SmartTV Security for Fun & Non-Profit, as presented by me and Joaquim Espinhara in Silver Bullet 2012.

1. SmartTV Security - For Fun and Non-
Profit
Presented by:
Joaquim Espinhara/Ulisses Albuquerque
jespinhara@trustwave.com/ualbuquerque@trustwave.com
© 2012

2. Who is SpiderLabs?
SpiderLabs is the elite security team at Trustwave, offering clients the most advanced
information security expertise and intelligence available today.
The SpiderLabs team has performed more than 1,500 computer incident response and
forensic investigations globally, as well as over 15,000 penetration and application security
tests for Trustwave’s clients.
The global team actively provides threat intelligence to both Trustwave and growing
numbers of organizations from Fortune 50 to enterprises and start-ups.
Companies and organizations in more than 50 countries rely on the SpiderLabs team’s
technical expertise to identify and anticipate cyber security attacks before they happen.
Featured Speakers at:
Featured Media:
© 2012

3. SpiderLabs – International Footprint
© 2012

4. Agenda
• Disclaimers
• Motivation
• Concepts
• Why “Smart”?
• Attack Vectors
• Tools
• Future Work
• Conclusion
© 2012

5. $ finger @jespinhara
• Network Security consultant for Trustwave
Spiderlabs
© 2012

6. $ finger @urma
• App Security consultant for Trustwave SpiderLabs
– Managed security services (full stack)
– Trusted [Virtual] Computing
– Linux device drivers
– Scripting/dynamic language love all around
– C whenever static typing is needed
• OO is fun, Java/C++ are not
• Breaking stuff is fun, building stuff is funnier,
building stuff to break stuff is awesome
© 2012

7. Disclaimers
• This talk focus on a small subset of Smart TV
manufacturers
– TV sets are expensive, more intrusive tests void
warranties and might brick the devices
– We used our personal TVs during the tests
– Manufacturers were not chosen, just what we already
had at hand
© 2012

8. Motivation
• Most devices now provide hardware that is good
enough even for high-end consumers
– Hardware alone is no longer enough to drive new
purchases
– Software adds possibility of further sales through
application stores
– Devices have turned into full fledged software platform
• TVs are ubiquitous
– Full blown OS in networked devices everywhere
© 2012

9. Motivation
• Current research is focused on specific
devices/platforms/techniques
– Google TV (Dwenger & Rosenberd, DEFCON20)
– Smart TV Fuzzing (Kuipers, Starck & Heikkinen,
whitepaper)
– HDMI Fuzzing (Andy Davis, Blackhat12)
– SamyGO Project (alternative firmware for Samsung
TVs)
– OpenLG TV Project (alternative firmware for LG TVs)
© 2012

10. Motivation
• Hacks are still device/platform specific
– Enough common ground for a framework though
– Smart TVs share many common devices and attack
vectors
– Network attacks are particularly interesting due to
interoperability between manufacturers
• UPnP/DLNA is present in >90% of all TVs
© 2012

11. Motivation
© 2012

12. Why “Smart”?
Analog TV signal, digital logic Digital TV signal, audio/video
only applies to audio/video combined with interactive
post-processing content and control data, more
robust
microcontrollers/components
required
© 2012

13. Why “Smart”?
• Manufacturers had to upgrade the components in
their devices to handle digital TV
– Interactivity (Ginga, HbbTV, Tru2way)
– Bandwidth (1080i versus 480p video, 5.1 versus 2.0
audio)
• Beefier components allow for full fledged software
stacks
© 2012

14. Why “Smart”?
Samsung Smart Hub LG Dashboard
Imagges ae
© 2012

15. Why “Smart”?
© 2012

16. Why “Smart”?
Samsung & LG
have over 40% of
the market
http://www.reghardware.com/2012/06/20/lcd_tv_shipments_slip_for_first_time_ever/
© 2012

17. Why “Smart”?
• Models
– LG 47LW5700
– LG 32LV3700
– Samsung UN32C5000
© 2012

18. Attack Vectors
Physical
Network Application Digital TV
Access
© 2012

19. Attack Vectors
• Network
– UPnP/DLNA
• Enabled by default
• Not possible to disable on most TV sets
• Device enumeration/fingerprinting
• Media playback abuse
• Information leaks
• Focus on device interoperability and home use scenarios
© 2012

20. Attack Vectors
NOTIFY * HTTP/1.1
HOST: 239.255.255.250:1900
CACHE-CONTROL: max-age=1800
LOCATION: http://192.168.0.14:37904/MediaRenderer1.xml
NT: upnp:rootdevice
NTS: ssdp:alive
SERVER: Linux/2.6.28.9 UPnP/1.0 DLNADOC/1.50 INTEL_NMPR/2.0 LGE_
USN: uuid:1b12f5e8-1dd2-11b2-9d7b-de7e1af3b7bb::upnp:rootdevice
© 2012

21. Attack Vectors
<pnpx:X_compatibleId>MS_DigitalMediaDeviceClass_DMR_V001</pnpx:X
<pnpx:X_deviceCategory>MediaDevices</pnpx:X_deviceCategory>
<df:X_deviceCategory> Multimedia.DMR</df:X_deviceCategory>
<df:X_modelId>LG Digital Media Renderer TV</df:X_modelId>
<deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
<friendlyName>47LW5700-SA</friendlyName>
<manufacturer>LG Electronics</manufacturer>
<manufacturerURL>http://www.lge.com</manufacturerURL>
<modelDescription>UPnP Media Renderer 1.0</modelDescription>
© 2012

