SMOLD TV: Old & Smart

SMOLD TV: Old & Smart
Gerard Fuguet (gerard@fuguet.cat)
Abstract
The life cycle of an object is finite, doesn’t last forever, have an expiration date but
most of the times is unknown… The old concept of buying is to have a strong principle
of durability but, human forgets that the material almost always has another replacement
for the same thing or other with similar functionalities.
The type of item we will cover in this white paper is about a Smart TV, a quite old
model one from 2011 epoch but, still works almost the first day it was bought. We
found a vulnerability that affects to the viewing/emission of a viewer/spectator/audience
producing a denying of their service (DoS).
We will demonstrate things like these TV’s deserves “a second life“. Vendors would
desire bring support to it, covering these errors avoiding the planned obsolescence
(without focus on the “death of the item”) in order to protect from all types of nowadays
cyberattacks.
1

Table of Contents
1. Motivation.................................................................................................3
2. SWL [Samsung Wireless Link].................................................................3
2.1. Wireless Spores...................................................................................4
2.2. Air Dress Code....................................................................................7
2.2.1. Windows WPS to WPA/2.............................................................9
2.2.2. Linux WPS to WPA/2.................................................................12
2.3. Host offerings to Guests....................................................................15
3. D o S Attack............................................................................................16
3.1. (pixied) Bully....................................................................................18
3.1.1. Videometer..................................................................................19
3.1.2. PostMortem.................................................................................20
3.2. (bits) Reaver......................................................................................23
3.2.1. Time Thief...................................................................................24
4. Conclusions.............................................................................................26
5. References...............................................................................................29
2

1. Motivation
On a typical standard day of my life, I was watching my Smart TV when suddenly
rebooted without any previous notice. At this moment, my thoughts were about has not
enough hardware resources like RAM, CPU or other related errors, because perhaps the
TV was very old and electronic components started to degrade. I had the SWL (Samsung
Wireless Link) [1] by mistake activated because I were doing some “pen-tests” and
inventory tasks.
Figure 1: SWL (Samsung Wireless Link) option on Menu Settings
I felt some concern so decided to do research about the vulnerabilities this Smart TV
has. Found one affecting to the SWL component when is activated, generating a Wi-Fi
Access Point [2] [3]. Normally, when someone found a vulnerability and shares
publicly, an identification number is created to identify properly. In this case, there is no
CVE ID assigned but, there is a VulDB (strange/odd because VulDB cooperates with
Mitre and the corresponding CNA). The security researchers [2] [3] said using the
reaver tool [4] (an WPS auditor toolkit) was able to break the WPA2 password in a few
seconds (default pin was all zeroes according to the researcher’s tests). TV uses WPS
mechanism to establish the connection with the client using the PBC (Push Button
Configuration) [5] method.
Decided to try replicate to see if the TV gained the “enough intelligent” to be protected
against these bad situations. We will talk later about the problem we found.
2. SWL [Samsung Wireless Link]
Is the given name for the HotSpot/AccessPoint functionality of the TV to let devices
share content through this “hotline”. Smart TV offers it too when there is no
infrastructure mode (meaning TV is not connected to a network) so devices cannot be
added to the same network or, TV is in contact with a network through Ethernet but Wi-
Fi devices don’t want establish a connection through an AP that not belongs to the TV
infrastructure for several reasons.
3

This function seems reside in OFF mode with the help of last firmwares updates in
order to not to disturb with their powerful/strong signal [6] and to protect your network
against unwanted intruders [3]. Of course, we are always curious about the way it is
build and decide to check it out, you can turn it ON through the remote control easily
following the steps below:
Menu - Network - SWL(Samsung Wireless Link) - SWL(Samsung Wireless Link) –
Activate
Note: I operated with these commands under Spanish TV language. Some word action
may differ.
2.1. Wireless Spores
When you want to connect to a wireless network, what is the first thing you looking for,
their SSID name or the emitting power? Probable has more sense figure out on the
power of their emission because we don’t know about their name, it doesn’t show on
any place of the process but has a name, and this Wi-Fi is not hidden. It shows as:
SEC_LinkShare_XXXXXX
Where “X” represents the last 6 digits of the MAC of the… Wi-Fi interface? No, about
the Ethernet interface.
If using a nowadays Windows 10, you will be aware about the PBC (Push Button
Configuration) function because it supports WPS.
4

