Dirty note on Samsung Smart TV Security

December 20, 2012

So, I’ve been pretty busy this year. I’ve been working independently for big companies and for a government training program (called BoB). And no need to mention having drinks on weekdays and weekends with my buddies. Which means not much time to do research.

Fortunately, I kept this December less busy, and about a month ago I started researching Samsung Smart TV security. Why Smart TV? Because it’s already popular worldwide and obviously going to get more popular than it is now.

As the press says, over 54M Smart TVs were sold last year, and 80M have been sold this year already. But we hardly see any security research in this field (Revuln.com did a good job), so, why not? Why did I choose Samsung Smart TV? Because it’s the industry’s No.1 brand.

I bought 2 Samsung Smart TVs for research, each about $2,500. The model is the Samsung Smart TV ES8000, which comes in a variety of sizes. Mine is the 46 inch, the smallest one, but it has the same features as the larger models, so it’s fair enough to dig into.

As a quick overview of the product, I’ve categorized the attack surfaces of the TV:

1. Samsung Apps (this is like Apple’s App Store)
2. Network (Internet, internal network, MiTM)
3. Physical attack
4. Broadcast signal
5. Contents (DRM)
6. Default installed apps and insecure storage

I’m still working on it, but I want to mention some points. I’ll start with the security architecture of the Samsung Smart TV. As the guidelines on the Samsung Smart TV developer site (http://samsungdforum.com) show, you can only develop Smart TV applications in HTML/JavaScript/Flash.

They don’t allow you to write native programs in languages like C or C++. Aside from the performance cost, this seems acceptable: you typically can’t write malicious programs in JavaScript/Flash, since they run in something like a VM and you can’t make syscalls directly.

And it’s known that you usually can’t use file I/O calls or the like from JavaScript. But it hardly makes sense to write modern programs without file I/O. Therefore, Samsung gives you APIs to create/modify/remove files from JavaScript. They also give you several API classes to control the camera/mic and other devices.

But if you look at how your application runs on the TV, you’d feel bad. The Smart TV runs Linux and there is only one account, ‘root’. So basically all processes run as ‘root’. The problem is that all applications written by third-party programmers also run as ‘root’. (This is a very wrong design.)

['ps' result of the TV]

  PID USER       VSZ STAT COMMAND
    1 root      1688 S    init
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    4 root         0 SW   [migration/0]
    5 root         0 SW   [migration/1]
    6 root         0 SW   [ksoftirqd/1]
    7 root         0 SW   [events/0]
    8 root         0 SW   [events/1]
    9 root         0 SW   [khelper]
   10 root         0 SW   [async/mgr]
   11 root         0 SW   [sync_supers]
   12 root         0 SW   [bdi-default]
   13 root         0 SW   [kblockd/0]
   14 root         0 SW   [kblockd/1]
   15 root         0 SW   [kmmcd]
   16 root         0 SW   [kdtvlogd]
   17 root         0 SW   [kswapd0]
   18 root         0 SW   [xfs_mru_cache]
   19 root         0 SW   [xfslogd/0]
   20 root         0 SW   [xfslogd/1]
   21 root         0 SW   [xfsdatad/0]
   22 root         0 SW   [xfsdatad/1]
   23 root         0 SW   [xfsconvertd/0]
   24 root         0 SW   [xfsconvertd/1]
   25 root         0 SW   [mmcqd]
   37 root      1692 S    -/bin/sh
   58 root      1692 S    /bin/sh /mtd_exe/rc.local
   67 root     1502m S    ./exeDSP
   88 root         0 SW   [aeMsgTask]
  149 root         0 SW   [khubd]
  247 root         0 SW   [flush-179:0]
  256 root     17692 S    /mtd_cmmlib/BT_LIB/bsa_server -all=0 -diag=0 -hci=0
  265 root         0 SW   [usbhid_resumer]
  458 root      234m S    /mtd_appdata/Runtime/bin/X -logfile /mtd_rwarea/Xlog
  579 root      486m S    /mtd_appdata/InfoLink/lib/WidgetEngine 67 51982
  657 root     16632 S    HAControl 37039 -1
  678 root         0 SW   [scsi_eh_0]
  679 root         0 SW   [usb-storage]
  709 root         0 DW   [scsi-poller]
  880 root         0 SW   [RtmpTimerTask]
  881 root         0 SW   [RtmpMlmeTask]
  882 root         0 SW   [RtmpCmdQTask]
  883 root         0 SW   [RtmpWscTask]
 1047 root      1688 S    udhcpc -i ra11n0 -t 5 -T 5 -b
 1067 root      3684 S N  /mtd_exe/Comp_LIB/UEP.b
 1075 root     10680 S    ./MainServer /mtd_rwarea/yahoo
 1079 root     10072 S    ./PDSServer
 1080 root     18656 S    ./AppUpdate com.yahoo.connectedtv.updater
 1112 root     18956 S    ./BIServer com.yahoo.connectedtv.samsungbi
 1133 root      361m T    /mtd_down/emps/empWebBrowser/bin/BrowserLauncher
 1368 root      9592 S    Download 42060 -1

And it seems Samsung’s developers try to prevent bad guys from writing malicious programs. How? They put you into a sandbox. For example, you can create files, but only in a specific directory. Technically, you can’t escape from the sandbox.

.text:0004BDFC ; jx_GetFullPath(char *, char *)
.text:0004BDFC                 EXPORT _Z14jx_GetFullPathPcS_
.text:0004BDFC
.text:0004BDFC var_820         = -0x820
.text:0004BDFC s               = -0x420
.text:0004BDFC ptr             = -0x20
.text:0004BDFC
.text:0004BDFC                 STMFD           SP!, {R4-R8,R11,LR}
.text:0004BE00                 ADD             R11, SP, #0x18
.text:0004BE04                 SUB             SP, SP, #0x800
.text:0004BE08                 MOV             R4, #0
.text:0004BE0C                 SUB             SP, SP, #0xC
.text:0004BE10                 MOV             R5, R0
.text:0004BE14                 MOV             R2, #0x400 ; n
.text:0004BE18                 MOV             R6, R1
.text:0004BE1C                 SUB             R0, R11, #-s ; s
.text:0004BE20                 MOV             R1, R4  ; c
.text:0004BE24                 STR             R4, [R11,#ptr]
.text:0004BE28                 BL              memset
.text:0004BE2C                 MOV             R1, R4  ; c
.text:0004BE30                 SUB             R0, R11, #-var_820 ; s
.text:0004BE34                 MOV             R2, #0x400 ; n
.text:0004BE38                 BL              memset
.text:0004BE3C                 LDRSB           R3, [R5]
.text:0004BE40                 CMP             R3, #0x2F ; /
.text:0004BE44                 BEQ             loc_4BEC0
.text:0004BE48                 CMP             R3, #0x2E ; .
.text:0004BE4C                 BEQ             loc_4BEC8
.text:0004BE50                 SUB             R8, R11, #-ptr
.text:0004BE54                 SUB             R7, R11, #-s
.text:0004BE58                 MOV             R1, R6
.text:0004BE5C                 SUB             R4, R11, #-var_820
.text:0004BE60                 MOV             R0, R8
.text:0004BE64                 BL              _Z20STR_AllocCopyDefaultPPcPKc 
.text:0004BE68                 MOV             R1, R5
.text:0004BE6C                 MOV             R0, R8
.text:0004BE70                 BL              _Z19STR_AllocCatDefaultPPcPKc 
.text:0004BE74                 MOV             R1, R7  ; resolved
.text:0004BE78                 LDR             R0, [R11,#ptr] ; name
.text:0004BE7C                 BL              realpath
.text:0004BE80                 MOV             R1, R4  ; resolved
.text:0004BE84                 MOV             R0, R6  ; name
.text:0004BE88                 BL              realpath
.text:0004BE8C                 MOV             R0, R4  ; s
.text:0004BE90                 BL              strlen
.text:0004BE94                 MOV             R1, R7
.text:0004BE98                 MOV             R2, R0
.text:0004BE9C                 MOV             R0, R4
.text:0004BEA0                 BL              _Z12STR_NcasecmpPKcS0_i 
.text:0004BEA4                 CMP             R0, #0
.text:0004BEA8                 LDR             R0, [R11,#ptr] ; ptr
.text:0004BEAC                 BNE             loc_4BEB8
.text:0004BEB0                 SUB             SP, R11, #0x18
.text:0004BEB4                 LDMFD           SP!, {R4-R8,R11,PC}
.text:0004BEB8                 CMP             R0, #0
.text:0004BEBC                 BNE             loc_4BEDC
.text:0004BEC0                 MOV             R0, #0
.text:0004BEC4                 B               loc_4BEB0
.text:0004BEC8                 LDRSB           R3, [R5,#1]
.text:0004BECC                 CMP             R3, #0x2E
.text:0004BED0                 BNE             loc_4BE50
.text:0004BED4                 MOV             R0, #0
.text:0004BED8                 B               loc_4BEB0
.text:0004BEDC                 BL              free
.text:0004BEE0                 MOV             R0, #0
.text:0004BEE4                 B               loc_4BEB0

- Pseudo code is like

jx_GetFullPath(filepath, stricted_directory) {
   if filepath starts with '/' or '..':
      return NULL
   fullpath = stricted_directory + filepath
   if realpath(fullpath) does not start with realpath(stricted_directory):
      free(fullpath)
      return NULL
   return fullpath
}
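As an added example (not the TV’s own code), here is a C reconstruction of the confinement check that the jx_GetFullPath listing above performs, run against a constructed directory tree. confined_full_path, run_demo and the /tmp tree are assumptions, and the '/'-boundary test after the prefix match is hardening I added that the listing does not show.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/stat.h>
#include <unistd.h>
/* Mirrors the listing: refuse a leading '/' or "..", concatenate
 * base + name, realpath() both, then compare the first strlen(base)
 * bytes case-insensitively (STR_Ncasecmp). Returns a malloc'd path, or
 * NULL when the name resolves outside the sandbox; the caller frees it. */
char *confined_full_path(const char *name, const char *base)
{
    char resolved[PATH_MAX], base_resolved[PATH_MAX];
    if (name[0] == '/' || (name[0] == '.' && name[1] == '.'))
        return NULL;                    /* absolute or leading "..": refused */
    size_t len = strlen(base) + strlen(name) + 1;
    char *joined = malloc(len);
    if (joined == NULL) return NULL;
    snprintf(joined, len, "%s%s", base, name);
    /* realpath() requires the target to exist and collapses any ".."
     * in the middle of the name, which the leading-char test misses. */
    int ok = realpath(joined, resolved) != NULL &&
             realpath(base, base_resolved) != NULL;
    size_t blen = ok ? strlen(base_resolved) : 0;
    /* Prefix match as in the listing, plus a boundary check the listing
     * does not show (added hardening): the match must end at '/' or at
     * the end of the string, so "<base>2/..." is not accepted. */
    ok = ok && strncasecmp(base_resolved, resolved, blen) == 0 &&
         (resolved[blen] == '/' || resolved[blen] == '\0');
    if (!ok) {
        free(joined);
        return NULL;
    }
    return joined;
}
/* Constructed tree (assumption, created under /tmp at run time):
 *   <tmp>/sandbox/sub/        <tmp>/sandbox/ok.txt
 *   <tmp>/sandbox2/evil.txt   <tmp>/outside.txt
 * Returns how many of the four probes behave as intended (4 = all). */
int run_demo(void)
{
    char tmpl[] = "/tmp/jxdemoXXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    const char *rel[] = { "/sandbox", "/sandbox/sub", "/sandbox2",
                          "/sandbox/ok.txt", "/sandbox2/evil.txt", "/outside.txt" };
    char p[PATH_MAX], base[PATH_MAX];
    for (int i = 0; i < 6; i++) {          /* first three are directories */
        snprintf(p, sizeof p, "%s%s", tmpl, rel[i]);
        if (i < 3) mkdir(p, 0700);
        else close(open(p, O_CREAT | O_WRONLY, 0600));
    }
    snprintf(base, sizeof base, "%s/sandbox/", tmpl);
    const char *probe[] = { "ok.txt",                     /* inside: allowed */
                            "../outside.txt",             /* leading "..": refused */
                            "sub/../../outside.txt",      /* escapes via realpath: refused */
                            "sub/../../sandbox2/evil.txt" /* prefix sibling: refused */ };
    int good = 0;
    for (int i = 0; i < 4; i++) {
        char *r = confined_full_path(probe[i], base);
        good += (i == 0) ? (r != NULL) : (r == NULL);
        free(r);
    }
    for (int i = 5; i >= 0; i--) {         /* remove the constructed tree */
        snprintf(p, sizeof p, "%s%s", tmpl, rel[i]);
        if (i < 3) rmdir(p); else unlink(p);
    }
    rmdir(tmpl);
    return good;
}
```

Note that realpath() only succeeds for paths that exist, so a name pointing at a not-yet-created file is refused by this check regardless of where it would land.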

However, as I said before, running all processes as ‘root’ is wrong, which means that if any API is vulnerable, an attacker could compromise the TV and get the most privileged account. There are many classes of API and, as you’d guess, I’ve found many vulnerable APIs. You can get ‘root’ very easily using these vulnerabilities.

At this point, one thing I have to say is that, again, this is a wrong design even if Samsung’s developers made all the APIs secure. This is a “sooner or later” problem. They will keep adding APIs, and if anything goes wrong in one of them, they are going to have a bad time. They need to implement something like iOS’s MAC or Android’s isolation policy *at least*.

So, we’ve found around 10 API vulnerabilities so far, but we’re pretty sure there will be more. We just stopped looking at it, as there are more attack surfaces on the Samsung Smart TV.

As all processes run as ‘root’, if any pre-installed application is vulnerable to a MiTM attack, again, an attacker can compromise the TV. Some applications defend against MiTM attacks, and some don’t. And some applications only seem to defend against it. For example, an application does automatic updates and checks the new binary’s checksum.

But the problem is that we can regenerate the checksum because we have the binaries and the keys. I haven’t seen any application using a TPM-like facility such as ARM TrustZone, which means you can easily get the keys off the machine. However, they may use ARM TrustZone when playing multimedia content. (I haven’t checked this out yet.)

Next, there are many network daemons on the TV: over 10 TCP/UDP based programs. We’ve found some memory-corruption-style bugs in some of them. We haven’t managed to make working exploits yet, but it’s just a matter of time.

Physical attack vectors are also nice for hackers. Pwning by USB stick is getting more notorious. You may have seen the excellent work by j00ru (http://j00ru.vexillium.org/?p=1272). I also did some research on that kind of bug in 2008, though. It was crashing the NTFS driver when I put a USB stick into my laptop.

You may want more range for physical attacks; then an IrDA-based remote controller would be a nice idea. We’ve figured out that there are some hidden commands in the remote controller protocol, and with them we’ve been able to turn on debug mode on our TV. There is also still a possibility that you could find memory-corruption-style vulnerabilities in the parsing of the protocol data.

Pwning by broadcast signal would be ideal as well. The Samsung Smart TV lets you upgrade the firmware in 3 ways: via internet, USB and broadcast signal. I’m not sure why they offered users the last one, but it’s probably for people who can’t use the internet. To be honest, we haven’t done any research on that part yet, but it’s obviously fun to take a look at.

DRM attacks may be boring for hackers, but they’re critical to TV vendors. As far as I know, if your TV platform is weak against DRM attacks, the multimedia providers won’t give you the content. And of course the content business is really important in this field, so vendors like Samsung try to make it secure. Unfortunately, there are already media programs, but I hardly see them as secure. Typical packet sniffing works.

Last, there are minor issues in pre-installed applications. For example, there is a Facebook app, but it has a hard-coded secret key. I don’t know how important this key is; however, there are many insecure storage cases. For example, there are many private keys that look like they were created by Samsung.

The TV uses ARMv7, so we’re doing ARM reversing. While reversing, we’ve spotted some places that might cause open-source license issues. It’s known that there are law firms, especially in the US, ready to sue vendors who use open source improperly; we want to be careful, so I’ll explain this topic after talking to Samsung.

I’ve quickly covered the attack surfaces so far. So, what’s the worst case if your Smart TV gets hacked? Probably when your TV does surveillance! The ES8000 has a lot of hardware modules: WIFI/Bluetooth/UART/JTAG/etc and a Camera/MIC!

Doesn’t Camera/MIC sound scary? We’re working on a demo in which our malicious program records your motion/voice. Of course it sounds very scary, but it would be a good demo of how secure a Smart TV should be. Side note: I hardly put on clothes at home.

Besides the software stuff, there is some interesting hardware-like work. As I said, we found a way to enable debug mode on the TV, and we just plugged a cable into EX-LINK; now we can see the UART messages without opening the TV box.

So, I think we’ve done 50% of this research so far. We hope this work will be done in January. Then we’ll submit a talk to security conferences. Some good friends commented nice stuff on our work: Mongii of Hackerschool, Tora of Google and Donato of Revuln. Thanks to the guys, and I hope I’m going to get this research done soon.

Also, I’ll put slides about Smart TV attack surfaces here. They were presented at small local seminars. The seminars were for introducing the attack surfaces, not detailed technical stuff. So, feel free to enjoy them and please give us good ideas if you have any. :) I need to stop writing before I’m too drunk!

Slides: samsung_smart_tv_attack_surfaces

39 Comments
  6. Anonymous

    On Samsung Smart TVs the browser is not starting if you block the encrypted calling-home session.
    Any idea how to kill this “feature”?

Trackbacks & Pingbacks

  1. Hintergrund: Samsung-TVs: Smart, aber unsicher | Edv-Sicherheitskonzepte.de – News Blog aus vielen Bereichen
  2. honeynet project chapter » » Things to read before EOF(2012);
  3. Samsung Smart TV: sus fallos de seguridad al detalle
