the wrong angle. This isn't a case of "Windows is broken because it crashes when the user does something and the work around is, 'dont do that's"
The correct way to look at this is that the OP has discovered a significant flaw in the windows network stack. The correct description is:
"A flaw in windows PnP discovery allows a denial of service attack against the windows networking stack. Windows PnP service track and caches the UUID and Mac address of all entities that appear in the local network and fails to purge old or outdated services until it deadlocks"
> This is 100% unacceptable behavior of windows. You hmare looking at it from the wrong angle. This isn't a case of "Windows is broken because it crashes when the user does something and the work around is, 'dont do that's"
That isn’t remotely what I said though.
My point was: It’s both vendors fault.
If youd bothered to spend even 30 seconds longer to properly read my comment instead of knee jerk reacting to anything that’s even remotely sympathetic to evil Microsoft then you’d realise that I’m not letting MS off the hook for this. I’m just saying there’s enough blame to go round on this particular fault.
I don’t disagree with you per se but software development is error prone and we are talking about traffic from trusted networks (if you’re on a “public network” — to use Wi does terminology — then UPnP behaves very differently).
My point is: it’s very easy to post on message boards like this about what best practices should be when reviewing fuck ups from other companies. While at the same time ignoring the fact that we fuck up plenty of times ourselves too. In an ideal world software engineering would be held to the same rigour as other forms of engineering. But when software fails people don’t (usually) die. So what happens is developers end up getting overworked, given unrealistic deadlines and have to fix problems with software updates. those kind of scenarios will breed bugs like the aforementioned. So yes, you’re technically correct — but only in a universe that doesn’t have our current tech culture.
This is why I’m a little more pragmatic about my criticism.
MS shouldn't have anything "unbound" which can increase due to external events, even if it's limited to the same local network (but MS (and probably not just them) has also a long history with security issues on local network exposed interfaces).
At the same time regenerating a new UUID for UPnP every few minutes is buggy to a point it can be seen as a DOS attack. So ... also not okay. (It also doesn't add any relevant degree of privacy to "very frequently regenerate UPnP ids for devices always there in the same fixed local network AFIK.)
I didn’t say “OSI protocol”. In fact is there even such thing as an “OSI protocol”? There are OSI layers. Those layers will have protocols and other such standards attached. Of which MAC addresses are a standard which sits inside a sub-layer of the datalink layer. And UPnP is a protocol that utilises HTTP, which itself resides in the application layer of OSI. But I don’t recall ever hearing the term “OSI protocol” before. However I’m also not a networking specialist.
That's a very uncharitable way to phrase that. It's not like Apple was lying or doing this on purpose. It was clearly a bug, a bug that was not wide known for 3+ years. It's not as if it was some open secret that everyone was taking advantage of. I'm not saying no one knew or that no one took advantage of it but I'd imagine the average consumer was complete unaffected by this bug.
I agree with you that it was probably unintentional, and an embarrassing failure, though not malicious. I mostly like Apple products and am tolerant of their business model and practices. But I was struck by your phrasing to wonder whether we really owe charitable interpretations to companies. I do think most people employed anywhere are probably well intentioned, and maybe we owe them something. But companies are almost algorithms that run on a substrate of people.
MAC randomization prevents the local network from trivially tracking you based on access point logs. Of course, if your device runs software that broadcasts some unique identifier, the network may deploy some collector service to query/capture these but that's already extra effort. On iOS I don't believe apps can run a persistent network server in the background, so background tracking would actually be quite tricky even if you had a cooperating app.
Fingerprinting is absolutely an issue for device-based trackers (whether apps or websites), but from the perspective of a passive network observer they're usually quite airtight and don't leak the collected data over insecure channels.
Not just access point logs, this isn’t WiFi specific. It’s to make packet inspection harder to link to a device. But, if I run say an airport network and control dns for dhcp I can track your dns requests (non encrypted dns) and interface info across MAC addresses and maybe even tag packets somehow. Also, if every device that connects is routed through a dedicated vlan only containing that device, it can randomize itself all it wants, it’s on a network by itself so it can’t “hide in the crowd”. Those are just things off the top of my head and am not a network person. I’m sure it’s not preventing the motivated from tracking you if they want to.
I don't disagree that a motivated attacker can set up advanced infrastructure to collect network-related fingerprints, but this requires active effort. MAC address randomization is designed to at least prevent multiple unconnected networks from trivially tracking a user by making up a per-SSID MAC address.
Ideally, Apple would randomize MACs within the same SSID too, but this would break a lot of "free wifi for X time, then pay up" schemes that rely on consistent MAC addresses, and despite the appearances Apple is still very much in bed with the establishment and doesn't want to rock the boat too much by giving that much control to the users.
in general devices from time to time pretending to be a new device can be preferred as a form of privacy protection
E.g. with IPv6 we have enough addresses to give every device in the world today and for decades to come unique addresses and using devices MAC you can reliably generate them collision free. So you don't need NAT so routers can well only route instead of routing and proxying IP Address/Port. Problem is that leaks a lot of private information. So a schema was added which while upholding the properties allows "randomizing" (and changing over time) addresses.