Figure 2: Windows 10 Wireless Manager aware about WPS options
Note: Words in the above figure 2 are in Spanish.
Near the “writing the security wireless key”, it says; “You can also connect by pushing
the button on the router.” Is well noted that this message is universal/global when it
detects PBC as config, and when this option appears, WPS is implicitly imposed.
More detailed information can be retrieved if you use other tools like airodump-ng from
aircrack-ng suite (having a compatible wireless card supporting monitor mode) as seen
in the following figure:
Figure 3: Kali Linux: WPS available options under airodump-ng
Modern version support WPS detailed info, showing it in their respective column (at
right, between AUTH and ESSID). Just need to insert the argument –wps in command. It
notifies the version and then the types that are LAB and PBC. The theory says LAB is a
label where PIN code (8 digit) is notated and PBC means the button style configuration
(in the TV case, this is by software, triggered through the menu).
Channel is operating in number 11 here, but further investigation tells us can be
switched to the number 1, so can be different on each reboot (no other channels
observed).
We can also save the capture directly through airodump-ng putting --write like this:
airodump-ng --write capture --beacons --channel 11 wlan0mon
(Where beacons mean record all the beacons instead of only save one). Or do the record
into the Wireshark (prefixing the channel selection before in order to stay sure we are
sniffing the correct one) for a post observation on the packets using the favorite reader
(of course, we are talking about Wireshark! Plus, you will record including the radio
header!!). The packets we are expect, need to be Probe Responses or Beacon Frames in
the moment the TV “pushed the button”. Normal/Standard Beacon Frames don’t deliver
the configuration WPS methods (if no station does Probe Requests).
A Wi-Fi capture take lot of unwanted packets, this forces to implement a good display
filter of what is needed. We took the following (short as possible):
wlan.ta == e4:e0:c5:xx:xx:xx && (wlan.ra == 00:27:10:xx:xx:xx || wlan.ra ==
ff:ff:ff:ff:ff:ff) && (wps.config_methods || wps.selected_registrar_config_methods)
“What the hell” means this? Well, going to explain each part of display filter:
5

wlan.ta → Is the transmitted/origin MAC address of the TV which, is their
responsibility to inform about what it offering to others by the air.
wlan.ra → Is the receive/destination MAC address of the client who receives the
information provided by TV. This can be the broadcast address too when TV is offering
to all (Beacon Frames).
wps.config_methods → Available WPS methods, shown in a Probe Response
wps.selected_registrar_config_methods → Show the methods at the time AP act as
registrar (it pushes the button) so the Probe Response packet is more longer in size. The
Beacon Frames also appear here indicating that AP is ready to pair.
And… how the parenthesis works in filter? I remember those math classes in school that
seemed to be of no use but in real life, definitively has lot of sense! This is the same as
putting it (the long way, still functional):
(wlan.ta == e4:e0:c5:xx:xx:xx && wlan.ra == 00:27:10:xx:xx:xx &&
wps.config_methods) || (wlan.ta == e4:e0:c5:xx:xx:xx && wlan.ra == ff:ff:ff:ff:ff:ff
&& wps.config_methods) || (wlan.ta == e4:e0:c5:xx:xx:xx && wlan.ra ==
00:27:10:xx:xx:xx && wps.selected_registrar_config_methods) || (wlan.ta ==
e4:e0:c5:xx:xx:xx && wlan.ra == ff:ff:ff:ff:ff:ff &&
wps.selected_registrar_config_methods)
Let’s see now a comparison between 2 Beacon Frames packets and then, between 2
Probe Responses when they are under non pairable mode and ready to pair.
Figure 4: Beacon Frame comparison: rest mode (left) and pairable PBC mode (right)
Starting with Beacon Frames comparison;
First difference is the length of the packet when is under rest/standard mode, has 254
bytes vs 271 of the Beacon Frame when it is ready to pair, the packet increases in 17
more bytes (271-254) adding 3 more parameters in tag as can be shown in above figure.
6

Figure 5: Probe Response comparison: rest mode (left) and pairable PBC mode (right)
Continuing with Probe Responses comparison;
The incremental on size is still 17 bytes (364-347) and it adds same 3 more packets
added in Tag: vendor Specific: Microsoft Corp.: WPS but not after the last tag, in that
case is between Wifi Protected Setup State: Configured (0x02) and Response Type: AP
(0x03)
If the goal of client is only needed to know the rest of WPS modes, it doesn’t need to
interact in case of AP is ready to pair (only wait to capture for a Beacon Frame is more
than enough) or wait until get a Probe Response that does not belong to client whose is
interested in.
2.2. Air Dress Code
There are places like: special events, restaurants, etc. that demands some requirements
for their access. One type of term used for this is the dress code and consist of bring a
proper wearing to attend. In the case to connect to the AP, need some similar
requirement like the case of the dress code type. For example, for an Android in order to
have the minimum requirements, need to be a compatible version because WPS was
deprecated in Android 9 [7] or you can use other compatible devices having Windows
10 as OS for example to get luck in the connection.
For start the connection, the first steps to implement are through the TV, need enable
the compatible WPS AP to allow clients to connect;
- Step 1: Enable SWL. The status by default, is OFF (can be seen at chapter 1.) need to
follow the steps at the end of the chapter 2 to put it ON. The result is shown in next
figure.
7

