Posted by david b.
on December 7, 2013
This final section of SeungJin Lee’s Black Hat presentation outlines hidden photo and video recording on Smart TV, and contains the takeaways for the study.
We’ve implemented two surveillance programs. One is taking pictures and sending the photos to my server automatically. The second is recording video and doing some live streaming stuff.
The self-surveillance program
A photo taker
Implementing a photographer
To make that rootkit program, I had to understand how the camera and mic work on Smart TV. I mean, you’ve got to understand very low-level stuff, because there is some API (see rightmost image above). You can control the camera and mic using DOS APIs, but it’s application level, which means you cannot be in the background. So users may notice there is some malicious program working. I had taken that second option. I went to understand that low-level stuff, I mean, to use the camera and the mic.
Analyzing the camera program
So, I figured out I’ve got to open that /tmp/stream_socket and send the camera these commands, like StopSecCamStreaming and SetMicVolume, and things like that (see right-hand image). This is a protocol between the camera device and the user’s web process. If you send those commands to the socket, it takes a picture. It’s like length – command, command – length values and things like that (see leftmost image below). This is the dump for SetCamVideoDisplaySize. You see that there is length and value; it’s very easy to recognize.
Protocol for the commands
A video taker
To implement the video taker (see middle image above), I figured out: to take a video recording, you’ve got to call those functions. So I did reverse engineering of almost the whole binary (rightmost image above). If you set the resolution – you see that, the numbers – you’re just doing setup stuff. And finally it will start to record using the camera.
ReadBuffer sounds always good
But we wanted to make it live streaming, which means you’ve got to dump that recording file into the file system (see right-hand image). Well, actually you could do that, you could send the dump in memory directly without making a file. But we made this for fun, so we just chose the easier way. When you see the CMoIPBuffer::Read() function, you see the bad location and the good location (see leftmost and middle images below). If you can jump to the good location, there is an ‘fopen’ function. It is actually for opening a file and dumping the video buffer into it. I think this is test code for developers. But in our binary we actually go to the bad location by default. You can do binary fetching (see rightmost image below). If you can read the ARM code to jump to the good location, you’ve got to set arg1 + 0x1c not to 0 but, for example, to 1. Using the code, you can set that value to 1, and after that it will dump the video buffer into a file in the file system.
Thanks for the code, dev!
Ok, now I’ll tell you about real-world video surveillance I tested. I got a shell from my Smart TV. All processes are running with root privilege. I’m injecting some modules into the main binary, I mean, the TV binary. The streaming server is to record using the camera. When I start, it’s downloading the video buffer; a very old media player. It is watching what’s going on around. This streaming is not reliable though. There might be a one-minute delay, because I had to restart this program. I explained that my rootkits are working 24 hours. I give some signal, and then I’m going to turn it off. Maybe after one minute you will see the video.
Do you remember that the AP Twitter account got hacked, like, two months ago? I read a newspaper after this accident, and their stock points in the USA went down 1%. 1% is actually huge, isn’t it?
AP Twitter account hack
Hoax on Smart TV
Of course it’s possible to show some text to make a hoax on Smart TV (see middle image above). As you see, there are many APIs by the vendor, and using those APIs you could show text, you could show movies, images, music, everything. You could do that. But you cannot use those APIs, because it cannot be in the background, so users will know that there is some malicious program running. I had to make it on a low level, so I again did reverse engineering of the binary and I found some interesting functions (see rightmost image above). CCText is running text. There are some alternatives to show messages on Smart TV. When you click some manual on the remote controller and it shows some text messages, the function flow is like that: first, there are some other functions, and then CKeyHelpBar::SetLastIndex(), CKeyHelpBar::OrderingMarker(), CCTextDrawing::Text(), and VTP::Print.
Difficulties of the analysis
So, you see those APIs. You may think that it might be easy to find it, but in Smart TV there are over 10,000 functions, and it’s around 300 MB, so it’s very hard to find the right function to do whatever you want (see right-hand image). And also, to use that API you’ve got to make sure. I mean, you see just a simple text box, but actually there are many components inside: label, color, font, size, partition, so you have to make sure to show messages to victims.
Basically, anything can be possible on Smart TV if you hack Smart TV, because it’s just like a regular PC. So, if you understand how Smart TV works, how Smart TV processes work, you can do whatever you want.
So, it’s time for the conclusion. I have to say that probably Smart TV hacking doesn’t bring money as much as smartphone hacks, but I believe that personal privacy is more important, I mean, money is also important as well, but personal privacy is very important. That’s why the Smart TV industry should make their TVs more secure. They have to think about it very seriously.
If you hack a Smart TV, it’s a really nice platform, especially for surveillance, because the power is always connected and they have a camera and a mic inside. It can be located in private places, like it could watch your bed. I’m not really sure how deceiving Smart TV users by making a hoax affects people, but this might be a good case. Of course we’re planning to release all the code after the conference, so you can check out updated slides or material on grayhash.com. We have some time for Q&A, and RIP Barnaby Jack. Any questions?
Question: Did you report your findings to the vendor – Samsung?
Answer: First of all, I didn’t say it was Samsung, but I did report this to the vendor, of course. They have fixed some vulnerabilities already, and they are trying to make it more and more secure. They are doing great. Other questions?
Question: Do these vulnerabilities apply to more than one vendor?
Answer: Well, I have to say that all the Smart TVs from multiple vendors are vulnerable; not the same attack points, not the same vulnerabilities, but they are also very vulnerable. Thank you for attending my talk!
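As an added illustration of the length-prefixed command framing the talk describes for /tmp/stream_socket, here is a small decoder written for this page from a defender's point of view; it is not code from the talk or from grayhash.com. The exact byte layout (a 4-byte little-endian length before each command string and before each argument blob) is an assumption made for this example, since the talk only describes the protocol as length/command pairs and names the commands StopSecCamStreaming, SetMicVolume and SetCamVideoDisplaySize. The sample dump is constructed. The point is how such a capture can be split into records and audited for camera and mic control commands, and how a truncated capture is reported rather than decoded as garbage.

```python
import struct

# Assumed framing (not specified in the talk): each record is
#   <u32 LE length><ASCII command><u32 LE length><argument bytes>
CAMERA_MIC_COMMANDS = {
    "StopSecCamStreaming",
    "SetMicVolume",
    "SetCamVideoDisplaySize",
}


def encode_message(command: str, value: bytes = b"") -> bytes:
    """Build one length-prefixed command/value record (assumed layout)."""
    cmd = command.encode("ascii")
    return (struct.pack("<I", len(cmd)) + cmd
            + struct.pack("<I", len(value)) + value)


def decode_dump(data: bytes) -> list:
    """Split a captured socket dump into (command, value) pairs.

    Raises ValueError on a truncated record so that a partial capture is
    reported instead of being silently decoded as garbage.
    """
    records = []
    pos = 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError(f"truncated command length at offset {pos}")
        (clen,) = struct.unpack_from("<I", data, pos)
        pos += 4
        if pos + clen > len(data):
            raise ValueError(f"truncated command at offset {pos}")
        command = data[pos:pos + clen].decode("ascii")
        pos += clen
        if pos + 4 > len(data):
            raise ValueError(f"truncated value length at offset {pos}")
        (vlen,) = struct.unpack_from("<I", data, pos)
        pos += 4
        if pos + vlen > len(data):
            raise ValueError(f"truncated value at offset {pos}")
        records.append((command, data[pos:pos + vlen]))
        pos += vlen
    return records


def is_complete_dump(data: bytes) -> bool:
    """True if the dump parses into whole records, False if it is cut short."""
    try:
        decode_dump(data)
        return True
    except ValueError:
        return False


def audit_camera_commands(records) -> list:
    """Return the camera/mic control commands seen, in order, for review."""
    return [cmd for cmd, _ in records if cmd in CAMERA_MIC_COMMANDS]


# Constructed sample dump: a display-size setup, a mic volume change and a
# stop-streaming command, as a defender might capture from the socket.
SAMPLE_DUMP = b"".join([
    encode_message("SetCamVideoDisplaySize", struct.pack("<II", 640, 480)),
    encode_message("SetMicVolume", struct.pack("<I", 50)),
    encode_message("StopSecCamStreaming"),
])


if __name__ == "__main__":
    for command, value in decode_dump(SAMPLE_DUMP):
        print(f"{command:24s} value={value.hex() or '-'}")
    print("camera/mic commands:", audit_camera_commands(decode_dump(SAMPLE_DUMP)))
```

Run stand-alone it lists the three constructed records and the camera/mic commands among them; pointing decode_dump at a real capture would first require confirming the actual framing, which this example only assumes.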
Read previous: Hacking, Surveilling, and Deceiving Victims on Smart TV 4: Ways to Deploy Surveillance