But coming back to the smart TV I don't think this is the case here as it changes the address _far_ to often and it's a UPnP i.e. local network only Id. Furthermore UPnP also advertises devices descriptions so de-anonymizing randomly changed IPs is more then trivial.
My guess is the UPnP software module is started anew every few minutes and generates a new uuid every time. This might be due to it not persisting the uuid. Weather that is because they just didn't bother implementing persistent device ids or weather it regenerates it after every time it crashes and it crashes every few minutes I can't say. But it looks a huge lot like a software bug.
What also is a 100% a but is that this external device misbehavior can mess up Windows (through I wouldn't be surprised if it isn't just Windows which has problems with that).
It means that there is a resource controlled by external events which isn't "bound" which from a security POV is always a terrible idea, even if it might at most cause a DOS attack (not just because DOS is bad but also because it's not rare that people find ways to use DOS attacks alongside other found attack vectors to more reliably succeed).
Yes. If you built a UPNP spammer, it could effectively create a persistent DOS. Considering how many corporate networks rely on UPNP for printers and the like, you could really make life hell for IT departments if you were to embed this in a malicious invoice.
My main TV is a Philips OLED TV, which has some weird Android derivative baked in, but I've never connected it up to anything other than a HDMI cable, so it can't phone home and it can't trash my local WiFi network with these sort of shenanigans.
Most "smart" devices are utter garbage. I found a seller of non-smart TVs, which manufacture here in the UK, which made me particularly interested - Cello: https://celloelectronics.com/model/televisions/ (you can filter for non-smart TVs).
The problem? The picture quality and sound of the one I got (TBF, the cheapest medium-sized TV they sell) is not great. Fine for a spare bedroom for occasional use so a guest can watch something short, or in an office where I might want the news on, fine. But I couldn't watch a film on it, and it's nowhere near the level of my main TV.
Given that no smart TV manufacturer is ever going to get a single byte of data from me they can sell, I guess the joke is on them? I wish I didn't have to do this dance though: give me a smart TV where I can get the apps I choose, but the manufacturer is not ramming it full of spyware... that would be amazing.
> but I've never connected it up to anything other than a HDMI cable, so it can't phone home
Good news! HDMI supports Ethernet backhaul, which isn't widely used, but in theory your TV could access the internet through the HDMI source you have plugged into it.
Assuming the source is cooperating. The source would need to act as either an Ethernet switch (if itself connected to Ethernet, or a WDS/4addr-enabled Wi-Fi network), or act as a NAT & DHCP server. That's quite a lot of complexity.
In practice, I've never seen it used even for point-to-point links, let alone this kind of bridging/routing/NATing.
> never connected it up to anything other than a HDMI cable, so it can't phone home
Well, you're lucky that your equipment doesn't use the Ethernet channel in HDMI 1.4 then :) you can put a piece of Kapton tape over the HEC pin to make sure that doesn't happen.
If you do this, keep in mind that ARC (audio return channel) is an alternate configuration for the HEC pins. If the cable is going to a sound system, you cannot cover those pins (unless you have another audio-out cable, like TOSLINK, in which case you wouldn't connect to the sound system via HDMI to begin with).
Well, props for fixing the problem. But the problem is Windows, not the TV.
I wonder what to take of this. Use Linux? Or at least set your home network as "Public" instead of "Private" (clearly a workaround, not a solution, because then (s)he would need to enable RDP on Public networks.
I'd say that the TV is to blame: it's claiming to be tens of thousands of different TVs, and Windows is dutifully keeping track of them and their configurations. Sure, Windows should be able to handle more devices on the home network than could fit within your average warehouse, but an issue like that should only crop up if you actually, y'know, try to do that.
(Btw, your parentheses are unbalanced: https://xkcd.com/859/. And the author uses they/she pronouns (not ‘(s)he’): it says so at the top left of the page.)
TVs became a nightmare… is there really no market for pay 1000 more and get a non spyware, repairable tv? I know the answer. Same as with buying away ads. The greater fuckery makes more money even than the rich people plonking down money.
TV companies don't make $1k for the spyware, nowhere near that.
Vizio for exmaple in 2021 made 85% of its revenue from selling the TV, just 15% from the "platform". If the $400 TV was instead $470 they would make the same. These scam companies just see it as "free profit" on top of a captive audience.
PC manufacturers used to do this, with Microsoft's consent. Buy a laptop 20 years ago and you would get tons of shovelware from Dell which made them a few extra pennies. Nowadays I believe Microsoft themselves got into the game.
Companies aren't happy with making a product for $50 and selling it for $60 (or $200 or whatever), they have to make a little more by double-dipping. This is of course partly the consumer to blame -- they just look at the headline price. Buy the plane ticket for the lowest price on the middleman interface, but then it's $15 'check-in fee', $50 'landing-fee' etc, but that doesn't matter because look at the shiny advert for $9.99*
I think it's easier to just buy whatever TV you want but never connect it to the internet. Hook it up to a Chromecast or Apple TV or a Plex box or whatever and you're good.
I've done that with last 3-4 TVs and never had an issue. And the $50 dongle is much cheaper than paying $1000 more.