Figure 6: SWL (Samsung Wireless Link) activation of the AP
- Step 2: Pair PBC mode. Interface is enabled but WPA2 password is not known (yet)
so… There is only one path to bonding with AP and is initiating the connection pushing
the button;
Conexión SWL (in English, Connection SWL).
Figure 7: SWL (Samsung Wireless Link) pairing PBC mode
A pop up with a 120 second countdown appears. Is the time any device with WPS
support must establish a connection against the TV.
This simulate the PBC mechanism (can be physically or virtual, this is a virtual case).
The PBC could have been done before in client instead of the screen (The Walk Time
interval or countdown is still valid within these seconds).
We are going to see how is doing through Windows and Linux respectively within this
time.
8

2.2.1. Windows WPS to WPA/2
Is easy to do this under Windows (in the example a 10 version). We only just need to
choose the desired wireless, click in Connect the WPS compatible AP, will aware you as
seen in figure 2 then the state automatically changes to establishing connections/get
configuration from router because TV is under Walk Time period.
Figure 8: Windows 10 Wireless Manager aware acquiring network configuration through PBC
You can read in Spanish “Obteniendo configuración del enrutador” (in English means
getting router configuration). That’s all to complete the connection with the respective
compatible client.
What is happening between the communication of the client and AP when is
establishing/negotiate to “be part of the network member”?
A capture, with the help of airodump-ng in the same channel where AP operates
(capturing all possible relations between computer & TV) was done. Also, we took a
cleaning (or good filter) taking the relevant packets that describes the situation.
9

Figure 9: Connection establishment WPS schema
The diagram of the figure 9, shows the different requests and responses messages
represented by the arrows lines. The order of the petitions starts at top and ends with last
line. There are a total of 37 packets. Laptop generates 18 (coming from) and TV 19
respectively. 2 beacon packets at the beginning are from TV, the first beacon is
indicating their network capabilities, the second beacon is same plus PBC because TV is
putting in “pair” mode. The packet number 3 is the moment when laptop decides to start
the joining process. If we do a measurement of time between the packet 3 and the last
packet number 37, we have 2,072406 seconds (taking our saved .cap file as origin, this
may be varied depending on some conditions).
We won’t enter in more detail about the composition of every packet of the sequence
(out of scope in this paper) but 2 important parts can be denoted from first Probe
Request to the other. One is about the WPS transactions and the other about the WPA/2
key procedure (famous/AKA 4-way handshake). This situation of the connection
establishment must be compared with a real situation to explain little better. Imagine at
your new acquired work, someone of the IT team brings you the temporarily password
in a small piece of paper and you hook it in a computer deployed by the company until
finalize the consolidation of the password. The password in paper is like WPS and the
final password, that you supposed to choose final & changed, is the WPA/2.
10

Now, a good question could be… How can we connect a non-compatible device with a
WPS network style? Retrieving the WPA/2 password that always exist in background. In
fact, the WPS is not the final key who lives/resides in perpetual mode, it’s only an
intermediary to obtain the credential for the encryption of the communication of the link
between client/station and AP. How to do this? In Windows exist 2-way.
- Live WPA/2 GUI Way:
This is easiest and can be done all through graphical interface, but the only drawback is
that it can only be done during the connection to the Wi-Fi network (not works if client
is disconnected).
Enter to the Connections/Adapter Options and then follow the below figure steps…
Figure 10: Windows 10: Network Connection/Adapter Options. Showing Wi-Fi Password
during connection
Double click on Wi-Fi adapter – Wireless Properties – Security tab. After pressing
Show characters password appears.
Note: An elevated credentials are needed to show the password when tick the box.
- OFFline WPA/2 CLI Way:
If the connection against SEC_LinkShare_XXXX network was successful using wireless
manager, password is stored until you decide to forget it.
This is the one line in CMD to show the password:
netsh wlan show profile SEC_LinkShare_* key=clear
11

Figure 11: Windows 10: Showing the WPA2 password with netsh tool
The SSID can be typed partially and ending with an asterisk (*) to autocomplete the rest
of the Wi-Fi network if you don’t remember entirely and to avoid the use of another
command to show the saved profiles.
2.2.2. Linux WPS to WPA/2
A Kali Linux distribution was used for this purpose:
12

