Samsung Smart TV: Like A Web App Riddled With Vulnerabilities

Smart television sets aren’t short on cool features. Users can connect to Facebook and Twitter from the same screen that they’re using to watch Real Housewives of New Jersey, or log into Skype and use a built in- or external webcam to have a video chat. Unfortunately, the more TVs start to look like computers, the more they are becoming subject to the same underlying code vulnerabilities that have caused headaches and heartache in the PC space.

Samsung SmartTV
Researchers said SmartTVs from Samsung are vulnerable to many, traditional web-based attacks.

That was the message of two researchers at the Black Hat Briefings security conference Thursday, who warned that one such product, Samsung’s SmartTV, was rife with vulnerabilities that could leave the devices vulnerable to remote attacks.

Vulnerabilities in the underlying operating system and applications on Samsung SmartTVs could be used to steal sensitive information on the device owner, or even spy on the television’s surroundings using an integrated webcam, said Aaron Grattafiori and Josh Yavor, both security engineers at the firm ISEC Partners.

In a presentation at Black Hat on Thursday, the two researchers described the Samsung SmartTV as, essentially, a Linux device configured with a Webkit-based browser to run web pages and applications. The device is vulnerable to  many of the same web-based vulnerabilities as have been well documented in recent years, the researchers found.

In their presentation, the two showed how vulnerabilities in SmartHub, the Java-based application that is responsible for many of the SmartTV’s interactive features, could be exploited by a local or remote attacker to  surreptitiously activate and control an embedded webcam on the SmartTV. The researchers were able to conduct DNS poisoning and drive-by download attacks and show how vulnerabilities could be combined to steal local user credentials and those of connected devices, browser history, cache and cookies as well as credentials for the local wireless network, said Grattafiori.

ISEC Partners - BlackHat
Aaron Grattafiori and Josh Yavor, both security engineers at the firm ISEC Partners, conducted the research on the SmartTVs, reporting their findings to Samsung. They say similar vulnerabilities may lurk in other IP enabled consumer goods.

One of the most impressive hacks was against a Skype application on the SmartTV. The two researchers were able to show how malicious java script could be injected into Skype sessions as “mood messages,” forcing the application to restart. Other attacks could use similar remote code injection to access another Skype user’s stored data, account credentials and more. Hacks against vulnerable java apps could be used to take control and access APIs linked to that application, they said. 

The two researchers said the devices lack basic security features like firewalls or strong authentication requirements, though they admit that more recent models of the device may add such features. Samsung of the security flaws in January and that the firm took steps to create and distribute patches to deployed devices for several different models.

Some of the issues related to access to APIs (application program interfaces) will be fixed in the 2014 model. SmartTVs do support remote OTA (over the air) firmware and application updates, and can even force updates for key features like the web browser, while the vulnerabilities in the Skype application were fixed almost immediately, they said.

This isn’t the first time Samsung has found itself on the wrong side of security researchers over its SmartTV product. In December, 2012, the security firm ReVuln issued a video that warned of a remotely exploitable vulnerability in the SmartTV firmware. That vulnerability gave an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV.

The ReVuln exploit was in a 2011 SmartTV model, whereas Grattafiori and Yavor researched a later model. There have been subsequent SmartTV hardware updates since, Grattafiori told The Security Ledger. As a rule, SmartTVs are not easy targets for random and remote attackers. “I think practically, its still not a big enough platform to get a lot of people to put the effort in,” he said. However, the Samsung’s choice to build a framework on HTML and Javascript applications carries risks for manufacturers. “Building an OS out of that framework has some risks. We wanted to bring the idea to the attention of developers who might be building another OS or phone with HTML and Javascript,” he said.

As an example, Samsung’s decision to build a browser based on the Webkit technology exposes the devices to a range of security exploits against that platform.

Beyond that, targeted attacks against known SmartTV users are a distinct possibility, especially by way of a malicious SmartTV application that could be introduced into a SmartTV specific application store, said Yavor.

Still a relatively niche offering, smart TVs have already spawned a subculture of hackers who look for ways to defeat content control and security features on devices, for the purpose of installing their own applications or displaying blocked content on the devices. For example, Samygo.tv is a forum for hackers who specialize in “jailbreaking” Samsung firmware. Those forums have revealed much about the inner workings of smart devices, providing a solid foundation for future research, Grattafiori said.

“Embedded devices are becoming smarter. And as they get smarter, there’s a lot more attack surface,” he said. “Some of these things may seem far-fetched now, but five years from now when everything has an IPV6 address and is connected, it may be a different story.”

Comments are closed.