How I learned to hack my TV (and started worrying about the future)

Everything in our home is connected to the Internet these days. Our thermostats and surveillance cameras are going to the cloud. Our refrigerators and TVs are online. Even the rice cooker can be connected to the Internet. Outside the home, we have the likes of Smart Rifles, and even though it is not clear if they can be connected to the Internet or not, they do support device-to-device Wi-Fi connections. We and our machines are increasingly connected, in ways we don’t necessarily expect or consider.

 

Let’s talk about my TV. When I bought a TV a few years ago, it was just a TV. Maybe it had a larger screen than the one I had before and it might have better screen resolution and refresh rates. But when I bought our new TV last year, it had something else as well. I didn’t notice it for a while, but it came embedded with a small computer. The presence of the computer isn’t obvious and I might have never even noticed it.

 

Others have noticed these computers though. In fact, there have been various discussions in the industry recently on the security of Smart TVs. Last year two researchers at Black Hat Briefings security conference, Aaron Grattafiori and Josh Yavor, discussed remote hacking exploits they had found. Basically they found a cross-site scripting vulnerabilities in Samsung Smart TV apps (the apps are usually written in JavaScript). Using cross-site scripting, they acquired local user privileges. They also used a local privilege escalation issue to get system privileges. The problem here is that the default user ID that runs the whole TV application has root privileges. Just getting out of the sandbox is enough to gain total control of the system.

 

I was inspired by this talk and started digging into one of my TVs at home. I was really curious about what was inside the TV.

 

Rooting my TV

 Gathering the required information was not difficult as my TV is a popular model. The Samygo forum had some useful information in this area, especially on Samsung. The principle is simple. You use the developer account to install private applications on your machine. Developer account information can be found here and there. Or you can choose to unlock the TV using a local exploit. Some applications have a local vulnerability that allows unauthorized applications to get permanent access to the system level. We’ll call this an “exploit” as it is using a glitch with specific applications installed on the TV by default. Of course, you can’t use it to remotely hack into the system, but if the attacker can access the TV physically, it would be possible to install backdoors using similar methods.

 pic1.png

Figure 1 Samygo TV discussions on getting root access to TVs

 

After following the instructions, I was able to root my own TV. It just took a USB stick and a few minutes of my time to see a root shell on my own system. I bought the TV six months ago and never knew that I had an extra computer in my house. The operating system looked like Linux and I confirmed this by initiating the “uname” command and checking the result.

  

 pic2.png

Figure 2 Root shell on my TV

 

 Console access
Additionally, I could have console access to the system by utilizing the system’s Ex-Link port -- the benefit with console access is that you can access an enormous amount of debug logs. You can also upload your firmware image. The physical appearance of the Ex-Link port appears to differ depending on your specific model, but basically it is a serial communication port. For my TV, it was in the form of a 3.5mm audio jack.

 

 pic3.png

Figure 3 EX-LINK Port

 

I modified a DB9 serial cable I had around to connect with the audio jack. It took 10 minutes to come up with a homemade Ex-Link cable. The cost of the cable was under $5. When in serial communication with the TV I could see various debugging messages. Most of the information is meant for software debugging and contained component and method names along with other details. This information itself could be a really useful resource for hacking the TV.

 

 

 pic4.png

Figure 4 Console Access to my TV

 

 

What we found in a few days

 I’d gained access to a root shell and console output, so now what could I do? Maybe bug hunting would be fun. I downloaded the binaries from the system and looked around with IDA. Most of the binaries were ARM native code and some of the JavaScript was obfuscated. Using the netstat command showed a lot of services using TCP and UDP protocols. There were also web services, UPnP services and services using non-conventional ports. Some services were using open-source code, but some were using proprietary code, (which means they might not be as hardened as their open-source counterparts -- open-source code often gets hardened as it gets audited repeatedly by multiple users over the course of time that the code has been publically available).

 

After fiddling around in the system for a few days, I found that a service related to UPnP had issues with remote authentication. UPnP is a technology used for peer-to-peer network connectivity between PCs and other appliances (as defined here). It provides easy discovery of machines on a network and an additional means of control. The issue could allow possible control of the TV system itself by allowing remote users unauthorized access to an input device. We reported the issue to Samsung security and it is currently under investigation. They responded promptly -- the issue could be exploited by remote attackers to control the TV and its network traffic.

 

Just a few days of work revealed a useful vulnerability, and even though it doesn’t execute a shell command on the remote system, it could give some control to an attacker. If an attacker could control network traffic, they could redirect any traffic from the TV to a location of the attacker’s choice. This could significantly affect the fundamentals of the network’s security and eventually be used for identity theft by capturing credentials from fake web sites.