Once again, this whole idea rears its ugly head. There has never been a TV, let alone a device, that has included a cellular radio to maintain a connection so it can keep tracking you.
Never happened. It’s just a thing we know can happen, but doesn’t for myriad reasons like humans flying in drones.
Unfortunately a lot of modern TVs have bloated slow UIs, and want to default to showing their "home screen". This makes them much worse experiences for "just show HDMI input".
At a school I was doing IT support for, I had a Hisense TV suddenly refuse to work at all (couldn’t even select HDMI input) until I connected it to the internet and created an account.
There's digital signage displays (like the ones you find in airports, shops, practices, etc) but those are only sold to private entities, not direct to consumers, if you can score one of those on ebay, but you'll get no warranty obviously and energy consumption might be higher and missing fancy picture and processing modes.
Or just buy a normal TV and never connect it to the internet, what's so hard about that? Cheaper than paying more and getting less for a digital signage screen.
What's the pros of that signage TV versus any consumer TV? It's still a "smart TV" running Tizen OS from Samsung so high chances of similar software shittyness.
In Samsung's terminology, it is a business signage display. Note that this is considered a separate product category from "business TV".
The point of a sign is that it shows what you want it to show. Whether that's an advantage depends on whether that's what you're looking for. But every feature of the display is going to be oriented towards that goal.
Your comments elsewhere in this very thread seem to indicate that this product is exactly what you want, a display that won't show ads and, in the general case, isn't connected to the internet. What exactly are you imagining will happen to someone who uses one?
Mine, a 43" 4k AMVA3 from iiyama, shines with a comfortable 18/7 uptime rating.
Essentially that means I only have to turn it off when I'm sleeping to stay in the warranty. Also I can officially customize the splash screen it's bootloader throws up before it goes and switches to the last selected input and it's graphics settings.
Having gotten a 40" sibling that was sold as "desktop monitor" with otherwise identical panel (besides of course pixel pitch) spoiled me with it's "technically counts as HDR" native contrast from a burn-in resistant LCD, also suffering just barely perceptible loss of contrast with no significant color shift at all viewing angles that aren't already too extreme to comfortably read text due to distortion.
Sure, it's slow and thus not suited for competitive counter strike, code editing and SDR-mastered visual media look about as good as an LCD can.
They do though seem to not consider factory/nominal color calibration for the panel with the signal processor and a regular operating system on an attached PC something they want to offer on these, which is annoying because with 8 bit and the nominal 5000:1 static contrast mild banding isn't even unexpected. So it'd be preferable to just drop an ICC profile onto the computer that's valid for when the screen is set to native gamma and native white balance (I.e. dumb panel mode) and get to make full use of the panel without the excess expense of individually calibrating devices to do digital proofs ahead of actual production/view the material during actively ongoing color grading work. A decent color managed (but not individually calibrated) screen will suffice happily for most tasks, to the point where further calibration won't be perceptible in a double blind test with the screen isolated from reference light sources for most untrained eyes.
> There's billboard displays (like the ones you find in airports, shops, practices, etc) but those are only sold to private entities
Most of these are resold by niche small businesses but I don't see any incentive for them to reject a private individual buying it? In the UK I got mine from https://www.projectorpoint.co.uk/displays (no affiliation beyond being a satisfied customer) and after wiring them the money I got it next day.
I've had good experience with Sony professional displays (model number FW-65BZ35F) - they are reasonably priced and come with stock Android TV with very little bloatware. My understanding is that these Sony units are not billboard displays or optimized for high-brightness/24H runtime, they're what looks like standard consumer hardware just running a different firmware - the upside is that the price is actually competitive with consumer-grade TVs.
Digital signage displays are terrible at color reproduction, usually have no amenities for CEC or ARC, and did I say they’re terrible at color reproduction. Like the one thing a TV is for.
A lot of TVs only have wifi, no ethernet. Plus even if you plug it only once it's enough to phone home and download and cache some ads to show you later.
I've found that even once can be too much, since new firmware/software often include new ads and require telemetry.
If you're never gonna use the built in OS anyway, there's no reason to risk it. Most TV manufacturers are engaged in a brutal race to the bottom and they have to enshittify the software to make money.
I bought an LG 43” computer monitor (marketed for doing 2x2 PbP of 1080p video streams and small video conferencing rooms, I guess) and it feels infinitely better than any smart TV I’ve used. It was reasonably priced as well. If you want bigger than 43”, you may be stuffed, as I think all the largest monitors on the market are this big.
There are definitely dumb TVs out there. I picked up a Sceptre from Amazon. It's not fantastic, but the price was right, has inputs plenty and varied, and zero "smart" features.
It shouldn’t be creating a new UPnP UUID every few minutes. That’s clearly not good behaviour. However it does also highlight a denial of service in Windows.
> I tried to open the system settings, (start ms-settings: Access is denied." despite admin mode)
> I manually backed up everything important from my main PC drive (as I could not access the windows backup program because it lived in settings!!!!!!!!)
Son #3 hates that System Settings is restricted to ≤1 instance by design. Windows only unchanging feature is that it is impossible to work with 2 Settings Windows simultaneously.
Working with multiple windows was kind of the point of Windows in the first place.
