This post is derived from the slides (page 35) of our presentation at PHDays IV in 2014:
The following are the referenced videos:
Attack Surface
- As you might have guessed there are a lot of different ways to attack a SmartTV
- To get a better understanding let’s take a look at a real world device
- We will just focus on a subset of the device attack surface
- To do that we take in consideration the following schema related to a Philips SmartTV…
Attack Surface - WiFi
WiFi adapter of the TV acting as access-point listening for WiFi
connections.
The Miracast protocol is composed by out-of-band WiFi packets, protocols
and codecs.
A vulnerability in Miracast allows the attacker to access the TV from outside your house.
Attack Surface - LAN
- Most of the SmartTV issues are related to services exposed via LAN:
- UPNP
- Video/Audio service (like DirectFB)
- Various HTTP/HTTPS servers
- Network remote controller
- Media sharing
- Status and information
- First thing to try on your SmartTV is using NMAP:
- You will see a number of different TCP and UDP ports open
- Some of them awaiting for you to connect :]
- If you try to send some junk data to these ports you might get some easy way to crash/reboot the TV, a starting point to investigate
- The TV also scans the LAN, an attacker can passively exploit vulnerabilities
Real World Issues
Samsung #1 (1)
Date: 2012
Tested device: Samsung SmartTV D6000
Affected Service/Protocol: DMRND, an HTTP server listening on ports 52253 and 52396
Vulnerability: Directory Traversal, which allows to download any file available on the device except special files like those in /proc
Details: The server has a security check to allow people to download files having only whitelisted file extensions (jpg, png, ..). To bypass the check the attacker needs to append a NULL byte followed by the whitelisted extension:
- http://SERVER:52235/../../etc/passwd%00.png
Samsung #1 (2)
- Download all the filesystems from the remote TV
- Download the filesystems related to all the connected USB devices
Samsung #1 (3)
- TV controller configuration file, it contains the parameters used by the whitelisted remote controller
- Configuration file used by the our PC program, we need only to copy the above parameters here
These fields are not part of the Ethernet packets, but are defined inside the protocol itself so it’s possible to spoof the IP, MAC address and hostname to allow an attacker in the network to impersonate the whitelisted TV controller
Samsung #1 (4)
- Now we can control the TV when the victim is not watching
- The attacker can install arbitrary malicious Apps on the TV using the “develop” account
Samsung #2 (1)
Tested device: Samsung SmartTV D6000
Affected Service/Protocol: DLNA client
Vulnerability: Buffer overflow exploitable as soon as the device tries to download the icon image associated to a DLNA host
Samsung #2 (2)
NOTIFY * HTTP/1.1Host: 239.255.255.250:1900Location: http://192.168.0.3:56923/test.xmlNTS: ssdp:aliveCache-Control: max-age=1800Server: UPnP/1.0 DLNADOC/1.50 Platinum/0.6.8.0-bbUSN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:MediaServer:1NT: urn:schemas-upnp-org:device:MediaServer:1
Samsung #2 (3)
<iconList><icon><mimetype>image/png</mimetype><width>48</width><height>48</height><depth>32</depth><url>/images/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [...]
Samsung #3
Tested device: Samsung SmartTV D6000
Vulnerability: Persistent Endless Loop
Details: The controller packet contains a string, which is used to identify the controller itself. A malformed string will trigger an endless loop. The only way to fix this issue is to access the device service mode before the reboot.
Philips Miracast (1)
- Found in 2014
- ALL the Philips TV 2013 models are affected
- Silently exploitable probably from Summer 2013
- No PIN
- No authorization request
- Hardcoded fixed password… “Miracast” :)
- Full access to the TV services just like in LAN
- Exploiting of directory traversal in JointSpace
- Abuse of the available services
- Let’s check what we can do…
Philips Miracast (2)
- Controlling the TV from remote
Philips Miracast (3)
- Sending audio and video to the TV… the TV is talking to you!
Philips Miracast (4)
- Stealing configuration files and cookies via a directory traversal public from September 2013 but unfixed
Conclusion
- SmartTV are insecure
- SmartTV are a perfect target for “monitoring” a specific target: a person or even a company (TVs are everywhere)
- Exploiting them usually requires to be in the LAN or some user interaction
- Currently it’s difficult to have a vulnerability for owning many models of TV, so you must focus on the one of your target