 

My worries

 Now I’m really worried about the future. These TVs are just sitting in my bedrooms and living room, and they can be hacked. Back when the TV was not so “Smart”, I don’t remember any reports that they could be hacked in any way to monitor people. Now, the TV is “infectable” and could be a threat if that occurred. At last year’s Black Hat Briefings, SeungJin Lee presented various techniques that could hypothetically be used to rootkit your TV. He used open-source code called adbi to plant malicious code inside a vendor’s application. You can achieve various things with this rootkit technique and you can reuse ready-made toolsets. Aaron Grattafiori and Josh Yavor also used the application layer to monitor users through a webcam as the payload for their POC system compromise.

 

People are increasingly dependent on their gadgets. Our life is inside these gadgets -- if the gadgets get hacked, our life is hacked. You might use your TV to Skype your friends and family, or you might use it for business communications. If your TV is hacked there is a high chance that those communications could be monitored (or even possibly altered). You might save all your personal pictures and videos on your TV for convenient viewing. They are in danger if your TV is hacked. So, there is the potential for similar patterns of compromise to those we’ve seen on PCs (and are seeing on mobile devices) to repeat in the context of home appliances -- including Smart TVs.

 

 

Return-On-Investments (The ROI)

 I wonder how many people actually use the Smart features of their Smart TVs? Some remote exploits only work when you actually utilize a specific application or feature. The potential ROI of an exploit is dependent on the popularity of that specific application or feature. Personally, even when the same apps are available on multiple devices, I tend to use my mobile phone or PC rather than the TV. The usability of these apps tends to decline significantly when you’re forced to interface with them using a remote control. You generally don’t see malware in the wild that infects users through applications that no one uses. The Smart TV application model started relatively recently. I couldn’t find any good statistics on how Smart TV users are using their apps, but then it might be too early in the game for actual attacks to appear. Put simply, the ROI on Smart TV malware is kind of low compared to that on other platforms for malware authors. But, who knows? If popular apps appear and they have vulnerabilities, then what happened in PC security history could repeat in this space.

 

 

More worries and a conclusion

 Even if we think that malware that abuses Smart TVs and Smart home appliances are not coming any time soon, there is still a problem. While the projected ROI prevents attackers from developing malware for Smart home devices, the same thing happens with the security industry. When there are no actual attacks, no security measures are developed to defend against them. Security in general is reactive in many cases. When malware appears, AV vendors release new signatures that capture the new “variant”. Tomorrow the malware authors will tweak their obfuscation routines and release another variant which is 99% the same as the previous one, but repacked with different vectors. The same model applies to vulnerability research -- when vulnerabilities are reported, vendors fix them.

 

But, the PC and mobile industries have learned a lot from their past experience and they are doing more proactive research. They perform code audits and run bug bounty programs to urge external security researchers to submit their findings. They run fuzzers on their own products to find the vulnerabilities before the bad guys do (such as this fuzzer from Microsoft). They add additional security measures to their products. Many things still break, but they also make significant improvements through these processes. The problem with Smart home devices is that while they may not have suffered as much as other systems that’s no reason for the Smart appliance vendors to be lax about security.

 

The other issue with Smart home appliances is that there are few tools you can use to check if your system has been hacked. How would you know if your Smart appliances were hacked, and even if you did, how would you disinfect them? There is no good, officially published, publically available knowledgebase for these systems. Generally the only information you can find is compiled by well-meaning individual enthusiasts who have reverse-engineered them. And vendors appear to be approaching the issue using more of a black box model (security by obscurity) rather than by publically exposing useful details on the systems themselves.

 

There are many issues you could debate on Smart appliance security, but one thing is clear. The Smart home device is not necessarily the fortified castle it might appear. If you want to reveal the insides of these devices, there are ways to do it. If you want to find vulnerabilities, it is not extremely difficult. You can apply the same approach to this area as you would with PC or mobile software security. Smart appliances often run the same or similar operating systems (OSes) and applications as PCs and mobile devices. Now might be the time for vendors of Smart devices to be “Smart” about security too (before the attackers wise up).

 

 

Comments
oro-ra(anon) | ‎02-20-2014 03:28 PM

 

Can you please elaborate on the UPnP vulnerability.

 

The issue could allow possible control of the TV system itself by allowing remote users unauthorized access to an input device

 

 

Matt_Oh | ‎02-20-2014 04:34 PM

The issue is still not patched. We are going to work on new post when the issue is fixed and the patch is released from the vendor.

 

Thanks.

Mebbed(anon) | ‎02-26-2014 01:52 PM

Some time ago I came across this whitepaper:

 Smart TV hacking

 

 

Matt_Oh ‎02-27-2014 09:11 AM - edited ‎02-27-2014 09:15 AM

Mebbed, thanks for sharing a good white paper. It looks like it shows another vector in Smart TV attack surface.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author
Twitter: @ohjeongwook .
Featured


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.