MS doubles down on that problem by continually pruning-away legacy settings options. Their end game seems to be limiting all system option access to just one app - an app that can be downed by janky TV firmware.
As someone who hasn't used windows since Win7, I'm amazed people are blaming windows for this.
While all software is buggy to some extent, Hisense TV is probably maliciously changing their UUID so users cant block their telemetry, or their ads, etc.
If you use router level AdBlock -- that is, DNS filtering -- lots of ads and telemetry go away by themselves, and what UUID is used is irrelevant. Of course, most people don't do that, but still I don't see how changing the UUID helps prevent blocking telemetry/ads.
> Hisense TV is probably maliciously changing their UUID so users cant block their telemetry, or their ads, etc.
I'm not defending Hisense and I'm not saying that this can't be the intention but it's a good idea to keep Hanlon's razor in mind in situations like this.
> Hisense TV is probably maliciously changing their UUID so users cant block their telemetry
I'm not sure it will. If this was a scenario that caused DHCP to continually issue new IPs - this will likely cause operational issues. Two I can think of are DHCP exhaustion and routine loss of device connectivity.
Applying hanlons razor to this (as another comment has) this is likely some process that either a) fails to store or b) doesn't bother storing the UUID and thus generates a fresh new one every time it runs, which must be pretty often, and thus causes this.
There is no TV OS, that I know of, that does not suffer from one of these issues:
- Slow/laggy UI
- Ads on the home screen
- Sends a shit ton of telemetry home
This is why all of my TV are never connected to the internet and only serve as output for my Apple TV. Sadly, I gave up on the cheaper Android TV boxes, because they all have the same issues with crappy software and even started to show ads.
TVs with Google TV that you put into Basic mode (https://support.google.com/googletv/answer/10408998?hl=en ) fulfill most of that, though they're probably still sending some data back. I have my firewall set to block everything except the domain that handles the firmware updates.
The laggy UI is what irritates me the most. I do not have a smart TV, though I do have a cable box, and there is no excuse for an interface to lag in [current year], or even for anything in the past 20 years, which serves to merely display a list of program listings. It's frigging text! Built-in vehicle interfaces are also perennial offenders.
My 6 year old Philips Android tv gradually got super slow. At some point it had a problem and I had to reset it to factory settings and then I noticed how snappy everything was, like it was when new! Now I keep it disconnected from the internet and use a google tv chromecast instead. Works much much better!
First one being the problem with my Sony KDL-60W607B since day 1 (the youtube app is a pain in the butt), otherwise though it doesn't has too much sparkles and whistles it has been great this 10 years I've had it. I wish you could do something like swap whatever it has internally with the OS to switch it to a Pi or something like that - not something like a Chromecast or an external dongle that would require (1) another power socket, (2) another remote control and (3) switching back and forth between TV input and HDMI input.
1) try to use 2 or more usb ports in your tv to draw power
2) IR learning remote
Beware, amazon link. This is just an example, not a quality product
https://tinyurl.com/yks7kmxv
3) I dont have a non-smart solution to that
I have one of those tvs (kdl##w####) and yes, the youtube app is becoming unusable. I am quite sure someone might be telling us the party is over (that they want us to use a new tv)
Have used Windows PCs connected to my TVs since about 2006 .. so agree in principle. :-)
My pet pieve with my current Samsung QLed 4K 65" (2016) is just how sluggish changing input sources is - when wanting to go between the Xbox and the PC. Have never tried any of its other features, can't imagine they'd be anything other than horrible.
The display is a very nice monitor otherwise! Still very good colours. Windows with a Logitech media keyboard is awesome. Zwift, Spotify, Internet media all plays back very nicely.
Sour grapes from either their overbearing neck pain from staring at a 50 degree upward tilt to accommodate for their ugly fireplace mounting point, or from the seething hatred of being unable to fit it in their gaudy 400lb "entertainment center" wood furniture pieces that force them to compensate
I laugh every time I see a livingroom with all furniture focused toward a fireplace. It truly reminds me how holdovers from out-of-touch lifestyles two+ generations ago still dominate some norms of interior decoration. Larger screens are objectively better in every way if you have the space.
The TV industry is notorious for the telemetry generated by "smart" TVs.
Commercial "dumb" TV screens are available but are harder to find, and as I said, it's only recently that large computer LCDs (not TVs) have become available. But these are still not as large as recent gigantic smart TVs.
So when most people want a bigger screen, they see little choice but to accept telemetry. The more privacy-aware people take measures against it.
And the worst part is that the "dumb" TVs are expensive.
This is mostly because Roku/etc are subsidizing the cost of the device so far down the line that it becomes impossible to argue for the better ones, especially from companies like NEC/Sharp who make Damn Good displays for business.
It’s probably the same set of people that want us all to live in 400 sqft apartments and cannot fathom sitting more than four feet away from the screen.
Even the shittiest STB-grade CPU should be perfectly capable of doing what the user wants out of their TV which is draw basic menus for settings and otherwise display the signal unaltered (the signal path is all in hardware anyway, the CPU isn't involved).
The reason it's slow is because "growth & engagement" wants that slow CPU to be doing more ("suggestions" aka ads, telemetry, garbage overdesigned UI, etc) than actually necessary.