22. Attack Vectors
• Network
– IP Remote Control
• Implemented by most major manufacturers
– Samsung
– LG
– Sony
– Panasonic
• Non-interoperable between brands (as expected)
• Multiple implementations between device generations
– Unmaintained old versions unlikely to be patched
• Fragmentation makes ubiquitous exploits difficult
© 2012

23. Attack Vectors
© 2012

24. Attack Vectors
© 2012

25. Attack Vectors
POST /hdcp/api/auth HTTP/1.1 HTTP/1.1 200 OK
Content-Type: application/atom+xml Date: Fri Dec 30 13:44:44 2011 GMT
Content-Length: 74 Server: LG HDCP Server
Host: 192.168.0.116:8080 Pragma: no-cache
Connection: Keep-Alive Cache-Control: no-store, no-cache, must-reva
Connection: close
<?xml version="1.0" encoding="utf-8"?> Content-Length: 122
<auth><type>AuthKeyReq</type></auth> Content-Type: application/atom+xml; charset=
<?xml version="1.0" encoding="utf-8"?>
• No SSL <envelope>
• Session is persistent (pairing) <HDCPError>200</HDCPError>
• No device authentication aside <HDCPErrorDetail>OK</HDCPErrorDetail>
from session </envelope>
© 2012

26. Attack Vectors
© 2012

27. Attack Vectors
© 2012

28. Attack Vectors
© 2012

29. Attack Vectors
• Network
– IP Remote Control
• lgcommander.py
– https://github.com/ubaransel/lgcommander
– Grants access to service menus through IP remote control
interface
– Can be used to enable serial console (Busybox) in certain models
– Contains mapping of all remote control keycodes
• Automated remote control through network, including
interaction with applications
– Many applications contain paid content
– Automate purchase of fraudulent/useless paid applications in
market
© 2012

30. Attack Vectors
• Network
– Firmware upgrades
• Requires MITM and spoofing all checked attributes of the
firmware images
• Images are encrypted, but keys have been leaked for some
manufacturers
• Recent models also digitally sign firmware images
• Most TVs allow upgrades through USB mass storage devices,
which does not require network setup
© 2012

31. Attack Vectors
• Physical Access
– USB
• All recent TV sets include at least a USB port, many include
more
• USB ports are used for
– Mass storage access (for media files and firmware upgrades)
– Network devices (wireless dongles)
– Input devices (uncommon, keyboard/mouse)
• Vulnerabilities in USB device drivers could be exploited by
especially crafted USB hardware
– caiq USB audio interface device long name
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0712
© 2012

32. Attack Vectors
Teensy++ 2.0: http://www.pjrc.com/teensy/
© 2012

33. Attack Vectors
Facedancer: http://goodfet.sourceforge.net/hardware/facedancer10/
© 2012

34. Attack Vectors
• Physical Access
– HDMI
• Display Data Channel (DDC), I2C based communication
between devices for “plug and play” operation
– Used by High-Bandwidth Content Protect (HDCP) and Extended
Display Identification Data (EDID)
• Consumer Eletronics Control (CEC)
– Used to control multiple devices using a single remote control
– Trademarked names used by manufacturers
• Anynet (Samsung)
• Simplink (LG)
• Bravia SYNC (Sony)
© 2012

35. Attack Vectors
• Physical Access
– HDMI
• HDMI Ethernel Channel (HDMI 1.4)
• Audio Return Channel (HDMI 1.4)
– HDMI is not a one-way high bandwidth bus only
• Spanning/routing support
• Bidirectional communication
• Hot plug support
© 2012

36. Attack Vectors
© 2012

37. Attack Vectors
• Application
– Browser
– Browser Plugins
– Market
© 2012

38. Attack Vectors
• Application
– Browser
© 2012

39. Attack Vectors
• Application
– Browser Plugins
© 2012

40. Attack Vectors
• Application
– Browser Plugins
© 2012

41. Attack Vectors
• Physical Access
– RS-232C
© 2012

42. Fuzzing
• Emulator
– Netcast 2.0 (2011)
• Flash Player 9 or lower (Netcat 2011 does not support Flash
Player 10).
– Netcast 3.0 (2012)
© 2012

43. Fuzzing - Emulator
• Netcast 2.0
© 2012

44. Fuzzing - Emulator
• Netcast 3.0
© 2012

45. Future Work
• Focus on different manufacturers
– A lot of common ground in major features and , but
many subtle differences in implementations
• SmartBUZZWORD Fuzzer Framework
• Firmware Rootkit
• 0days
© 2012

46. Conclusions
• Lots of scary disclaimers and warnings in many
references
– Many tests could have gone further, but TV sets are
expensive
• Boss, we need budget to go further in our tests
– TV set(s) we can poke around without fear
– USB fuzzing hardware
– HDMI test hardware
– Advanced tests
© 2012

47. Questions?
© 2012

48. Trustwave SpiderLabs
SpiderLabs is an elite team of ethical hackers at
Trustwave advancing the security capabilities of
leading businesses and organizations throughout
the world.
More Information:
Web: https://www.trustwave.com/spiderlabs
Blog: http://blog.spiderlabs.com
Twitter: @SpiderLabs
© 2012