Having outlined the key features of Smart TV technology, SeungJin Lee is now focusing on reverse-engineering its exploitable components for the attack purpose.

I’m going to talk about the Smart TV attack vectors (see right-hand image). I want to say that Smart TV has almost the same attack vectors as a smartphone has. I categorized 4 attack vectors. One of them is a hacker who uploads malicious apps to the app market. Smart TV has a market like Android has Google Play and iOS has the App Store, things like that. It has its own market. There are other vectors as well; I will talk about this in more detail later.

How do I start research (see right-hand image) on Smart TV? It’s pretty much the same as when you do it on mobile devices. For example, when you do research on Android or iOS, you’ve got to root it first so that you could understand the internals, so that you could test the stuff you want. This is the same: even though the Smart TV uses Linux, the vendors don’t give us any shell, so you can’t access the box. So we’ve got to find a way to get a shell from the Smart TV.

First I tried to download the firmware for my Smart TV model, but the problem was that at the time my Smart TV was very new, so the Samygo site didn’t have any information for my TV. So I decided to get it another way (see left-hand image). As I told you, the Smart TV binaries are very huge, which means that even though there are older versions of firmware, there must be a lot of the same code between the older version and the later version. I just downloaded the older firmware and started to analyze the binaries. You have IDA, which supports ARM architecture as well, which means you could do static analysis using IDA. But I wanted to go an easier way, so I decided to use UART. Actually UART is pretty basic hardware. The reason I tried to use UART is that normally embedded developers put a lot of debug messages in the code.
It usually goes to the UART port, because many embedded systems don’t have monitors, so if you hook up the UART port and redirect the messages to your box, you can see all the messages which the developers made. Of course, we need to do reverse engineering. If you find some strings, that means it’s a lot easier to do reverse engineering, because these binaries are very huge. And you see some exception messages when you do some memory corruption on the box, like buffer overflow, things like that.

By default the UART mode is disabled, so you’ve got to enable it before using UART (see left-hand image). There are two ways to get into Service Mode. I had to take the second one, because the first one doesn’t have Advanced Mode; only Advanced Mode has the option of enabling UART. Usually a normal remote controller doesn’t have the info or factory key, so you’ve got to generate the key yourself (see leftmost image below). You see 0x1f and 0x3b that match the info and factory keys. I got this from Samygo, by the way, so you program this and you send it via, like – yeah, I made this one – this (see middle image below) is for sending IR signals. I used Arduino. You see that Advanced Mode and UART are enabled. So, some configuration (rightmost image below).
The problem is that they don’t have a sandbox, so if there is any vulnerable API, it’s all gone, because you see that every application is running with root privilege, so if there is any single API bug, you would get root privilege on the box.
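The talk makes the point that the UART console is valuable because the exception messages it prints tell you when a test input corrupted memory. The following is an added example of how a tester typically consumes that console output; it is not code from the talk or from the TV vendor. The log lines are constructed for illustration (they imitate the ARM Linux kernel's "Unhandled fault" / "pc : [<...>]" / "Internal error: Oops" format, but are not captured from a real device), and the helper names are my own.

```python
import re

# Constructed sample of what a UART console might print while an app on an
# ARM Linux set-top box is exercised with a marker-filled test input.
# These lines are made up for illustration, not captured from a real TV.
SAMPLE_UART_LOG = """\
[AppMgr] launching app id=12 name=weather
[NetStack] GET /forecast?city=Seoul
[AppMgr] app exited, code=0
Unhandled fault: page domain fault (0x01b) at 0x41414141
pc : [<41414141>]    lr : [<4001c8f4>]    psr: 60000010
Internal error: Oops: 817 [#1] PREEMPT
[AppMgr] restarting app id=12
"""

# One regex per line type we care about (formats assumed, see lead-in).
FAULT_RE = re.compile(
    r"^Unhandled fault: (?P<kind>.+?) \((?P<code>0x[0-9a-f]+)\) at (?P<addr>0x[0-9a-f]+)"
)
PC_RE = re.compile(r"^pc : \[<(?P<pc>[0-9a-f]+)>\]\s+lr : \[<(?P<lr>[0-9a-f]+)>\]")
OOPS_RE = re.compile(r"^Internal error: Oops: (?P<code>[0-9a-f]+)")


def parse_uart_log(text):
    """Scan UART console output and return one dict per fault report found.

    A report starts at an "Unhandled fault" line; the following "pc :" and
    "Internal error" lines are folded into the same record.
    """
    crashes = []
    current = None
    for line in text.splitlines():
        m = FAULT_RE.match(line)
        if m:
            current = {
                "kind": m["kind"],
                "fault_code": m["code"],
                "addr": int(m["addr"], 16),
                "pc": None,
                "lr": None,
                "oops": None,
            }
            crashes.append(current)
            continue
        if current is None:
            continue  # ordinary debug chatter outside a fault report
        m = PC_RE.match(line)
        if m:
            current["pc"] = int(m["pc"], 16)
            current["lr"] = int(m["lr"], 16)
            continue
        m = OOPS_RE.match(line)
        if m:
            current["oops"] = m["code"]
            current = None  # record complete
    return crashes


def is_marker_pattern(value):
    """True if a 32-bit value is one byte repeated (e.g. 0x41414141).

    Test inputs are usually filled with such a marker byte, so a register
    holding it is a strong sign the crash was driven by the input rather
    than by an unrelated bug.
    """
    b = value.to_bytes(4, "big")
    return value != 0 and len(set(b)) == 1


def triage(text):
    """Parse the log and flag records whose program counter carries the marker."""
    return [
        {**rec, "pc_from_input": is_marker_pattern(rec["pc"] or 0)}
        for rec in parse_uart_log(text)
    ]


if __name__ == "__main__":
    for rec in triage(SAMPLE_UART_LOG):
        print(rec)
```

Feeding the console output through a parser like this (for example by tailing the serial device with `cat /dev/ttyUSB0` piped into the script) turns the noisy debug stream into a short list of faults, each tagged with whether the program counter holds the test input's marker, which is the detail a tester needs to decide which crash to look at first.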
Read previous: Hacking, Surveilling, and Deceiving Victims on Smart TV