It's obviously bad that the TV is doing this, but the way Windows reacts to it is worse. Presumably any device on the LAN could trigger this exact same DoS failure mode (and much faster, if done deliberately). An annoyance on a home network, but could cause absolute mayhem in a corporate setting.
I was thinking the same thing. Lots of corporations rely on UPNP for printers and the like, so if you were to embed a UPNP spammer in a malicious invoice...
Why does anyone use a TV anymore? What does a "Smart TV" offer that you can't do better in a different way?
For years now, actually more than a decade, we just use a home-theater projector (Epson, fwiw). Audio goes into our stereo system. Set up a media center to feed the projector. If you still have cable (or equivalent), hook up the box from your cable company.
My apartment is a bit too bright for a projector, and I don't want to always watch stuff only in the dark with all the curtains drawn. I'm not ritualizing it. Sometimes I'll leave a podcast or old episodes of the Simpsons on while I cook (open concept living-room/kitchen).
I don't watch TV unless I'm with my wife, but when we do, we get stunningly accurate 4K HDR video at any time of day, faithful color reproduction because the panel is QD-OLED (I had to tune it a little beforehand; I still need to color calibrate it), and the ability to tilt the display based on where we're sitting.
You can get those with a projector, but you need space, a good panel to project against, and, most importantly, a REALLY GOOD projector (Epsons that can do this are $2k+, which is how much our TV was).
That said, a projector can't be beat for watching stuff outside (though, again, you need a really good projector to watch anything during the day)
> Why does anyone use a TV anymore? What does a "Smart TV" offer that you can't do better in a different way? For years now, actually more than a decade, we just use a home-theater projector
It's a bit of a squeeze for a smallish bedroom. Or an 1000 sqft home w/ 3+ kids, a single wide, a 5th wheel, a shotgun home. Ya know. Places people live.
The average TV costs $333. Put another way, the average consumer is spending $333 on their TV (I think that's a correct inference?). At that price you can get a pretty large 4K LCD panel supporting HDR.
I think you'd be hard pressed to find a competitor at that price point, and I'm guessing you spent significantly more than that on your setup. I'm sure that choice made sense for you, but you're not the average consumer.
Depending on your environment, a projector could very likely be more expensive but leads to worse experience than a half decent 4k TV. Most of people don't do what you are describing because they are spending their money well, not because they are stupid.
Why doesn't everyone have a room with perfect lighting, use special paint or buy a screen to project onto, buy external audio equipment, manage cables and mount the projector all for what is worse image quality than modern oleds. Gee guy, I really don't know. What a hot take you've got here.
I never got why one needed its TV to be online. The smart apps on TV are slow, have lousy UIs, and most likely badly implemented. A device like game console or AppleTV is much better alternative.
> The root cause is the TV generates random UUIDs for UPNP network discovery every few minutes. That means it poses as a new device. This caused windows to add it to the device list (Device Association Framework, aka DAF) as a new device. This means now 1000s of devices (which is the same device) filled the device tree causing it to enumerate forever. Thus the "deadlock".
> TaskManager uses DasHost to enumerate devices for some reason, so that hangs.
> Bluetooth relies on device discovery, so that also hangs, and Settings app along with it.
> Network discovery in file explorer obviously also needs Device discovery, so that also hangs.
looks like its a bug in windows where lots of new network display devices eventually corrupts the registry, and the TV gets a new identity on a regular basis - probably to protect the users identity.
Why is the TV pretending it’s a new device?
UPnP is literally just a protocol that sits on top of HTTP.
This why I said in a different comment that both Windows and Hisense are at fault. Windows could have handled this kind of edge case much better but that doesn’t absolve Hisense TVs responsibility for behaving badly too.
It's more similar to how you have a list of all paired Bluetooth devicees, even if they are currently not connected. Or a list of networks configs for every network you connected to, even if it was a public one.
But there are 2 issues:
- it's automatically set by "external" local network "events" (which isn't the case for the things I mentioned above, as long as you don't automatically connect to public networks, never do so)
- it's not bound, which is in general not the best idea but in context of the 1st point is really really bad. I.e. it should have some bound related to it's resource cost and expected usage. (If I have to widely guess a bound of 250 or so would be over the top enough to accommodate all edge cases and not lead to issues, most users would be more then fine with idk. 25 or so). Through what to do if the count is exceeded needs some careful considerations, i.e. you would need to drop the "oldest unused entry" but for that you need to determine and propagate what "unused" means here.
To be fair I wouldn't be surprised if that isn't just a problem for Windows. Like e.g. I have heard multiple times people arguing that UPnP shouldn't be enabled (by Windows/Linux/Mac) as it wasn't designed for a modern security context where you can't just trust your local network a lot.
Every software that saves something needs to have a way to deal with too many things being saved.
It's called testing software. Maybe Microsoft should try it.
We’ve all, yourself included, made plenty worse fuck ups in our career. So let’s show a modicum of pragmatism here please.
What we should be more critical of is how this gets reported and handled by Microsoft and Hisense. Do they choose to ignore this bug / close it as “Won’t fix” (working as intended)? Or is this something that will be patched in a relatively recent software update?