Figure 12: Kali Linux; showing the detailed version
We prefer inserting the corresponding version just in case these commands differ if
another edition (Kali distribution) is used (old or newer).
Two processes are mandatory and executed in separate command line windows,
wpa_supplicant and wpa_cli will be our toolchain. But first, need to stop any process
that can be conflicting with the help of airmon-ng (also used to put an interface into
monitor mode).
Figure 13: Kali Linux: Killing Wi-Fi processes
A configuration file must be created before starting, this is like a “cue file” for
wpa_supplicant with the minimum setup.
Figure 14: Kali Linux; Creating the .conf file for wpa_supplicant
Following the good standards (or best practices) the .conf file name is called
wpa_supplicant.conf and saved in a recommended path [8]. With the help of echo
command, the file can be created “on the fly” and 2 lines are needed:
ctrl_interface; Tell to use wpa_supplicant mechanism
13

update_config; Allows to save the key WPA2 passphrase in the wpa_supplicant.conf
file.
Last line commands are for invoke/initialize the wpa_supplicant with a pair of
parameters.
-i; Choosing the interface which wpa_supplicant is going to move from.
-c; Choose and location of the .conf file.
Is all ready to use the second tool in a separate window, the wpa_cli [9]
Figure 15: Kali Linux; Complete steps to the connection of a WPS-PBC network
14

As the WPS Wi-Fi network is PBC type, indicating the first command observed in the
above figure, it’s the only necessary. Joined to the wireless without an IP? OK…
Staying under the TV Wi-Fi umbrella is one thing, other thing is the way how to obtain
this configuration with the help of other tools, wpa_cli tool will not do for you but don’t
worry, the dhclient comes by default and you will retrieve an IP fastly from the DHCP
server of the TV! After that, a check can be carried out with a simple ifconfig issuing.
All command steps are optional except for the first one of the wpa_cli. If result was OK,
password can be retrieved showing the content of the wpa_supplicant.conf. Cat tool
reveals the psk line.
2.3. Host offerings to Guests
Generally, when you are invited by a friend or other person in their home, is common
(in many situations) that they offer you something to drink or eat as a gesture of thanks.
What TV AP is offering? Let’s look at the network parameters!
Figure 16: Windows 10; ipconfig/all showing the network Wi-Fi interface parameters
It delivers a DHCP service that provision with the IP 10.123.12.128 (if you are the first
device which requested for a connection). Is a /24 class C IP range. Gateway and
DHCP server are the TV IP which hangs the services in same container but… the DNS
server is different, why? It has an explanation. According to the article mentioned
before in chapter 1 & 2 [3], TV can act as a router. To convert it, the Ethernet interface
must be connected to another router so, DNS is the same as the router connected. A
small test can be done to figure this out (pinging to google is more than enough to check
internet connectivity).
15

Figure 17: Smart TV architecture acting as router
Situating in above figure, P1 is a device under the TV network and P2 is under the
home router user network. P1 can contact directly with P2 but not in reversal way (P2
cannot go to P1 “by default”). TV is between the 2 networks and has enough
information to route packets to the Ethernet part doing a NAT (it means, P2 can see the
IP 192.168.1.X Ethernet TV interface). Unless a route exists in the router (who has
192.168.1.1 IP), P2 will not be able to reach P1.
3. D o S Attack
It can be said that the attack appears suddenly magically by tools designed to test the
vulnerabilities of WPS. The objective of them is looking to get WPA key by brute
forcing the first & second stage of PIN code (a total of 8 digit). An offline brute force of
the pin is possible with the discover of Dominique Bongard [10], another tool was born
called pixiewps (“pixie-dust attack”) [11]. Due to their efficiency, was implemented
under modified version of Reaver [4] and also implemented in Bully [12].
We are going to use both (Bully and Reaver respectively) to do a comparison of the
performance and the time it taken. Is important to mention that first intention of this was
test the security against Smart TV, WPA2 password is not possible to be retrieve under
any of these tools because instead of this, it gets rebooted again and again!
Let’s check the model and versions of the TV and computer used for these DoS attacks.
TV:
- Model Code: UE40D7000
- Software/Firmware Version: T-GAPDEUC-1033.2
16

