Samsung TVs: Smart, but insecure
21.12.2012
Millions of people have a computer in their living room and don't know it: modern TV sets contain powerful processors so that using apps and accessing web services runs smoothly. Security, however, apparently still gets far too little attention, as security expert Lee SeungJin found out. He took a close look at Samsung's widely used SmartTV platform and discovered all sorts of security problems.
It starts with the fact that all apps run with root privileges. The sandbox is not particularly robust either: in the APIs, which among other things allow access to the TV's camera and microphone, he found around ten security vulnerabilities. In addition, the security expert describes further potential attack paths such as specially prepared USB sticks, the TV signal and even infrared remote controls.
Dirty note on Samsung Smart TV Security
So, I’ve been pretty busy this year. I’ve been independently working for big companies and a training program by the Government (called BoB). And no need to mention having drinks both on weekdays and weekends with my buddies. Which means not much time to do research.
Fortunately, I made this December not so busy, so I started researching Samsung Smart TV security one month ago. Why Smart TV? Because it’s already popular worldwide and obviously it’s going to be more popular than now.
As the press says, over 54M Smart TVs were sold last year, and 80M Smart TVs have been sold this year already. But we can hardly see security research in the field (Revuln.com did a good job), so, why not? Why did I choose Samsung Smart TV? Because it’s the industry’s No.1 brand.
I bought 2 Samsung Smart TVs for research. Each is about $2,500. The model name is Samsung Smart TV ES8000 and there are a variety of models of it. My one is 46 inch, which is the smallest one. But it has as many features as the higher-inch models, so it’s fair enough to dig into.
As a quick review of the product, I’ve categorized attack surfaces of the TV. It can be
- Samsung Apps (This is like App store of Apple)
- Network (Internet, internal network, MiTM)
- Physical attack
- Broadcast signal
- Contents (DRM)
- Default installed apps and insecure storage
I’m still working on it but I want to mention some points. I will go first with the security architecture design of Samsung Smart TV. As you can see in the guideline on the Samsung Smart TV developer site (SAMSUNG SMART TV APPS Developer Forum), you can only develop Smart TV applications with HTML/Javascript/Flash.
They don’t allow you to write native programs in languages like C or C++. Besides the performance issue, it seems acceptable, since you can’t typically make malicious programs using Javascript/Flash as they work in something like a VM and you can’t use syscalls directly.
And it’s known that you can’t usually use file i/o calls or something like that in Javascript. But it almost doesn’t make sense making modern programs without file i/o. Therefore, Samsung gives you APIs that you can create/modify/remove files in Javascript. Also, they give you multiple API classes that you may control camera/mic and others.
But if you look at how your application works on the TV, you’d feel bad. The Smart TV uses Linux and there is only one account, ‘root’. So, basically all processes are running as ‘root’. The problem is that all applications made by programmers also run as ‘root’. (This is a very wrong design.)
['ps' result of the TV]
However, as I said before, running all processes as ‘root’ is wrong, which means if there is any vulnerable API, an attacker could compromise the TV and get the most privileged account. There are many classes of API and, as you can guess, I’ve found many APIs vulnerable. You can get ‘root’ very easily using the vulnerabilities. At this point, one thing I have to say is that, again, this is a wrong design even if the Samsung developers made all APIs secure. This is like a “sooner or later” problem. They will make more APIs anyway, and if anything is wrong, they are going to have bad times. They need to implement something like iOS’s MAC or Android’s isolation policy *at least*.
So, we’ve found around 10 API vulnerabilities so far, but we’re pretty sure there will be more. But we just stopped looking at it as there are more attack surfaces on Samsung Smart TV.
As all processes are running as ‘root’, if there is any pre-installed application that is vulnerable to a MiTM attack, again, an attacker can compromise the TV. Some applications are protected against MiTM attacks, but some are not. And some applications seem to be protected against MiTM attacks. For example, an application does automatic updates and it checks a new binary’s checksum.
But the problem is we can re-generate the checksum because we have the binaries and keys. I’ve seen any application using TPM like ARM TrustZone which means you easily get the keys on the machine. However, they may use ARM TrustZone when playing multimedia contents. (But I didn’t check this out yet.)
Next, there are many network daemons on the TV. There are over 10 TCP/UDP based programs. We’ve found some memory corruption-style bugs in some of them. Even though we’ve not managed to make working exploits, it’s just a matter of time.
Physical attack vectors are also nice for hackers. Pwning by USB sticks is becoming more notorious. You may have seen the excellent work by j00ru (Introducing the USB Stick of Death | j00ru//vx tech blog) before. I also did some research on that kind of bug in 2008, tho. It was crashing the NTFS driver when I put a USB stick into my laptop.
You may want more range when you do physical attacks; then an IrDA based remote controller would be a nice idea. We’ve figured out that there are some hidden commands in the remote controller protocols. So, we’ve been able to turn the debug mode on on our TV. Also, there is still a possibility that you could find some memory-corruption style vulnerabilities in the parsing of the protocol’s data.
Pwning by broadcast signal would be ideal as well. Samsung Smart TV lets you upgrade the firmware in 3 ways. You can upgrade via internet, USB and broadcast signal. I’m not sure why they offered users this way, but it’s probably for people who can’t use the internet. To be honest, we’ve not done any research on that part yet, but it’s obviously fun to take a look.
DRM attacks may be boring for hackers, but they’re critical to TV vendors. As far as I know, if your TV platform is weak against DRM attacks, the multimedia providers won’t give you the contents. And of course the contents business is really important in the field, so vendors like Samsung are trying to make it secure. Unfortunately, there are already media programs, but I hardly see them as secure. The typical packet sniffing works.
Last, there are minor issues in pre-installed applications. For example, there is a Facebook app, but it has a hard-coded secret key. I don’t know how important this key is; however, there are many insecure storage cases. For example, there are many private keys that look like they were created by Samsung.
The TV uses ARMv7. So, we’re doing ARM reversing. While reversing, we’ve pointed out some spots that might cause open source license issues. It’s known that there are law firms, especially in the US, that are ready to sue vendors who use open source in an improper way, so we want to be careful. I’ll explain about this topic after talking to Samsung.
I’ve quickly mentioned the attack surfaces so far. So, what’s the worst case if your Smart TV gets hacked? It’s probably when your TV does surveillance! ES8000 has a lot of hardware modules. There are WIFI/Bluetooth/UART/JTAG/etc and Camera/MIC!
Doesn’t Camera/MIC sound scary? We’re working on a demo in which our malicious program can record your motion/voice. Of course it sounds very scary, but it would be a good demo of how secure a Smart TV should be. Side note: I hardly put on clothes at home.
Besides the software stuff, there is some interesting hardware-related work. As I said, we found a way to enable the debug mode on the TV, and we just put a cable into EX-LINK; now we can see the UART messages without opening the TV box.
So, I think we’ve done 50% of this research so far. We hope this work will be done in January. Then, we’ll submit a talk to security conferences. There are my good friends who gave nice comments on our work: Mongii of Hackerschool, Tora of Google and Donato of Revuln. Thanks to the guys, and I hope I’m going to get this research done soon.
Also, I’ll put slides about Smart TV attack surfaces here. They were presented at small, local seminars. The seminars were for introducing the attack surfaces, not detailed technical stuff. So, feel free to enjoy and please give us good ideas if you have any. I need to stop writing before I’m too drunk!
Slides: samsung_smart_tv_attack_surfaces
Samsung TVs: Smart, but insecure | heise Security
Cu
Verbogener
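
Added example, not part of the post or the quoted blog: a small audit for the "everything runs as root" design described in the quoted note, run over a `ps` listing in BusyBox layout. The sample listing, the process names and the `app_runtime` marker are constructed for illustration and are not taken from the TV.

```python
from collections import Counter

# Constructed sample in BusyBox `ps` layout (PID USER VSZ STAT COMMAND).
# Process names and paths are hypothetical, not taken from the TV.
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1520 S    init
    2 root         0 SW   [kthreadd]
   57 root      2104 S    /sbin/udevd --daemon
  212 root     98344 S    /opt/tv/bin/ui_shell
  305 root     41200 S    /opt/tv/bin/app_runtime --app=weather_widget
  306 root     43888 S    /opt/tv/bin/app_runtime --app=video_store
  340 root      3312 S    /opt/tv/bin/netd -p 7676
"""

def parse_ps(text):
    """Return a list of {pid, user, command} dicts from BusyBox-style ps output."""
    rows = []
    for line in text.splitlines()[1:]:        # skip the header line
        parts = line.split(None, 4)           # the command itself may contain spaces
        if len(parts) < 5 or not parts[0].isdigit():
            continue                          # ignore malformed or truncated lines
        rows.append({"pid": int(parts[0]), "user": parts[1], "command": parts[4]})
    return rows

def audit(rows, app_marker="app_runtime"):
    """Summarise privilege separation among userland and third-party app processes."""
    # Kernel threads appear in [brackets]; they always run as root and are not the issue.
    userland = [r for r in rows if not r["command"].startswith("[")]
    accounts = Counter(r["user"] for r in userland)
    apps = [r for r in userland if app_marker in r["command"]]
    per_app_account = Counter(r["user"] for r in apps)
    return {
        "accounts": dict(accounts),
        # True when every userland process runs under one and the same account.
        "single_account": len(accounts) == 1,
        # App processes holding the most privileged account.
        "root_apps": [r["pid"] for r in apps if r["user"] == "root"],
        # Android-style isolation gives each app its own UID, so this should be empty.
        "apps_sharing_account": [u for u, n in per_app_account.items() if n > 1],
    }

if __name__ == "__main__":
    print(audit(parse_ps(SAMPLE_PS)))
```

On a layout with per-app accounts the same audit reports no root apps and no shared app accounts, which is the property the note asks for "at least".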