However, as this incident demonstrates, there’s always an edge case that breaks things.
The correct way to look at this is that the OP has discovered a significant flaw in the windows network stack. The correct description is:
"A flaw in windows PnP discovery allows a denial of service attack against the windows networking stack. Windows PnP service track and caches the UUID and Mac address of all entities that appear in the local network and fails to purge old or outdated services until it deadlocks"
That isn’t remotely what I said though.
My point was: It’s both vendors fault.
If youd bothered to spend even 30 seconds longer to properly read my comment instead of knee jerk reacting to anything that’s even remotely sympathetic to evil Microsoft then you’d realise that I’m not letting MS off the hook for this. I’m just saying there’s enough blame to go round on this particular fault.
This looks like a trivial low-packet-count DoS on every Windows machine on the network.
My point is: it’s very easy to post on message boards like this about what best practices should be when reviewing fuck ups from other companies. While at the same time ignoring the fact that we fuck up plenty of times ourselves too. In an ideal world software engineering would be held to the same rigour as other forms of engineering. But when software fails people don’t (usually) die. So what happens is developers end up getting overworked, given unrealistic deadlines and have to fix problems with software updates. those kind of scenarios will breed bugs like the aforementioned. So yes, you’re technically correct — but only in a universe that doesn’t have our current tech culture.
This is why I’m a little more pragmatic about my criticism.
MS shouldn't have anything "unbound" which can increase due to external events, even if it's limited to the same local network (but MS (and probably not just them) has also a long history with security issues on local network exposed interfaces).
At the same time regenerating a new UUID for UPnP every few minutes is buggy to a point it can be seen as a DOS attack. So ... also not okay. (It also doesn't add any relevant degree of privacy to "very frequently regenerate UPnP ids for devices always there in the same fixed local network AFIK.)
[0] https://arstechnica.com/security/2023/10/iphone-privacy-feat...
That's a very uncharitable way to phrase that. It's not like Apple was lying or doing this on purpose. It was clearly a bug, a bug that was not wide known for 3+ years. It's not as if it was some open secret that everyone was taking advantage of. I'm not saying no one knew or that no one took advantage of it but I'd imagine the average consumer was complete unaffected by this bug.
Fingerprinting is absolutely an issue for device-based trackers (whether apps or websites), but from the perspective of a passive network observer they're usually quite airtight and don't leak the collected data over insecure channels.
Ideally, Apple would randomize MACs within the same SSID too, but this would break a lot of "free wifi for X time, then pay up" schemes that rely on consistent MAC addresses, and despite the appearances Apple is still very much in bed with the establishment and doesn't want to rock the boat too much by giving that much control to the users.
E.g. with IPv6 we have enough addresses to give every device in the world today and for decades to come unique addresses and using devices MAC you can reliably generate them collision free. So you don't need NAT so routers can well only route instead of routing and proxying IP Address/Port. Problem is that leaks a lot of private information. So a schema was added which while upholding the properties allows "randomizing" (and changing over time) addresses.
But coming back to the smart TV I don't think this is the case here as it changes the address _far_ to often and it's a UPnP i.e. local network only Id. Furthermore UPnP also advertises devices descriptions so de-anonymizing randomly changed IPs is more then trivial.
My guess is the UPnP software module is started anew every few minutes and generates a new uuid every time. This might be due to it not persisting the uuid. Weather that is because they just didn't bother implementing persistent device ids or weather it regenerates it after every time it crashes and it crashes every few minutes I can't say. But it looks a huge lot like a software bug.
What also is a 100% a but is that this external device misbehavior can mess up Windows (through I wouldn't be surprised if it isn't just Windows which has problems with that).
It means that there is a resource controlled by external events which isn't "bound" which from a security POV is always a terrible idea, even if it might at most cause a DOS attack (not just because DOS is bad but also because it's not rare that people find ways to use DOS attacks alongside other found attack vectors to more reliably succeed).
I am no Windows fan, but this behaviour by the TV seems to be unreasonable.
Most "smart" devices are utter garbage. I found a seller of non-smart TVs, which manufacture here in the UK, which made me particularly interested - Cello: https://celloelectronics.com/model/televisions/ (you can filter for non-smart TVs).
The problem? The picture quality and sound of the one I got (TBF, the cheapest medium-sized TV they sell) is not great. Fine for a spare bedroom for occasional use so a guest can watch something short, or in an office where I might want the news on, fine. But I couldn't watch a film on it, and it's nowhere near the level of my main TV.
Given that no smart TV manufacturer is ever going to get a single byte of data from me they can sell, I guess the joke is on them? I wish I didn't have to do this dance though: give me a smart TV where I can get the apps I choose, but the manufacturer is not ramming it full of spyware... that would be amazing.
Good news! HDMI supports Ethernet backhaul, which isn't widely used, but in theory your TV could access the internet through the HDMI source you have plugged into it.
https://en.wikipedia.org/wiki/HDMI#HEC
In practice, I've never seen it used even for point-to-point links, let alone this kind of bridging/routing/NATing.