Figure 18: Smart TV: Model and Software version under Contact section
These parameters can be retrieved in the TV’s Menu. This is the last firmware known.
Computer/Laptop:
A Kali Linux ISO 2020.4 running in Live mode, same that exposed in figure 12 of the
chapter 2.2.2.
How to figure it out there is a vulnerable Smart TV before starting the attack? Put the
WiFi interface into monitor mode first...
Figure 19: Kali Linux; Airmon-ng tool: Putting interface into monitor mode
Then, wash tool will tell you how (part of the tool Reaver [4] pack).
Figure 20: Kali Linux; Wash tool to scan for WPS AP’s
SSID is the key parameter to be aware around you, we use grep to do a clean filter in
search of what is necessary and essential. Putting WPS as part of the filter, the word is
marked in red on column to use as a guide.
17

The rest of the show (Proof of Concept) continues with the inspection and use of the
tools.
3.1. (pixied) Bully
This tool doesn't seem to be as famous as the other, reaver but has their own look and
feel showing a bulldog as a logo in Kali Linux tools [13].
This is a targeted attack so in order to start fast, BSSID and channel must be known.
Figure 21: Kali Linux; Bully tool in action
The command bully is written in terminal with 3 parameters:
-b: BSSID (or MAC of the AP).
-c: The channel where Access Point is working.
-v: Verbosity, will show you more info if the level established is set to maximum (in
that case, 4 is the maximum).
wlan0mon: The interface after “be converted” into monitor mode.
Last lines show a column indicating “timeouts” means TV doesn’t answer in proper
time. Before start the first Rx(Beacon)... line, TV was rebooted. Why not measure these
times, right?
18

3.1.1. Videometer
On a race, to put and identify order in the positions, measurement tools/techniques are
used. Depending on the precision imposed by the race type, you can use a physical
stopwatch (typical function included in most wristwatches) or more sophisticated
professional grade tools.
How can we use a stopwatch for a PoC?
I like to make videos showing PoC’s with a little cinematic touch. I realized at same
time it helps you so much to do measurements representing different involved objects in
same screen video. The trick consists in sync different recordings (for example, one
under laptop, other recording TV screen directly).
Figure 22: Measurement techniques using a video editor
For joining process, join “all the pieces”, we use a video editor. Here there are 2
recordings. The screen of the laptop that runs Kali Linux and the TV screen (with the
help of a smartphone for example). The stopwatch helps on to be precise on certain
moments you want to catch if you have the intention do some statistics/analysis at the
end. I know you can have questions like… Is the stopwatch coming by default? Maybe
but, in my case, I need to create an -insert as a video-. The small square of the
StopWatch is taken recording the screen of an Android device, then need some work to
fit and flatten the video in the project. You don’t need to have hard skills on that, only
have some patience and make sure to synchronize all the parts and start the timer at the
moment you think is right. I named this as videometer because, doing similar work
without the help of a video editor, it doesn't give you the vision you need (or at least I
didn't achieve without this support) …
And no, this isn’t only an image or type of collage ;) you can see this edited video here:
https://youtu.be/MdIT4mPTX3s
19

3.1.2. PostMortem
We describe the results after implementing the measurements with the “videometer”
technique.
Time Log:
- 0:00,00 START DoS Attack
- 0:14,35 TV is Rebooted
- 0:22,89 TV is Operating Normally
- 0:42,67 WiFi is ON (Throwing Beacon frames)
- 1:02,42 TV is Rebooted Again
Stopwatch started at same moment of pushing “enter” in keyboard to start the Bully
tool. The idea was to know how much time it takes to reboot, to up and running again,
when Wi-Fi is discoverable again (through the beacons frames) and see in what time is
produced the second reboot.
As observed, some conclusions can be extracted (or just out of curiosity).
TV was ON when DoS attack was started. The first reboot takes less than a minute to
reboot (14,35 seconds). The second reboot takes more time in comparison the first
reboot, 39,53 seconds from the TV was operating normally, so 39,53 – 14,35 = 25,18
more seconds than first reboot.
Interactions Diagram:
We know how are the interactions under a normal WPS bonding between a client and
AP (seen in figure 9) but… what are the interactions (requests/responses) driven by the
tool? We recorded traffic with airodump-ng in order to create a .cap file, and this is the
result.
20

Figure 23: Interaction Diagram between laptop & TV under Bully attack
The general difference in comparison with figure 9 is that at the beginning of the
petitions, there is no beacon frame reflected nor the probe pair. This is because client,
Bully, doesn’t seem need any beacon frame to start the attack because it knows the
BSSID and channel (acquired from many ways, in that case through wash tool).
However, according to what can be seen in the tool's log, it makes sure to receive a
beacon before starting the attack.
The DoS attack produces when EAPOL packets thrown. After the request identities, TV
has the “poison inside” and it's a matter of time before it falls. Under this period, more
packets are sending (showed in red). Is like a boxer when is on the ground and the
countdown starts. The WSC_NACK tries to get configuration from AP. Under this state
[14] the rest of packets enter into a sequence and/or a loop, 6 packets in total, they are:
Deauthentication, Authentication x2, Association Request-Response and EAPOL –
Start.
As we had the .cap we have the ability to do more things and decided to take a
graphic/diagram using this function into Wireshark [15]. On a traffic packet inspection,
is highly recommended filter for what needed, however, graphics can say things not
seeing easily by text only mode.
21

