SmartTV Security


SmartTV Security for Fun & Non-Profit, as presented by me and Joaquim Espinhara in Silver Bullet 2012.

  • ----- Meeting Notes (11/8/12 10:58) ----- Talk a bit about the spiders.
  • Raw data: Cornelio Procopio, Parana, Brazil; Recife, Pernambuco, Brazil; Ribeirao Preto, Sao Paulo, Brazil; Mexico City, Mexico; Melbourne, Australia; Hong Kong; Bangalore, India; Tucson, AZ; Grand Rapids, MI; Los Angeles, CA; San Francisco, CA; Portland, OR; Raleigh, NC; Colorado Springs, CO; Denver, CO; Milwaukee, WI; Austin, Texas; Boston, Massachusetts; Denver, Colorado; Indianapolis, Indiana; New York City, New York; Ottawa, Canada; Milwaukee; Cincinnati; Cleveland; Washington DC; Sao Paulo, Brazil; London, UK; Manchester, UK; Luton, UK; Malaga, Spain; Chicago, IL; Helena, MT; Tulsa, OK
  • ----- Meeting Notes (11/8/12 10:58) ----- Brands used: LG and SAMSUNG
  • ----- Meeting Notes (11/8/12 10:58) ----- Example: Sony video talking about how easy it is. It doesn't have to be hard.
  • ----- Meeting Notes (11/8/12 10:58) ----- Add the TV's hardware specifications.
  • ----- Meeting Notes (11/8/12 10:58) ----- plexapp.com; LG exclusive
  • Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.
  • US$24, Teensy 3.0 US$19, self-contained USB device emulation
  • USB host emulation using Python code
  • Add a photo of the TV's HDMI input. Comment on: HEC – HDMI Ethernet Channel; HDCP – High-bandwidth Digital Content Protection; CEC – Consumer Electronics Control
  • Add a photo of the applications dashboard. Talk about the available browsers. Add a video of the fuzzing crashing the TV. Add an image of the Flash update.
  • Old ref fuzzer. The problem is debugging the crash, since some TVs do not readily offer a debug mode.
  • Talk a bit about fuzzing. Fuzzing in the simulator obviously has its particularities, since many features are not available.
  • Virtual Box
  • SmartTV Security

    1. SmartTV Security - For Fun and Non-Profit. Presented by: Joaquim Espinhara/Ulisses Albuquerque (jespinhara@trustwave.com/ualbuquerque@trustwave.com). © 2012
    2. Who is SpiderLabs?
        SpiderLabs is the elite security team at Trustwave, offering clients the most advanced information security expertise and intelligence available today. The SpiderLabs team has performed more than 1,500 computer incident response and forensic investigations globally, as well as over 15,000 penetration and application security tests for Trustwave’s clients. The global team actively provides threat intelligence to both Trustwave and growing numbers of organizations from Fortune 50 to enterprises and start-ups. Companies and organizations in more than 50 countries rely on the SpiderLabs team’s technical expertise to identify and anticipate cyber security attacks before they happen.
        Featured Speakers at: Featured Media:
    3. SpiderLabs – International Footprint
    4. Agenda
        • Disclaimers
        • Motivation
        • Concepts
        • Why “Smart”?
        • Attack Vectors
        • Tools
        • Future Work
        • Conclusion
    5. $ finger @jespinhara
        • Network Security consultant for Trustwave SpiderLabs
    6. $ finger @urma
        • App Security consultant for Trustwave SpiderLabs
            – Managed security services (full stack)
            – Trusted [Virtual] Computing
            – Linux device drivers
            – Scripting/dynamic language love all around
            – C whenever static typing is needed
                • OO is fun, Java/C++ are not
                • Breaking stuff is fun, building stuff is funnier, building stuff to break stuff is awesome
    7. Disclaimers
        • This talk focuses on a small subset of Smart TV manufacturers
            – TV sets are expensive, more intrusive tests void warranties and might brick the devices
            – We used our personal TVs during the tests
            – Manufacturers were not chosen, just what we already had at hand
    8. Motivation
        • Most devices now provide hardware that is good enough even for high-end consumers
            – Hardware alone is no longer enough to drive new purchases
            – Software adds possibility of further sales through application stores
            – Devices have turned into full-fledged software platforms
        • TVs are ubiquitous
            – Full blown OS in networked devices everywhere
    9. Motivation
        • Current research is focused on specific devices/platforms/techniques
            – Google TV (Dwenger & Rosenberg, DEFCON20)
            – Smart TV Fuzzing (Kuipers, Starck & Heikkinen, whitepaper)
            – HDMI Fuzzing (Andy Davis, Blackhat12)
            – SamyGO Project (alternative firmware for Samsung TVs)
            – OpenLG TV Project (alternative firmware for LG TVs)
    10. Motivation
        • Hacks are still device/platform specific
            – Enough common ground for a framework though
            – Smart TVs share many common devices and attack vectors
            – Network attacks are particularly interesting due to interoperability between manufacturers
                • UPnP/DLNA is present in >90% of all TVs
    11. Motivation
    12. Why “Smart”?
        • Analog TV signal, digital logic only applies to audio/video post-processing
        • Digital TV signal, audio/video combined with interactive content and control data, more robust microcontrollers/components required
    13. Why “Smart”?
        • Manufacturers had to upgrade the components in their devices to handle digital TV
            – Interactivity (Ginga, HbbTV, Tru2way)
            – Bandwidth (1080i versus 480p video, 5.1 versus 2.0 audio)
        • Beefier components allow for full-fledged software stacks
    14. Why “Smart”? (images: Samsung Smart Hub, LG Dashboard)
    15. Why “Smart”?
    16. Why “Smart”?
        Samsung & LG have over 40% of the market
        http://www.reghardware.com/2012/06/20/lcd_tv_shipments_slip_for_first_time_ever/
    17. Why “Smart”?
        • Models
            – LG 47LW5700
            – LG 32LV3700
            – Samsung UN32C5000
    18. Attack Vectors (diagram: Physical Access, Network, Application, Digital TV)
    19. Attack Vectors
        • Network
            – UPnP/DLNA
                • Enabled by default
                • Not possible to disable on most TV sets
                • Device enumeration/fingerprinting
                • Media playback abuse
                • Information leaks
                • Focus on device interoperability and home use scenarios
    20. Attack Vectors
            NOTIFY * HTTP/1.1
            HOST: 239.255.255.250:1900
            CACHE-CONTROL: max-age=1800
            LOCATION: http://192.168.0.14:37904/MediaRenderer1.xml
            NT: upnp:rootdevice
            NTS: ssdp:alive
            SERVER: Linux/2.6.28.9 UPnP/1.0 DLNADOC/1.50 INTEL_NMPR/2.0 LGE_
            USN: uuid:1b12f5e8-1dd2-11b2-9d7b-de7e1af3b7bb::upnp:rootdevice
    21. Attack Vectors
            <pnpx:X_compatibleId>MS_DigitalMediaDeviceClass_DMR_V001</pnpx:X
            <pnpx:X_deviceCategory>MediaDevices</pnpx:X_deviceCategory>
            <df:X_deviceCategory> Multimedia.DMR</df:X_deviceCategory>
            <df:X_modelId>LG Digital Media Renderer TV</df:X_modelId>
            <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
            <friendlyName>47LW5700-SA</friendlyName>
            <manufacturer>LG Electronics</manufacturer>
            <manufacturerURL>http://www.lge.com</manufacturerURL>
            <modelDescription>UPnP Media Renderer 1.0</modelDescription>
    22. Attack Vectors
        • Network
            – IP Remote Control
                • Implemented by most major manufacturers
                    – Samsung
                    – LG
                    – Sony
                    – Panasonic
                • Non-interoperable between brands (as expected)
                • Multiple implementations between device generations
                    – Unmaintained old versions unlikely to be patched
                • Fragmentation makes ubiquitous exploits difficult
    23. Attack Vectors
    24. Attack Vectors
    25. Attack Vectors
        Request:
            POST /hdcp/api/auth HTTP/1.1
            Content-Type: application/atom+xml
            Content-Length: 74
            Host: 192.168.0.116:8080
            Connection: Keep-Alive

            <?xml version="1.0" encoding="utf-8"?>
            <auth><type>AuthKeyReq</type></auth>
        Response:
            HTTP/1.1 200 OK
            Date: Fri Dec 30 13:44:44 2011 GMT
            Server: LG HDCP Server
            Pragma: no-cache
            Cache-Control: no-store, no-cache, must-reva
            Connection: close
            Content-Length: 122
            Content-Type: application/atom+xml; charset=

            <?xml version="1.0" encoding="utf-8"?>
            <envelope>
            <HDCPError>200</HDCPError>
            <HDCPErrorDetail>OK</HDCPErrorDetail>
            </envelope>
        • No SSL
        • Session is persistent (pairing)
        • No device authentication aside from session
    26. Attack Vectors
    27. Attack Vectors
    28. Attack Vectors
    29. Attack Vectors
        • Network
            – IP Remote Control
                • lgcommander.py
                    – https://github.com/ubaransel/lgcommander
                    – Grants access to service menus through IP remote control interface
                    – Can be used to enable serial console (Busybox) in certain models
                    – Contains mapping of all remote control keycodes
                • Automated remote control through network, including interaction with applications
                    – Many applications contain paid content
                    – Automate purchase of fraudulent/useless paid applications in market
    30. Attack Vectors
        • Network
            – Firmware upgrades
                • Requires MITM and spoofing all checked attributes of the firmware images
                • Images are encrypted, but keys have been leaked for some manufacturers
                • Recent models also digitally sign firmware images
                • Most TVs allow upgrades through USB mass storage devices, which does not require network setup
    31. Attack Vectors
        • Physical Access
            – USB
                • All recent TV sets include at least a USB port, many include more
                • USB ports are used for
                    – Mass storage access (for media files and firmware upgrades)
                    – Network devices (wireless dongles)
                    – Input devices (uncommon, keyboard/mouse)
                • Vulnerabilities in USB device drivers could be exploited by specially crafted USB hardware
                    – caiaq USB audio interface device long name http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0712
    32. Attack Vectors
        Teensy++ 2.0: http://www.pjrc.com/teensy/
    33. Attack Vectors
        Facedancer: http://goodfet.sourceforge.net/hardware/facedancer10/
    34. Attack Vectors
        • Physical Access
            – HDMI
                • Display Data Channel (DDC), I2C based communication between devices for “plug and play” operation
                    – Used by High-bandwidth Digital Content Protection (HDCP) and Extended Display Identification Data (EDID)
                • Consumer Electronics Control (CEC)
                    – Used to control multiple devices using a single remote control
                    – Trademarked names used by manufacturers
                        • Anynet (Samsung)
                        • Simplink (LG)
                        • Bravia SYNC (Sony)
    35. Attack Vectors
        • Physical Access
            – HDMI
                • HDMI Ethernet Channel (HDMI 1.4)
                • Audio Return Channel (HDMI 1.4)
            – HDMI is not a one-way high bandwidth bus only
                • Spanning/routing support
                • Bidirectional communication
                • Hot plug support
    36. Attack Vectors
    37. Attack Vectors
        • Application
            – Browser
            – Browser Plugins
            – Market
    38. Attack Vectors
        • Application
            – Browser
    39. Attack Vectors
        • Application
            – Browser Plugins
    40. Attack Vectors
        • Application
            – Browser Plugins
    41. Attack Vectors
        • Physical Access
            – RS-232C
    42. Fuzzing
        • Emulator
            – Netcast 2.0 (2011)
                • Flash Player 9 or lower (Netcast 2011 does not support Flash Player 10).
            – Netcast 3.0 (2012)
    43. Fuzzing - Emulator
        • Netcast 2.0
    44. Fuzzing - Emulator
        • Netcast 3.0
    45. Future Work
        • Focus on different manufacturers
            – A lot of common ground in major features and , but many subtle differences in implementations
        • SmartBUZZWORD Fuzzer Framework
        • Firmware Rootkit
        • 0days
    46. Conclusions
        • Lots of scary disclaimers and warnings in many references
            – Many tests could have gone further, but TV sets are expensive
        • Boss, we need budget to go further in our tests
            – TV set(s) we can poke around without fear
            – USB fuzzing hardware
            – HDMI test hardware
            – Advanced tests
    47. Questions?
    48. Trustwave SpiderLabs
        SpiderLabs is an elite team of ethical hackers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world.
        More Information:
        Web: https://www.trustwave.com/spiderlabs
        Blog: http://blog.spiderlabs.com
        Twitter: @SpiderLabs
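
Slides 19 to 21 list fingerprinting and information leaks as UPnP/DLNA issues. The following is an added example, not code from the talk, that audits what a single SSDP announcement and its device description disclose to any host on the LAN. The NOTIFY text is the one on slide 20; the description document is a constructed, well-formed stand-in reusing slide 21's values, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# SSDP announcement as shown on slide 20 (the SERVER value is cut off there).
NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.0.14:37904/MediaRenderer1.xml\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "SERVER: Linux/2.6.28.9 UPnP/1.0 DLNADOC/1.50 INTEL_NMPR/2.0 LGE_\r\n"
    "USN: uuid:1b12f5e8-1dd2-11b2-9d7b-de7e1af3b7bb::upnp:rootdevice\r\n\r\n"
)
# Constructed, well-formed description document reusing the slide 21 values.
DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
    <friendlyName>47LW5700-SA</friendlyName>
    <manufacturer>LG Electronics</manufacturer>
  </device>
</root>"""
UPNP_NS = {"d": "urn:schemas-upnp-org:device-1-0"}

def parse_ssdp(message):
    """Return (start_line, headers) with header names upper-cased."""
    lines = message.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def disclosed_facts(message, description_xml):
    """List what a passive LAN listener learns from one ssdp:alive message."""
    start, headers = parse_ssdp(message)
    if not start.startswith("NOTIFY ") or headers.get("NTS") != "ssdp:alive":
        return {}
    facts = {"description_url": headers.get("LOCATION"), "usn": headers.get("USN")}
    # SERVER is a list of product/version tokens (OS kernel, UPnP stack, ...).
    for token in headers.get("SERVER", "").split():
        product, _, version = token.partition("/")
        if version:
            facts["server." + product] = version
    device = ET.fromstring(description_xml).find("d:device", UPNP_NS)
    if device is not None:
        for tag in ("friendlyName", "manufacturer", "deviceType"):
            value = device.findtext("d:" + tag, namespaces=UPNP_NS)
            if value:
                facts[tag] = value.strip()
    return facts
```

The result shows the kernel version and exact TV model exposed without any authentication. For documents fetched from real devices, parse with a hardened XML parser such as defusedxml.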
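
Slide 25 notes that the IP remote control pairing exchange runs without SSL and with no device authentication beyond the session, so a network monitor can read every pairing attempt. The following added example, not code from the talk, flags pairing-key requests from hosts outside an allowlist. The captured requests, source addresses, allowlist and function names are constructed assumptions; only the path, TV address and request body come from the slide.

```python
import xml.etree.ElementTree as ET

# Pairing request body from slide 25 (74 bytes, matching its Content-Length).
BODY = '<?xml version="1.0" encoding="utf-8"?><auth><type>AuthKeyReq</type></auth>'


def request(path, body=""):
    """Build a constructed cleartext request to the TV address on slide 25."""
    method = "POST" if body else "GET"
    return (f"{method} {path} HTTP/1.1\r\nHost: 192.168.0.116:8080\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed capture of (source IP, raw request); the sources are made up.
CAPTURE = [
    ("192.168.0.50", request("/hdcp/api/auth", BODY)),
    ("192.168.0.77", request("/index.html")),
    ("192.168.0.99", request("/hdcp/api/auth", BODY)),
    ("192.168.0.99", request("/hdcp/api/auth", "<auth><type>")),
]
KNOWN_CONTROLLERS = {"192.168.0.50"}  # assumption: hosts expected to pair


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def auth_type(body):
    """Return the <type> of an <auth> document, or None if it is not one."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None
    return root.findtext("type") if root.tag == "auth" else None


def pairing_alerts(capture, known):
    """Report pairing-key requests that come from hosts outside the allowlist."""
    alerts = []
    for src, raw in capture:
        method, path, headers, body = parse_request(raw)
        if method == "POST" and path == "/hdcp/api/auth" \
                and auth_type(body) == "AuthKeyReq" and src not in known:
            alerts.append((src, headers.get("host")))
    return alerts
```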