Well, you're lucky that your equipment doesn't use the Ethernet channel in HDMI 1.4 then :) you can put a piece of Kapton tape over the HEC pin to make sure that doesn't happen.
[1] https://github.com/home-assistant/core/issues/73643#issuecom...
[2] https://forum.openwrt.org/t/minidlna-creates-new-media-serve...
I wonder what to take of this. Use Linux? Or at least set your home network as "Public" instead of "Private" (clearly a workaround, not a solution, because then (s)he would need to enable RDP on Public networks.
(Btw, your parentheses are unbalanced: https://xkcd.com/859/. And the author uses they/she pronouns (not ‘(s)he’): it says so at the top left of the page.)
Vizio for exmaple in 2021 made 85% of its revenue from selling the TV, just 15% from the "platform". If the $400 TV was instead $470 they would make the same. These scam companies just see it as "free profit" on top of a captive audience.
PC manufacturers used to do this, with Microsoft's consent. Buy a laptop 20 years ago and you would get tons of shovelware from Dell which made them a few extra pennies. Nowadays I believe Microsoft themselves got into the game.
Companies aren't happy with making a product for $50 and selling it for $60 (or $200 or whatever), they have to make a little more by double-dipping. This is of course partly the consumer to blame -- they just look at the headline price. Buy the plane ticket for the lowest price on the middleman interface, but then it's $15 'check-in fee', $50 'landing-fee' etc, but that doesn't matter because look at the shiny advert for $9.99*
What percentage of their profit comes from that 15% of their revenue ?
I suspect it's a lot.
I've done that with last 3-4 TVs and never had an issue. And the $50 dongle is much cheaper than paying $1000 more.
Never happened. It’s just a thing we know can happen, but doesn’t for myriad reasons like humans flying in drones.
Or just buy a normal TV and never connect it to the internet, what's so hard about that? Cheaper than paying more and getting less for a digital signage screen.
These devices aren't at all exclusive or difficult to purchase.
Where would you live that they would be hard to find?
The point of a sign is that it shows what you want it to show. Whether that's an advantage depends on whether that's what you're looking for. But every feature of the display is going to be oriented towards that goal.
Notwithstanding the Amazon review that says "Yes it has wifi", you might find it noteworthy that this model does not have wifi connectivity. (As can be verified from its spec sheet, https://image-us.samsung.com/SamsungUS/samsungbusiness/pdf/s... , or from its page on CDW, https://www.cdw.com/product/samsung-qe43t-smart-signage-qet-... )
Your comments elsewhere in this very thread seem to indicate that this product is exactly what you want, a display that won't show ads and, in the general case, isn't connected to the internet. What exactly are you imagining will happen to someone who uses one?
Having gotten a 40" sibling that was sold as "desktop monitor" with otherwise identical panel (besides of course pixel pitch) spoiled me with it's "technically counts as HDR" native contrast from a burn-in resistant LCD, also suffering just barely perceptible loss of contrast with no significant color shift at all viewing angles that aren't already too extreme to comfortably read text due to distortion.
Sure, it's slow and thus not suited for competitive counter strike, code editing and SDR-mastered visual media look about as good as an LCD can. They do though seem to not consider factory/nominal color calibration for the panel with the signal processor and a regular operating system on an attached PC something they want to offer on these, which is annoying because with 8 bit and the nominal 5000:1 static contrast mild banding isn't even unexpected. So it'd be preferable to just drop an ICC profile onto the computer that's valid for when the screen is set to native gamma and native white balance (I.e. dumb panel mode) and get to make full use of the panel without the excess expense of individually calibrating devices to do digital proofs ahead of actual production/view the material during actively ongoing color grading work. A decent color managed (but not individually calibrated) screen will suffice happily for most tasks, to the point where further calibration won't be perceptible in a double blind test with the screen isolated from reference light sources for most untrained eyes.
End users and consumers can buy digital signage and commercial displays without any trouble.
Here is one on Amazon:
https://www.amazon.com/NEC-Commercial-Public-Display-Speaker...
Most of these are resold by niche small businesses but I don't see any incentive for them to reject a private individual buying it? In the UK I got mine from https://www.projectorpoint.co.uk/displays (no affiliation beyond being a satisfied customer) and after wiring them the money I got it next day.
I've had good experience with Sony professional displays (model number FW-65BZ35F) - they are reasonably priced and come with stock Android TV with very little bloatware. My understanding is that these Sony units are not billboard displays or optimized for high-brightness/24H runtime, they're what looks like standard consumer hardware just running a different firmware - the upside is that the price is actually competitive with consumer-grade TVs.
If you're never gonna use the built in OS anyway, there's no reason to risk it. Most TV manufacturers are engaged in a brutal race to the bottom and they have to enshittify the software to make money.
It didn’t. Fixed some other bugs, introduced some new ones. Not my best bet, not my worst. Still no ads, luckily, though.
It shouldn’t be creating a new UPnP UUID every few minutes. That’s clearly not good behaviour. However it does also highlight a denial of service in Windows.
> I manually backed up everything important from my main PC drive (as I could not access the windows backup program because it lived in settings!!!!!!!!)
Son #3 hates that System Settings is restricted to ≤1 instance by design. Windows only unchanging feature is that it is impossible to work with 2 Settings Windows simultaneously.