Figure 24: Wireshark: I/O Graph of Bully attack until first TV reboot
They give us a clear behavior and it denotes that follows a certain pattern.
The Y axis is number of packets compressed in a half of a second (500 milliseconds).
Each portion are 2 packets. Max packets reached = 46.
The X axis is about the time expressed in seconds. Each portion is 0,5 seconds. Total
time is no more than 17 seconds.
What colors, dots and lines means? In case of Bully, we distributed the packets in 4
sections. Each section we applied a Wireshark display filter to be part of the graphic.
The legend is;
- Black line: All displayed packets of the attack. The filter applied is;
frame.number>=xxx && frame.number<=xxx && ((wlan.addr == e4:e0:c5:xx:xx:xx
&& (wlan.addr == f0:d5:bf:xx:xx:xx || wlan.ra == ff:ff:ff:ff:ff:ff)) || (!wlan.ta_resolved
&& (wlan.ra == e4:e0:c5:xx:xx:xx || wlan.ra == f0:d5:bf:xx:xx:xx)))
We cut unwanted frame numbers at the beginning and at the end with frame.number
filter expression. The !wlan.ta_resolved for showing acknowledgments packets that has
not presents the source address but count as packet for other analytic purposes.
- Green line: Beacon frames that comes from Smart TV. The filter applied is;
wlan.ta == e4:e0:c5:xx:xx:xx && wlan.ra == ff:ff:ff:ff:ff:ff
- Blue dots: Is a pack of deauthentication, authentication (request & response),
association request and association response respectively. The filter applied is;
wlan.fc.type_subtype == 0x000c || wlan.fc.type_subtype == 0x000b ||
wlan.fc.type_subtype == 0x0000 || wlan.fc.type_subtype == 0x0001
- Garnet dots: EAPOL packets (including EAP). The filter applied is so simple and short
(1 word!);
22

eapol
Let's look for some deductions but something doesn't seem to fit at the beginning of the
graph... Why at 0 seconds there are already packets? This type of Wireshark graphic
uses each second at their maximum profit it means, the 0 it's taking its limit, before next
half-second sequence that is 0,5 so 0,4 (for example) is counting as “0” that’s the
reason to show packets at 0 time.
To show graphic clear as possible, lines express max limit or continuous amount of
packets like the beacon frames.
Now so… reading it from the beginning, the commands to produce the attack takes less
than a half of second, more blue packets than garnet but, goes together.
The garnet dot at second 10 is the EAP - Response, Expanded Type, WPS, WSC_NACK
packet before send another cycles. In that moment, “TV is dying” and pattern repeats 3
times with their respective high blues & low garnets with the same number of packets
in each and same distance in time. Blues has a pair of less packets than at 0 second,
garnets are only 2 packets, telling us the attack is trying to send but there is no answer
from AP. Last pack of blues & garnets before TV reboots are equal at packet number
(for each one) but there is more distance in comparison with their previous pack.
3.2. (bits) Reaver
The only one tool to deal with WPS until Bully appears.
The invoked commands are very similar.
Figure 25: Kali Linux; Reaver tool in action
The differences respect Bully are the representation of the interface and the verbosity:
-i: Interface to perform the attack, wlan0mon is the wlan0 under monitor mode.
-vv: The verbosity, putting another “v” show more detail (in this case with 2 v’s is more
than enough to not distortion with unneeded packets).
23

The tool log reflects every step (like Bully) thanks to the verbosity option.
3.2.1. Time Thief
The same procedure is carried out as with the previous tool. We use same method as
“videometer” seen in chapter 3.1.1.
Time Log:
- 0:00,00 START DoS Attack
- 0:20,17 TV is Rebooted
- 0:29,72 TV is Operating Normally
- 0:49,10 WiFi is ON (Throwing Beacon frames)
- 1:08,23 TV is Rebooted Again
Let’s take some conclusions observed in that case.
Track the “zero” moment as well. First reboot takes less than a minute (20,17 seconds).
Second reboot still takes more time than first with 38,51 seconds, so if we do 38,51 –
20,17 = 18,34 extra seconds than first reboot.
Interactions Diagram:
We follow the same methodology like with Reaver tool under petitions perspective.
Figure 26: Interaction Diagram between laptop & TV under Reaver attack
The feeling it gives is that it is simpler since there does not seem to be more interaction
packets between those involved. It’s true, diagram is shorter than the captured with
Bully but we didn’t put all the repeated packets in place to not to distortion the graphic.
24

