
Hacking, Surveilling, and Deceiving Victims on Smart TV 2: Attack Vectors

Having outlined the key features of Smart TV technology, SeungJin Lee now focuses on reverse-engineering its exploitable components for attack purposes.

Smart TV attack vectors

I’m going to talk about the Smart TV attack vectors (see right-hand image). I want to say that a Smart TV has almost the same attack vectors as a smartphone has. I categorized 4 attack vectors. One of them is a hacker who uploads malicious apps to the app market. Smart TV has a market, like Android has Google Play and iOS has the App Store, things like that. It has its own market. There are other vectors as well; I will talk about them in more detail later.

Starting Smart TV research

How do I start research (see right-hand image) on Smart TV? It’s pretty much the same as when you do it on mobile devices. For example, when you do research on Android or iOS, you’ve got to root it first so that you can understand the internals and test the stuff you want. It is the same here: even though the Smart TV uses Linux, the vendors don’t give us any shell, so you can’t access the box. So we’ve got to find a way to get a shell on the Smart TV.

Firmware analysis issues emerging from the start

First I tried to download the firmware for my Smart TV model, but the problem was that at the time my Smart TV was very new, so the Samygo site didn’t have any information for my TV. So I decided to get it another way (see left-hand image). As I told you, the Smart TV binaries are very huge, which means that even though there are only older versions of the firmware, there must be a lot of code shared between the older version and the later version. I just downloaded the older firmware and started to analyze the binaries.

Benefits from using IDA and UART

You have IDA, which supports the ARM architecture as well, which means you can do static analysis using IDA. But I wanted to go an easier way, so I decided to use UART. Actually, UART is pretty basic hardware. Why I tried to use UART is that normally embedded developers put a lot of debug messages in the code. They usually go to the UART port, because many embedded systems don’t have monitors, so if you connect to the UART port and redirect the messages to your box, you can see all the messages the developers made. Of course, we still need to do reverse engineering, but if you find some strings, that makes reverse engineering a lot easier, because these binaries are very huge. And you see exception messages when you cause some memory corruption on the box, like a buffer overflow, things like that.

Enabling UART

By default UART mode is disabled, so you’ve got to enable it before using UART (see left-hand image). There are two ways to get into Service Mode. I had to take the second one, because the first one doesn’t have Advanced Mode; only Advanced Mode has the option of enabling UART. Usually a normal remote controller doesn’t have the Info or Factory key, so you’ve got to generate the key yourself (see leftmost image below). You see 0x1f and 0x3b, which match Info and Factory. I got this from Samygo, by the way, so you program this and you send it via – yeah, I made this one – this (see middle image below) is for sending IR signals. I used Arduino. You see that Advanced Mode and UART are enabled. So, some configuration (rightmost image below).

Adding some code

More tips and tricks

UART enable commands
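The key-code generation step described above, as an added example in Python (this is not the speaker’s Arduino sketch, which the page only shows as an image): it builds the 32-bit frame for the Info (0x1f) and Factory (0x3b) keys quoted in the talk and expands it into the mark/space timings an IR LED driver would emit. The frame layout, the timing constants and the TV device address 0x07 are assumptions taken from the commonly documented Samsung pulse-distance format, not from the talk; the sanity check against the widely published power code 0xE0E040BF is likewise an assumption.

```python
# Added example: Samsung-style IR key frames for the service-mode keys.
#
# Assumed protocol (hobbyist IR library documentation, not the talk):
#   header 4500us mark + 4500us space; each bit is a 560us mark followed by a
#   560us (0) or 1690us (1) space; 560us stop mark; ~38 kHz carrier.
#   Payload: address, address, command, inverted command, each sent LSB first.
#   The TV device address is assumed to be 0x07.

HEADER_MARK_US = 4500
HEADER_SPACE_US = 4500
BIT_MARK_US = 560
ZERO_SPACE_US = 560
ONE_SPACE_US = 1690
STOP_MARK_US = 560

TV_ADDRESS = 0x07  # assumed Samsung TV device address

# Key numbers quoted in the talk (taken from Samygo).
KEYS = {"info": 0x1F, "factory": 0x3B}


def reverse_bits8(value):
    """Reverse the bit order of one byte (LSB-first wire order <-> MSB-first word)."""
    value &= 0xFF
    out = 0
    for _ in range(8):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out


def build_frame(address, command):
    """32-bit frame in the MSB-first form IR libraries print (e.g. 0xE0E040BF).

    Each byte goes out LSB first, so the printed word holds the bit-reversed
    address twice, the bit-reversed command and the bit-reversed inverted command.
    """
    a = reverse_bits8(address)
    c = reverse_bits8(command)
    nc = reverse_bits8(~command)
    return (a << 24) | (a << 16) | (c << 8) | nc


def frame_to_timings(frame):
    """Expand a frame into alternating mark/space durations (microseconds),
    starting with the header mark and ending with the stop mark."""
    timings = [HEADER_MARK_US, HEADER_SPACE_US]
    for bit in range(31, -1, -1):  # the frame word is transmitted MSB first
        timings.append(BIT_MARK_US)
        timings.append(ONE_SPACE_US if (frame >> bit) & 1 else ZERO_SPACE_US)
    timings.append(STOP_MARK_US)
    return timings


def key_timings(name):
    """Timings for one of the service-mode keys named in the talk."""
    return frame_to_timings(build_frame(TV_ADDRESS, KEYS[name]))


if __name__ == "__main__":
    for name in KEYS:
        frame = build_frame(TV_ADDRESS, KEYS[name])
        t = key_timings(name)
        print(f"{name:8s} frame=0x{frame:08X} pulses={len(t)} total={sum(t)} us")
```

Driving an Arduino from this list means keeping the 38 kHz carrier on the LED for each mark and off for each space; a library such as IRremote does the same expansion internally from the 32-bit frame, so the frame value is what you would hand to it.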


 
Ready to find bugs

I think we are ready for reverse engineering on Smart TV. So you have binaries and you can do static analysis. You can get some useful messages from the Smart TV via the UART port. My strategy is to find vulnerabilities in the Smart TV, I mean, to get the shell. The first step is static analysis, I mean reverse engineering. Next, if I think I’ve got something interesting, I mean to try to trigger that vulnerability, I do a test. The third step is that after the test I read the messages from the Smart TV so that I can know whether my payload is working or not. If it didn’t work, I would repeat this process until I find 0-days in the Smart TV.
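The third step of that loop, reading the UART console to learn whether a payload did anything, as an added example (not the speaker’s tooling): a small Python triage script run over constructed console lines in the style of the Linux ARM fault report that the kernel prints for a crashing user process. The process name, paths, timestamps and register values below are made up for the example; only the message formats follow the kernel’s.

```python
import re

# Constructed sample UART console output (not a capture from a real TV).
# "tv_app" and the paths are hypothetical; the fault and register lines follow
# the format the ARM Linux kernel prints when user-space fault reporting is on.
SAMPLE_UART_LOG = """\
[   12.345678] tv_app: loading widget index.html
[   12.401122] tv_app: File.read path=/app/widgets/demo/data.txt
[   13.009871] tv_app: File.read path=../../etc/passwd
[   13.010004] tv_app: path rejected (traversal)
[   15.220011] tv_app: unhandled page fault (11) at 0x41414141, code 0x017
[   15.220050] pc : [<41414141>]    lr : [<b6f12a34>]    psr: 60000010
[   15.220090] sp : be9ff2d0  ip : 00000000  fp : be9ff2f4
[   18.000000] tv_app: restarting
"""

# "<comm>: unhandled page fault (<signal>) at 0x<addr>, code 0x<fsr>"
FAULT_RE = re.compile(
    r"(?P<proc>[^\s:\]]+): unhandled page fault \((?P<sig>\d+)\) "
    r"at 0x(?P<addr>[0-9a-fA-F]+), code 0x(?P<fsr>[0-9a-fA-F]+)"
)
# Register dump that follows the fault line.
REGS_RE = re.compile(
    r"pc : \[<(?P<pc>[0-9a-fA-F]+)>\]\s+lr : \[<(?P<lr>[0-9a-fA-F]+)>\]"
)

FSR_WRITE = 1 << 11  # ARM fault status register "write, not read" bit


def parse_faults(log_text):
    """Return one dict per fault, attaching pc/lr from the register dump that follows."""
    faults = []
    pending = None
    for line in log_text.splitlines():
        m = FAULT_RE.search(line)
        if m:
            pending = {
                "proc": m["proc"],
                "signal": int(m["sig"]),
                "addr": int(m["addr"], 16),
                "write": bool(int(m["fsr"], 16) & FSR_WRITE),
                "pc": None,
                "lr": None,
            }
            faults.append(pending)
            continue
        m = REGS_RE.search(line)
        if m and pending is not None and pending["pc"] is None:
            pending["pc"] = int(m["pc"], 16)
            pending["lr"] = int(m["lr"], 16)
    return faults


def triage(fault, marker):
    """Classify one fault against the marker value the test payload was filled with.

    'pc-control'   : the program counter equals the marker, so the payload reached
                     the instruction pointer (the case that leads to a shell).
    'addr-control' : a data access faulted at the marker, i.e. a controlled pointer.
    'uncontrolled' : a crash, but nothing attacker-chosen is visible in it.
    """
    if fault["pc"] == marker:
        return "pc-control"
    if fault["addr"] == marker:
        return "addr-control"
    return "uncontrolled"


def summarize(log_text, marker_bytes=b"AAAA"):
    """One summary line per fault; the marker is the payload filler read as a
    little-endian ARM word (b"AAAA" -> 0x41414141)."""
    marker = int.from_bytes(marker_bytes, "little")
    lines = []
    for f in parse_faults(log_text):
        kind = "write" if f["write"] else "read"
        pc = f"{f['pc']:08x}" if f["pc"] is not None else "?"
        lines.append(
            f"{f['proc']}: signal {f['signal']} {kind} fault at {f['addr']:08x} "
            f"pc={pc} -> {triage(f, marker)}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_UART_LOG):
        print(line)
```

Piping the live serial console through a script like this turns the repeat loop into a quick yes/no per test: a fault whose pc is the filler value is worth a closer look in IDA, a fault at some unrelated address usually is not.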

Smart TV app store

After this work I’ve gotten, like, 10 vulnerabilities in Smart TV in almost every attack vector. The first one is – I told you that Smart TV has its own app store, but developers can only use HTML, JavaScript and Flash. You cannot use native languages like C or C++. There are two reasons, I think. The first one is portability, and the second one is the security policy.

Why am I mentioning the security policy here? What does it mean to write only in JavaScript and Flash? For security researchers it means that basically JavaScript and Flash are virtual machines, which means you cannot do system calls directly and you cannot access files directly. There isn’t really much you can do in a VM. That’s why I told you this is because of the security policy.

Attack points for app store

In the app store we have two big attack points (see left-hand image). A Smart TV app runs in the web browser, which means the Smart TV web browser has the web libraries that desktops have, like WebKit, and they use Adobe Flash. Attacking WebKit or Flash is very traditional, so I passed on this one; I was focusing more on the second part, which is the SDK.

SDK features

You cannot make many useful programs using only JavaScript or Flash, so the vendor gives you an SDK so that it’s easier for developers to make applications (see right-hand image). For example, you can use the file I/O API, you can control the network, or you can control the screen.

Security policy for apps

But the thing is that JavaScript and Flash are virtual machines, but you can use this API from JavaScript, and this API is implemented at the native level, which means if you find some vulnerabilities inside, you would get access to the box.

Issue with sandboxing

Most of the APIs do sanity checks (see left-hand image). You see this function for when you try to do a directory traversal, “../”; it is very simple, by the way.

The problem is that they don’t have a sandbox, so if there is any vulnerable API, it’s all gone, because, as you see, every application runs with root privileges. So if there is any single API bug, you would get root privilege on the box.
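The “reject ‘../’” style of sanity check described above, next to a canonicalize-then-contain check, as an added example (not the vendor’s SDK code). It is written in Python for illustration; on the TV the equivalent check sits in native code behind the JavaScript file API, and because every app runs as root, filesystem permissions will not catch whatever the check misses. The directory tree, the file names and the probe strings are constructed for the example.

```python
import os
import shutil
import tempfile


def naive_is_safe(user_path):
    """Substring blacklist in the spirit of the check on the slide:
    rejects the classic '../' traversal and nothing else."""
    return "../" not in user_path


def resolve_in_app_dir(app_dir, user_path):
    """Return the canonical path if it stays inside app_dir, else None.

    realpath() collapses '.' and '..' and follows symlinks, so the containment
    test is made on the path the kernel would actually open, not on the string
    the app supplied.
    """
    root = os.path.realpath(app_dir)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def check_probes(app_dir, probes):
    """Map probe label -> (naive check allowed it, hardened check allowed it)."""
    return {
        label: (naive_is_safe(p), resolve_in_app_dir(app_dir, p) is not None)
        for label, p in probes.items()
    }


def run_demo():
    """Build a throwaway tree (constructed for this example) and run both checks
    over paths an app might hand to a native file API."""
    base = tempfile.mkdtemp(prefix="tvapp_")
    try:
        app_dir = os.path.join(base, "app")
        os.makedirs(app_dir)
        secret = os.path.join(base, "secret.txt")  # outside the app directory
        with open(secret, "w") as fh:
            fh.write("not for the app\n")
        with open(os.path.join(app_dir, "data.txt"), "w") as fh:
            fh.write("app data\n")
        probes = {
            "normal": "data.txt",        # legitimate access
            "classic": "../secret.txt",  # what the blacklist was written for
            "dotdot_only": "..",         # no slash after '..', so no '../' substring
            "absolute": secret,          # join() discards root for an absolute path
        }
        link = os.path.join(app_dir, "link")
        try:
            os.symlink(secret, link)
            probes["symlink"] = "link"   # the name is inside, the target is not
        except OSError:
            pass                         # platform without symlink support
        return check_probes(app_dir, probes)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for label, (naive, hardened) in run_demo().items():
        print(f"{label:12s} naive={'allow' if naive else 'deny':5s} "
              f"hardened={'allow' if hardened else 'deny'}")
```

Three of the probes pass the substring check and only the canonicalized containment test stops them; with no sandbox and root privileges behind the API, each of those is a full read of a file the app was never meant to see.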
 

Read previous: Hacking, Surveilling, and Deceiving Victims on Smart TV

Read next: Hacking, Surveilling, and Deceiving Victims on Smart TV 3: Exploitable Vulnerabilities