Working with multiple windows was kind of the point of Windows in the first place.
MS doubles down on that problem by continually pruning-away legacy settings options. Their end game seems to be limiting all system option access to just one app - an app that can be downed by janky TV firmware.
#3 is right.
While all software is buggy to some extent, Hisense TV is probably maliciously changing their UUID so users cant block their telemetry, or their ads, etc.
On the side of TV, it is also bad.
Therefore, both the TV and the OS have blame in this.
If you use router level AdBlock -- that is, DNS filtering -- lots of ads and telemetry go away by themselves, and what UUID is used is irrelevant. Of course, most people don't do that, but still I don't see how changing the UUID helps prevent blocking telemetry/ads.
I'm not defending Hisense and I'm not saying that this can't be the intention but it's a good idea to keep Hanlon's razor in mind in situations like this.
I'm not sure it will. If this was a scenario that caused DHCP to continually issue new IPs - this will likely cause operational issues. Two I can think of are DHCP exhaustion and routine loss of device connectivity.
- Slow/laggy UI
- Ads on the home screen
- Sends a shit ton of telemetry home
This is why all of my TV are never connected to the internet and only serve as output for my Apple TV. Sadly, I gave up on the cheaper Android TV boxes, because they all have the same issues with crappy software and even started to show ads.
2) IR learning remote Beware, amazon link. This is just an example, not a quality product https://tinyurl.com/yks7kmxv
3) I dont have a non-smart solution to that
I have one of those tvs (kdl##w####) and yes, the youtube app is becoming unusable. I am quite sure someone might be telling us the party is over (that they want us to use a new tv)
My pet pieve with my current Samsung QLed 4K 65" (2016) is just how sluggish changing input sources is - when wanting to go between the Xbox and the PC. Have never tried any of its other features, can't imagine they'd be anything other than horrible.
The display is a very nice monitor otherwise! Still very good colours. Windows with a Logitech media keyboard is awesome. Zwift, Spotify, Internet media all plays back very nicely.
My LG TV is completely offline, but I can still say “Hey Siri turn off the TV” and it works.
But for those who need a 65" wall of advertising, the Invisible Hand will provide.
I laugh every time I see a livingroom with all furniture focused toward a fireplace. It truly reminds me how holdovers from out-of-touch lifestyles two+ generations ago still dominate some norms of interior decoration. Larger screens are objectively better in every way if you have the space.
Commercial "dumb" TV screens are available but are harder to find, and as I said, it's only recently that large computer LCDs (not TVs) have become available. But these are still not as large as recent gigantic smart TVs.
So when most people want a bigger screen, they see little choice but to accept telemetry. The more privacy-aware people take measures against it.
This is mostly because Roku/etc are subsidizing the cost of the device so far down the line that it becomes impossible to argue for the better ones, especially from companies like NEC/Sharp who make Damn Good displays for business.
The reason it's slow is because "growth & engagement" wants that slow CPU to be doing more ("suggestions" aka ads, telemetry, garbage overdesigned UI, etc) than actually necessary.
For years now, actually more than a decade, we just use a home-theater projector (Epson, fwiw). Audio goes into our stereo system. Set up a media center to feed the projector. If you still have cable (or equivalent), hook up the box from your cable company.
I don't watch TV unless I'm with my wife, but when we do, we get stunningly accurate 4K HDR video at any time of day, faithful color reproduction because the panel is QD-OLED (I had to tune it a little beforehand; I still need to color calibrate it), and the ability to tilt the display based on where we're sitting.
You can get those with a projector, but you need space, a good panel to project against, and, most importantly, a REALLY GOOD projector (Epsons that can do this are $2k+, which is how much our TV was).
That said, a projector can't be beat for watching stuff outside (though, again, you need a really good projector to watch anything during the day)
It's a bit of a squeeze for a smallish bedroom. Or an 1000 sqft home w/ 3+ kids, a single wide, a 5th wheel, a shotgun home. Ya know. Places people live.
https://www.statista.com/forecasts/1283880/global-television...
The average TV costs $333. Put another way, the average consumer is spending $333 on their TV (I think that's a correct inference?). At that price you can get a pretty large 4K LCD panel supporting HDR.
I think you'd be hard pressed to find a competitor at that price point, and I'm guessing you spent significantly more than that on your setup. I'm sure that choice made sense for you, but you're not the average consumer.
What are you even talking about???
But why and how?
> The root cause is the TV generates random UUIDs for UPNP network discovery every few minutes. That means it poses as a new device. This caused windows to add it to the device list (Device Association Framework, aka DAF) as a new device. This means now 1000s of devices (which is the same device) filled the device tree causing it to enumerate forever. Thus the "deadlock".
> TaskManager uses DasHost to enumerate devices for some reason, so that hangs.
> Bluetooth relies on device discovery, so that also hangs, and Settings app along with it.
> Network discovery in file explorer obviously also needs Device discovery, so that also hangs.
Sorry, flashbacks to the debates in The Old New Thing where Raymond would claim people blame Windows when it breaks broken software...
https://learn.microsoft.com/en-us/answers/questions/1339707/...