Later in the Wireshark I/O Graph, we can see a bit deeper in packet context vs time
taken.
The start sequence of requests-responses is equal than Bully but, a new packet is
introduced and different (not seen in Figure 23). This is an action packet that has as a
mission block the acknowledges, what it means and what role does it play here? Block
Ack is intended to be more efficiency avoiding so many ack packets and instead, be put
all of them in one frame [16]. This must be negotiated between two parties, here exist a
request but not a respond/answer from laptop so the mechanism didn’t initiate.
Into the DoS phase, there is only a pair of EAP request-response reflected but here are
ellipses, meaning the pair is repeating into a loop until TV is rebooted. The mechanism
is simpler, short but intense.
It’s the Wireshark I/O Graph turn!
Figure 27: Wireshark: I/O Graph of Reaver attack until first TV reboot
The description is the same as seen in figure 24. In order to do a fair comparison. The
size of the graph is the same, as well as the number of packets per half second.
Here the max packets are 301 and total time is no more than 21 seconds.
The legend is almost the same but plus Action (Block Ack) packets;
- Purple line: Action – Block Ack packets. The filter applied is;
wlan.fc.type_subtype == 0x000d && wlan.addr == f0:d5:bf:xx:xx:xx
We can see differences in how the software’s manage the packets through the time.
Note: In order to present same type of data in each software case, the SWL function of
the TV was reset (turn OFF – turn ON) and TV turned OFF and ON to stay sure there
were not something in memory, buffer,…
25

The axis Y denotes a higher number of packets that Reaver need to waste for the DoS
attack. Number of EAPOL packets is higher. For the blue group, only appears at the
beginning while purple goes forward and garnet packets are present all the attack as if
these were beacon frames (almost all the time goes in same line of beacon takes).
Garnet has two well differentiated peaks. First high takes about 180 packets at 4,5
seconds. Second at 11,5 seconds with 220. 7 seconds and 40 more packets of difference.
Other curios observation, just after the first high peak, garnet seems to lose some
power. Second peak has more sense, seems is reactivating at the second 11 to get more
potential at half of a second more (11,5 seconds).
From second 12 until the end, garnets are linear.
4. Conclusions
We have seen both tools have similarities, we have unintentionally discovered a “hidden
function” the DoS that tools can do to this Smart TV. According to the tests results,
seems Bully is programmed/coded to do a somewhat cleaner job of fiddling with WPS
making less noise “in the air”. Thanks to the traffic sniffed, inferences can be made
without the need to inspect the source code of the tools. Video techniques
measurements, interaction diagrams and I/O graphs are good to determine and take a
decision for a winner.
We took the trouble to make a final comparison by putting both tools "on the table" to
increase clarity in their times.
26

Figure 28: Time comparison between Bully & Reaver
Some explanation is needed before commenting on this schematic graph.
At top level, time object can be found, positioning at the middle, taking 0 seconds count
(the start). There are 2 separated columns. Left is the timeline of Bully and right same
for Reaver. We created the following group colors to have an easy visualization of the
situation;
- Red: First TV reboots.
- Blue: When TV wake up after the first reboot (showing images & sound in screen).
- Green: Beacon frames spreading again after the normal operation of the TV.
- Orange: Second reboot time.
When an action is taken (either from one tool or from the other), the time column takes
note of the time. At same moment, the action of each tool gets the timestamp from the
previous action putting nearest of the time column. If the time is situated in same
column of the tool, the timestamp reference is against their previous action. The
27

