Not so Smart: On Smart TV Apps Marcus Niemietz, Juraj Somorovsky, Christian Mainka, Jörg Schwenk Hackmanit GmbH
• Horst Görtz Institute for IT Security • Hackmanit GmbH • German book about UI redressing • Speaker at Black Hat, BlueHat, PHDays, Zeronights, OWASP, ... • Twitter: @mniemietz • [email protected]
Table of Contents 1. Introduction & Generalization 2. Tested Devices 3. Attacker Model 4. Eavesdropping Attacks 5. Samsung: Attached Storage and Web Attacks 6. Conclusions
1. Introduction & Generalization
Introduction • “Years” ago: TVs were a medium to watch news, broadcasts, documentaries, or blockbusters • Smart TV: TV + computer with Internet connection
Introduction • Smart TV apps – Social networks like Facebook – Streaming services like Netflix or Watchever – Games like Angry Birds – Browsing websites
Generalization • Can also be applied to scenarios beyond Smart TVs, wherever there is: – an Internet connection – an app rendering engine (e.g., from a browser) – an installed attacker's app
• The "Internet of Things" is nearly everywhere
2. Tested Devices
Tested Devices
3. Attacker Model
Attacker Model • Eavesdropper – Sniffing HTTP traffic
• Attached Storage Attacker – For example a USB flash drive
• Malware Attacker – Device’s app store or attacker controlled website
4. Eavesdropping Attacks
Eavesdropping Attacks
Vulnerable Login Apps (login traffic readable by a sniffer) • Samsung – 25 pre-installed apps (e.g., WATCHEVER v2.200, ImmoScout24 v1.010) – 31 app store apps (e.g., NewMoove v2.2003, Putpat TV v2.504)
• Grundig – 34 apps (e.g., Facebook, Ebay, and Viewster)
• Apple: WATCHEVER • Google & Amazon: 0 apps
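The attacker model for this section is a passive eavesdropper on the TV's network segment. The following script, added here as an example and not code from the talk, shows what such an eavesdropper can pull out of plaintext HTTP requests: it parses raw HTTP/1.1 requests and reports credential fields carried in the query string, in a form body, or in an HTTP Basic header (base64 is encoding, not encryption). The two captured requests are constructed samples; hosts, paths and values are placeholders, only the User-Agent is the Smart TV string from the talk. The list of credential field names is an assumption and should be extended per app.

```javascript
// Added example, not code from the talk: scan plaintext HTTP requests, as an
// eavesdropper on the TV's network segment sees them, for login material.
// CAPTURED_REQUESTS is constructed: hosts, paths and values are placeholders,
// the User-Agent is the Smart TV string from the talk.
const CAPTURED_REQUESTS = [
  "POST /api/login HTTP/1.1\r\n" +
    "Host: app.example.com\r\n" +
    "User-Agent: Mozilla/5.0 (SmartHub;SMARTTV;U;Linux/SmartTV+2014;Maple2012) " +
    "AppleWebKit/537.42+ (KHTML, like Gecko) Smart TV Safari/537.42+\r\n" +
    "Content-Type: application/x-www-form-urlencoded\r\n" +
    "\r\n" +
    "email=viewer%40example.com&password=hunter2&remember=1",
  "GET /feed?user=viewer&authtoken=MORESTUFF HTTP/1.1\r\n" +
    "Host: cdn.example.net\r\n" +
    "Authorization: Basic dmlld2VyOmh1bnRlcjI=\r\n" +
    "\r\n",
];

// Field names that identify or authenticate a user (assumed list; extend per app).
const CREDENTIAL_FIELDS =
  /^(user(name)?|email|sso_?id|sso_?pw|pass(word)?|pw|auth_?token|access_token|token)$/i;

// Minimal HTTP/1.1 request parser: request line, headers, body.
function parseRequest(raw) {
  const [head, body = ""] = raw.split("\r\n\r\n");
  const [requestLine, ...headerLines] = head.split("\r\n");
  const [method, target] = requestLine.split(" ");
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, headers, body };
}

// Collect credential-named parameters from any iterable of [name, value] pairs.
function credentialsIn(params) {
  const found = {};
  for (const [name, value] of params) {
    if (CREDENTIAL_FIELDS.test(name)) found[name] = value;
  }
  return found;
}

// Returns one finding per request that exposes credentials in the query string,
// a form body, or an HTTP Basic header (base64 is encoding, not encryption).
function scanPlaintextLogins(requests) {
  const findings = [];
  for (const raw of requests) {
    const req = parseRequest(raw);
    const host = req.headers.host || "unknown";
    const url = new URL(req.target, "http://" + host);
    let leaked = credentialsIn(url.searchParams);
    const ctype = req.headers["content-type"] || "";
    if (ctype.startsWith("application/x-www-form-urlencoded")) {
      leaked = { ...leaked, ...credentialsIn(new URLSearchParams(req.body)) };
    }
    const auth = req.headers.authorization || "";
    if (auth.startsWith("Basic ")) {
      const [user, pass] = Buffer.from(auth.slice(6), "base64").toString("utf8").split(":");
      leaked = { ...leaked, basic_user: user, basic_password: pass };
    }
    if (Object.keys(leaked).length > 0) {
      findings.push({ host, method: req.method, path: url.pathname, leaked });
    }
  }
  return findings;
}

console.log(JSON.stringify(scanPlaintextLogins(CAPTURED_REQUESTS), null, 2));
```

Run with `node`; the same parser can be fed request texts exported from a Wireshark "Follow TCP Stream" view. With TLS in place the sniffer sees only ciphertext and this scan finds nothing, which is the point of the "Use TLS" lesson in the conclusions.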
Privacy Violation and SSO Hijacking
Wireshark Demo
Privacy Violation and SSO Hijacking
VEVO App: Market Research Traffic
VEVO App: Market Research Traffic • "ScorecardResearch ... market research community, a leading global market research effort that studies and reports on Internet trends and behavior. ScorecardResearch conducts research by collecting Internet web browsing data and then uses that data to help show how people use the Internet, what they like about it, and what they don't." Source: www.scorecardresearch.com
Samsung SSO
Privacy Violation and SSO Hijacking • Access to – Samsung GALAXY Apps – Samsung Link – Find My Mobile – Smart Appliance – Samsung e-Store – PEN.UP – Samsung Wallet, S Health, Samsung Cloud, ...
5. Samsung: Attached Storage and Web Attacks
Samsung Apps • Basically just a normal website (HTML5, CSS, JavaScript) – config.xml – index.html – optional further HTML, CSS, JS, etc. • Can be loaded from a USB device
Samsung Apps • navigator.userAgent – Mozilla/5.0 (SmartHub;SMARTTV;U;Linux/SmartTV+2014;Maple2012) AppleWebKit/537.42+ (KHTML, like Gecko) Smart TV Safari/537.42+
Samsung Apps • document.location – file:///dtv/usb/sda1/UIR6_0.100_Europe_20150309/index.html?country=D&language=17&lang=enGB&modelid=14_X14_2D&server=operation&remocon=0_650_259_22&area=PANEURO&product=0
[email protected]&ssopw=secret&authtoken=MORESTUFF&all_artist=jenniferlopez&ft_artist=&video_content_type=vevotv&ns_st_pr=Top10Now&realmodel=UE22H5600&networktype=0
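The launch URL above carries the SSO user name, password and auth token as query parameters, so anything with script access to the page (the app itself, a bundled analytics or market-research script, a debugging log, or a Referer header on an outgoing request) can read them from document.location. The following script is an added example, not code from the talk: it parses such a file:// URL the way a script inside the app could, lists the credential parameters, and shows the defensive counterpart that redacts them before the URL leaves the app. SAMPLE_LOCATION is constructed (path and parameter names follow the slide, the values are placeholders), and the SENSITIVE_PARAMS list is an assumption.

```javascript
// Added example, not code from the talk: pull authentication material out of a
// Samsung-app-style launch URL. SAMPLE_LOCATION is constructed: the path and
// parameter names follow the document.location shown on the slide, the values
// (user, password, token) are placeholders.
const SAMPLE_LOCATION =
  "file:///dtv/usb/sda1/UIR6_0.100_Europe_20150309/index.html" +
  "?country=D&language=17&lang=enGB&modelid=14_X14_2D&server=operation" +
  "&ssoid=user%40example.com&ssopw=secret&authtoken=MORESTUFF" +
  "&realmodel=UE22H5600&networktype=0";

// Query parameters that carry credentials. Assumed list based on the slide
// (ssoid/ssopw/authtoken) plus common names; extend it per app.
const SENSITIVE_PARAMS = /^(sso_?id|sso_?pw|auth_?token|access_token|password|pw)$/i;

// Returns { name: value } for every credential parameter in the URL. Inside the
// TV app any script on the page can call this on document.location.href.
function findLeakedCredentials(href) {
  const url = new URL(href); // the WHATWG parser accepts file: URLs
  const leaked = {};
  for (const [name, value] of url.searchParams) {
    if (SENSITIVE_PARAMS.test(name)) leaked[name] = value;
  }
  return leaked;
}

// Defensive counterpart: replace credential values before the URL is logged,
// sent as a Referer, or otherwise leaves the app. Other parameters are kept.
function redactLocation(href) {
  const url = new URL(href);
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.test(name)) url.searchParams.set(name, "REDACTED");
  }
  return url.toString();
}

console.log(findLeakedCredentials(SAMPLE_LOCATION));
console.log(redactLocation(SAMPLE_LOCATION));
```

Redaction only limits the damage once the URL is logged; the real fix is not to pass the SSO password and token in the URL at all, in line with the "do not save sensitive data unencrypted" lesson in the conclusions.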
Samsung App Bypass • is not supported in the app context – Security reasons? – Any ideas for a bypass?
Samsung App Bypass • is not supported in the app context
• Thank you HTML! "> %all
file:// • App can "access" all (?) files – Wi-Fi data (incl. password) – App cookies – Local Storage (Zattoo: login data) – SSO username (one line) – Browser history – Common user inputs • Facebook and Samsung SSO username/password – Partial webcam access
file:// & OAuth • OAuth is not meant to log the user in to an application; it grants the application access rights to specific resources • We have Samsung's Facebook Connect API key and apiSecret – We can build a spoofed client – We cannot obtain user credentials
• Proof?
file:// & OAuth
file:// & OAuth
Just saying ... • A never-ending story? – Leaking data is not new • Samsung SmartTV customers warned personal conversations may be recorded (http://is.gd/Wxq2oy) • Read It Twice! A mass-storage-based TOCTTOU attack (http://is.gd/VLC0yE)
– Leaking credentials without any attack is new
Just saying ... • Our research was covered by the German media (Heise, Golem, WDR, and ORF) – What happened?
• Consumer advice centre of NRW (Germany) https://www.vz-nrw.de/klage-gegen-samsung
Samsung Smart TV Bug Bounty
Samsung TV Bounty • "The bugs that are eligible will be paid according to the site policy: – we reward only unknown and unreported issues on TV/Blueray models from E-Series and above (2012 to 2015). – you agree not to disclose the vulnerabilities to 3rd parties without our agreement (we can agree on a publication date after the security patches are deployed)"
6. Conclusions
Conclusions • New IoT technologies like Smart TVs are a valuable target for attackers • Lessons learned – Use TLS – Do not save sensitive data (unencrypted) – Do not run with root privileges – Use a sandboxing mechanism
• Todo: Protect your webcam
Thank you for your attention. Questions?