Dejv
(Dejv)
June 23, 2025, 8:53am
1
I have 2 Toshiba smart TVs, around 7 years old (not Android), at my workplace that use the built-in web browser to open an internal link that basically shows some ticket updates; the data is picked up from a local on-prem server, for example with IP 192.168.0.2.
Security-wise, what can I do to keep the network as secure as possible?
- Created a separate VLAN
- I created a separate SSID and password for the TVs on a different network
- Blocked VLAN traffic to other VLANs, however whitelisted the server where I have the application hosted (on the servers' VLAN)
I cannot block the internet to the TVs as otherwise, for some reason, the browsers will not open.
Are there any other precautions that I can take?
4 Spice ups
Andrew_F
(Andrew_F)
June 23, 2025, 9:21am
2
Can you see where the TVs need to go in order to open the browser? You may be able to restrict their internet access to just the endpoints they need. Definitely restrict to just the ports that are needed.
TBH, I would suggest that's the potential point of breach, where the TV browser calls "home": that could be hijacked/intercepted and malicious code inserted, probably initially just redirecting to a new endpoint where they can then download packages to the TV.
I would also look to firewall the on-prem server so the TVs can only use the port(s) required.
3 Spice ups
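One way to act on this advice, as an added example that is not part of the original thread: summarise the router's firewall log for the TV VLAN per TV, then test a proposed allowlist against what the router currently lets through. It assumes the router logs TV-VLAN traffic in the usual netfilter LOG format with a "TV-ACCEPT " or "TV-DROP " prefix; the log lines, the TV addresses (192.168.30.x), the resolver (198.51.100.7) and the allowlist are constructed for the demo, with 192.168.0.2 taken from the question.

```python
"""Summarise what a TV VLAN actually talks to, from the router's firewall log.

Added example for this thread (not code from the original post). It assumes the
router logs TV-VLAN traffic with the usual netfilter LOG format, prefixed
"TV-ACCEPT " or "TV-DROP " depending on the verdict; the log lines, addresses
and allowlist below are constructed for the demo.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

LOG_RE = re.compile(
    r"(?P<verdict>TV-ACCEPT|TV-DROP)\b.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?"
    r"PROTO=(?P<proto>\S+)"
    r"(?:.*?\bDPT=(?P<dport>\d+))?"
)

# Constructed sample: two TVs (192.168.30.x) behind a router that already
# allows the on-prem server (192.168.0.2) and the internet, and drops the
# rest of the internal ranges.
SAMPLE_LOG = """\
Jun 23 08:12:01 gw kernel: TV-ACCEPT IN=vlan30 OUT=vlan10 SRC=192.168.30.11 DST=192.168.0.2 PROTO=TCP SPT=51234 DPT=443
Jun 23 08:12:02 gw kernel: TV-ACCEPT IN=vlan30 OUT=eth0 SRC=192.168.30.11 DST=203.0.113.50 PROTO=TCP SPT=51235 DPT=443
Jun 23 08:12:03 gw kernel: TV-DROP IN=vlan30 OUT=vlan10 SRC=192.168.30.11 DST=192.168.0.5 PROTO=TCP SPT=51236 DPT=445
Jun 23 08:12:04 gw kernel: TV-ACCEPT IN=vlan30 OUT=eth0 SRC=192.168.30.12 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=53
Jun 23 08:12:05 gw kernel: TV-ACCEPT IN=vlan30 OUT=eth0 SRC=192.168.30.12 DST=203.0.113.50 PROTO=TCP SPT=51240 DPT=80
Jun 23 08:12:06 gw kernel: TV-DROP IN=vlan30 OUT=vlan10 SRC=192.168.30.12 DST=192.168.0.2 PROTO=TCP SPT=51241 DPT=22
Jun 23 08:12:07 gw kernel: TV-ACCEPT IN=vlan30 OUT=eth0 SRC=192.168.30.12 DST=203.0.113.50 PROTO=ICMP TYPE=8
"""


class Flow(NamedTuple):
    verdict: str
    src: str
    dst: str
    proto: str
    dport: Optional[int]   # None for protocols without ports (ICMP)


def parse_log(text: str) -> list:
    """Extract one Flow per TV-ACCEPT/TV-DROP line; other lines are ignored."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dport")) if m.group("dport") else None
        flows.append(Flow(m.group("verdict"), m.group("src"), m.group("dst"),
                          m.group("proto"), dport))
    return flows


def destinations_by_tv(flows) -> dict:
    """Distinct (dst, proto, dport, verdict) per TV: the raw material for an allowlist."""
    out = defaultdict(set)
    for f in flows:
        out[f.src].add((f.dst, f.proto, f.dport, f.verdict))
    return dict(out)


# Proposed allowlist: (destination network, protocol, port or None for any).
# This is the policy the thread is aiming at: the on-prem server over HTTPS,
# the resolver for DNS, and nothing else. Constructed for the demo.
ALLOWLIST = [
    (ip_network("192.168.0.2/32"), "TCP", 443),
    (ip_network("198.51.100.7/32"), "UDP", 53),
]


def permitted(flow: Flow, allowlist=ALLOWLIST) -> bool:
    """True if any allowlist entry matches the flow's destination, protocol and port."""
    dst = ip_address(flow.dst)
    return any(dst in net and flow.proto == proto and (port is None or flow.dport == port)
               for net, proto, port in allowlist)


def accepted_but_outside_allowlist(flows, allowlist=ALLOWLIST) -> list:
    """Flows the router lets through today that the proposed allowlist would block.

    Each one is either a dependency to add deliberately (the browser's
    "call home" endpoints that keep it from opening) or traffic to cut."""
    return [f for f in flows if f.verdict == "TV-ACCEPT" and not permitted(f, allowlist)]


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    for tv, dests in sorted(destinations_by_tv(flows).items()):
        print(tv)
        for dst, proto, dport, verdict in sorted(dests, key=str):
            print(f"  {verdict:9} {proto:4} {dst}:{dport}")
    print("\nAccepted today, blocked by the proposed allowlist:")
    for f in accepted_but_outside_allowlist(flows):
        print(f"  {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Run it against a day of real logs before tightening the rules: whatever shows up under "accepted today, blocked by the proposed allowlist" is the list of hosts and ports the TV browser apparently needs, and each entry is a decision (add it to the allowlist, or accept that the browser may stop opening), rather than a surprise after the change.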
somedude2
(somedude2)
June 23, 2025, 8:20pm
3
Turn off ACR in the TV, it is trying to get content ratings; also turn on the 'data privacy settings' in the TV config, it -should- work standalone then.
Smart TVs are incredibly invasive and blabby:
Data collected by Toshiba smart TVs:
Viewing habits (what you watch, when, and for how long)
Voice commands
Location data (often through your IP address)
Search queries
Technical information (error logs, network details, device usage)
Every one of these things is a service you know nothing about as far as security goes…sigh
2 Spice ups
Dejv
(Dejv)
June 24, 2025, 6:52am
4
Disabling those TV options didn't let me open the browser either :confused:
Does it make more sense in terms of security to get 2 cheap Android boxes and hook them up to the TVs (disconnecting the TVs from the Wi-Fi)? That way the Android boxes can connect to the Wi-Fi and can open the browser with the internet blocked, instead of opening the websites that the TVs are trying to connect to.
somedude2
(somedude2)
June 24, 2025, 1:41pm
5
The problem is it is never just about security, lol.
If it was, I would get a NUC, put Linux on it, and plug in a big flat screen monitor…
In other words, what all the McDonalds and Wendys of the world are doing…
But, working with what you have, at least the Androids would have updates you know about and have some control over. Gawd knows when the TV last installed a security update..
This only works if you can make the TV into a plain (dumb) monitor…
Or, cheapest, firewall the heck out of the segment with the TVs on the assumption they will get hacked and try to penetrate the rest of your network, or act as botnet hosts for the internet, and isolate accordingly. (You should be doing this for your internal segments anyhow, to some extent, to limit damage if some slob clicks on a nasty link; the only difference is you need to be more strict here, there are no users with credentials who need to log in to a TV, so it shouldn't even be possible to try.)
Dejv
(Dejv)
July 3, 2025, 6:21am
6
Thanks for the reply. Technically I have a couple of laptops that are not able to run Win11 that I can put Linux on. Do you know of a version of Linux that I can use for this kind of usage? Maybe there is something ready-made to make my life easier.
If I run the Linux machine, I also can avoid having it on a separate network and can leave it on my normal ones as long as I install an antivirus on it, right?
lcg86
(lcg86)
July 3, 2025, 7:15am
7
FullScreenOS exists but I'm not certain it's made to support x86_64 devices, since its primary target is RPis.
If this were me, I’d probably stick NixOS on them with the most minimal configuration to boot into a GUI non-sudo user profile that launches a browser fullscreen with your URL as the homepage. I’d then default deny all on the firewall, other than connectivity to the server and allow SSH from your work machine IPs. I’d also include a service that runs the update command every X period of time. The final configuration.nix file can be backed up somewhere and applied to any additional/replacement machines. It’s a single self-documenting file that requires a single command to apply. I understand it’s a niche OS but you’d spend a similar amount of time setting this up with Ansible or plain bash scripts+cron jobs.
I asked ChatGPT to mock something up purely for demonstrative purposes:
{ config, pkgs, lib, ... }:

let
  username = "kioskuser";
  homepageUrl = "https://example.com";
  # Prefer the server's IP address here over a DNS name: iptables resolves a
  # name once, when the rules are loaded, which may be before DNS is up.
  homepageHost = "example.com";
  allowInboundFrom = "203.0.113.42";
in
{
  imports = [ ./hardware-configuration.nix ];

  system.stateVersion = "24.05";

  networking.hostName = "kiosk";
  time.timeZone = "America/Chicago";
  i18n.defaultLocale = "en_US.UTF-8";

  # google-chrome is an unfree package; evaluation fails without this.
  nixpkgs.config.allowUnfree = true;

  # Sway (Wayland) started directly by greetd as the kiosk user: no X server,
  # no display manager and no login prompt on the screen.
  programs.sway.enable = true;
  services.greetd = {
    enable = true;
    settings.default_session = {
      command = "${pkgs.sway}/bin/sway";
      user = username;
    };
  };

  # The whole Sway config (sway falls back to /etc/sway/config when the user
  # has none): the session does nothing but run the browser in kiosk mode,
  # and there are no terminal or launcher keybindings.
  environment.etc."sway/config".text = ''
    exec google-chrome --kiosk '${homepageUrl}'
  '';

  environment.systemPackages = with pkgs; [
    google-chrome
  ];

  users.users.${username} = {
    isNormalUser = true;
    description = "Kiosk User";
    extraGroups = [ "video" "audio" ]; # Not in wheel
    # Empty password: nothing should be able to reach a login prompt on this
    # box anyway; use hashedPassword = "!" to lock the account outright.
    initialPassword = "";
  };

  # SSH: keys only. Administration happens as root, since the kiosk user is
  # deliberately unprivileged.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "prohibit-password";
    };
  };
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAA... admin@work" # placeholder: your admin public key
  ];

  # Weekly upgrade via the built-in module instead of a hand-rolled unit;
  # allowReboot reboots only when the kernel, initrd or modules changed.
  system.autoUpgrade = {
    enable = true;
    dates = "Sun *-*-* 01:00:00";
    allowReboot = true;
  };

  # Firewall (iptables backend). Inbound: only SSH, and only from the admin
  # machine. Outbound: default deny, then DNS, the homepage host, and the
  # NixOS channel/cache hosts that the weekly upgrade needs.
  networking.firewall = {
    enable = true;
    # Do not list 22 in allowedTCPPorts: that accepts SSH from any source
    # before the source-restricted rule below is ever reached.
    allowedTCPPorts = [ ];
    trustedInterfaces = [ ];
    extraCommands = ''
      # Inbound rules belong in the nixos-fw chain, which NixOS flushes on
      # every reload, so they never stack up.
      iptables -A nixos-fw -p tcp --dport 22 -s ${allowInboundFrom} -j nixos-fw-accept

      # NixOS does not manage OUTPUT, so flush it ourselves before rebuilding
      # it, otherwise a firewall reload duplicates the rules.
      iptables -F OUTPUT
      iptables -P OUTPUT DROP
      iptables -A OUTPUT -o lo -j ACCEPT
      iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

      # Allow outbound DNS
      iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

      # Allow outbound HTTP/HTTPS to the homepage
      iptables -A OUTPUT -p tcp -d ${homepageHost} --dport 80 -j ACCEPT
      iptables -A OUTPUT -p tcp -d ${homepageHost} --dport 443 -j ACCEPT

      # Allow outbound HTTPS for system.autoUpgrade. These names resolve once,
      # when the rules load, and sit behind a CDN whose addresses change; if
      # upgrades start failing, restart the firewall or allow 443 upstream.
      iptables -A OUTPUT -p tcp -d channels.nixos.org --dport 443 -j ACCEPT
      iptables -A OUTPUT -p tcp -d cache.nixos.org --dport 443 -j ACCEPT

      # Same default deny for IPv6; nothing above is reached over v6.
      ip6tables -F OUTPUT
      ip6tables -P OUTPUT DROP
      ip6tables -A OUTPUT -o lo -j ACCEPT
    '';
    extraStopCommands = ''
      iptables -P OUTPUT ACCEPT
      iptables -F OUTPUT
      ip6tables -P OUTPUT ACCEPT
      ip6tables -F OUTPUT
    '';
  };

  # Optional: optimize nix store
  nix.settings.auto-optimise-store = true;
}
Dejv
(Dejv)
July 11, 2025, 7:06am
8
Hi, thanks for the suggestion. One last query: would you install an antivirus on NixOS?
1 Spice up
lcg86
(lcg86)
July 14, 2025, 1:27pm
9
I would not personally install an AV on NixOS for this use case. As long as your OpSec is solid re: SSH key pair for remotely accessing the devices, it's highly unlikely to be a weak link on your network.
To avoid physical attacks, you can also disable tty switching:
  boot.kernelParams = [ "vt.global_cursor_default=0" "console=tty1" ];
Overwrite the default Sway config, so it is impossible to get a CLI, launch a terminal or application launcher:
  # mkForce so this definition wins over any other sway config in the file.
  environment.etc."sway/config".text = lib.mkForce ''
    set $mod Mod4
    # Only two bindings exist: power off (logind lets the active local session
    # do this without sudo) and relaunch the browser.
    bindsym $mod+q exec systemctl poweroff
    bindsym $mod+Enter exec google-chrome --kiosk '${homepageUrl}'
    # Start the browser at login rather than waiting for a keypress.
    exec google-chrome --kiosk '${homepageUrl}'
  '';
Disable sudo, so it's not installed: Sudo - NixOS Wiki
  security.sudo.enable = false;
If you seek peace of mind/have an obligation to run AV, ClamAV can be run as a service very easily: Clamav - NixOS Wiki
  services.clamav.daemon.enable = true;
  services.clamav.updater.enable = true;
It's as simple as adding those code snippets to the configuration.nix file and rebuilding. You'd also want to nix-collect-garbage -d to clear out all old builds, so they can't be loaded at boot.