different color indicates the color of the previous action. When the time is in the
opposite column (having two times) means the additional more time respect the
previous category (actual time less previous category).
The things that can be seen in overall view of the diagram are the total time for both,
ends at similar time, differs from 5,81 seconds making Reaver a few slow than Bully.
The almost same difference it produces at the beginning, in first reboot, time differs
from 5,82. In all cases Reaver takes more time in each action respect Bully but respect
their own previous action, Reaver takes less time in orange and green categories.
One important lesson to learn here is you should not activate functions which behavior
is unknown or/and not used. Unless it is to carry out research of this kind, as a user of a
product not manufactured by yourself, it is better to use those parts of which you have
knowledge. Does it mean the fault is yours? Oh, of course not… This is just a way to
mitigate issues that are not easily resolved by third parties. We understand these devices
have a useful life, but what if life gives them a break like a human being who can reach
his hundred years and more? Would you leave your relative banished at a predetermined
age even though his health is good? We believe that the answer here is more than
implicit right? If this is clear enough, why not apply same for devices? We know there
is no comparison, but it deserves some kind of fix to cure that annoyance.
We tried get the password remotely but with the pair of tools mentioned had no luck, so
at less, nobody can retrieve your WPA2 “non-changeable” password (don’t forget WPS
born insecure, Stefan Viehböck make it publicly [17]) but, you need take into account
that... if you have the Ethernet interface connected to your home router (according to the
chapter 2.3) your home router’s network is accessible from Smart TV network (if you
trying to isolate, using the TV AP isn’t good idea!).
Back to the DoS attack, we demonstrate the effectiveness recreating it by taking it to a
possible cybercrime scenario into a multimedia format (video of chapter 3.1.2). A
mother and her son are watching cartoons and suddenly TV is malfunctioning. The
mother may think there is a failure on television. TV is old and official manufacturer's
technical support will no longer take over so mother, most probably, takes the decision
to buy other (perhaps changing brand and manufacturer, losing their trust). She doesn't
know that the failure was caused by a cybercriminal…
In all tests, we were aware for the channel changing, sometimes can be 1, others is
number 11, this doesn't happen on all TV reboots but casuistry can happen (the video
only reflects against same channel without stay ready for TV’s AP channel change). Are
the tools the ability to switch from one channel to other in case it happens? Yesss! Your
tool is Bully and the command will look like this;
bully -b E4:E0:C5:XX:XX:XX -c 1,11 -v 4 wlan0mon
The solution for citizens is easy, disable the SWL TV’s functionality but we think
manufacturer should do their part, handle these internal errors correctly, be resistant to a
DoS WPS PIN attacks. It surely would increase their reputation and can also serve as a
28

good marketing strategy against your competitors. It should be an honor for them the
product can still be standing, a sign that they do things very well.
Remember…
Be Good, Be Hackers.
5. References
[1] E-MANUAL - 01_ENG_GPDVBEUA-0106.pdf; Page. 93,111.
https://downloadcenter.samsung.com/content/UM/201201/20120128101809663/01_EN
G_GPDVBEUA-0106.pdf
[2] VDB-12842 | Samsung TV SSID Authentication improper authentication.
https://vuldb.com/?id.12842
[3] Samsung Wireless Link security hole | Jumping Spider.
https://jumpingspider.co.uk/rants-2/samsung-wireless-link-or-wtf-is-sec_linkshare
[4] GitHub - t6x/reaver-wps-fork-t6x. https://github.com/t6x/reaver-wps-fork-t6x
[5] Wi-Fi Protected Setup Specification; Page. 94 -11.3 PBC Technical Description-.
https://www.wi-fi.org/file/wi-fi-protected-setup-specification
[6] SEC_LinkShare SSID is from your Samsung TV: SWL (Samsung Wireless Link).
https://wiert.me/2011/07/04/sec_linkshare-ssid-is-from-your-samsung-tv-swl-samsung-
wireless-link
[7] Wi-Fi Easy Connect | Android Open Source Project.
https://source.android.com/devices/tech/connect/wifi-easy-connect
[8] Wpa_supplicant – ArchWiki. https://wiki.archlinux.org/title/wpa_supplicant
[9] Wpa_supplicant and Wi-Fi Protected Setup (WPS).
https://w1.fi/cgit/hostap/plain/wpa_supplicant/README-WPS
[10] Offline bruteforce attack on WiFi Protected Setup (slides).
http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf
[11] GitHub - wiire-a/pixiewps: An offline Wi-Fi Protected Setup brute-force utility.
https://github.com/wiire-a/pixiewps
[12] GitHub - kimocoder/bully: Bully WPS Attack Tool.
https://github.com/kimocoder/bully
[13] Bully | Kali Linux Tools. https://www.kali.org/tools/bully
[14] Wi-Fi Protected Setup Specification; Page. 109 -Configuration Error-.
https://www.wi-fi.org/file/wi-fi-protected-setup-specification
[15] Wireshark. 8.8. The “I/O Graphs” Window.
https://www.wireshark.org/docs/wsug_html_chunked/ChStatIOGraphs.html
[16] CWAP - 802.11 : Block Ack | mrn-cciew. https://mrncciew.com/2014/11/01/cwap-
802-11-block-ack
29

[17] Brute forcing Wi-Fi Protected Setup.
https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
30

SMOLD TV: Old & Smart

More Related Content

Similar to SMOLD TV: Old & Smart

More from Gerard Fuguet

Recently uploaded

SMOLD TV: Old & Smart