Not so Smart: On Smart TV Apps

Marcus Niemietz, Juraj Somorovsky, Christian Mainka, Jörg Schwenk (Hackmanit GmbH)

About the speaker
• Horst Görtz Institute for IT Security
• Hackmanit GmbH
• German book about UI redressing
• Speaker at Black Hat, BlueHat, PHDays, Zeronights, OWASP, ...
• Twitter: @mniemietz
• [email protected]

Table of Contents
1. Introduction & Generalization
2. Tested Devices
3. Attacker Model
4. Eavesdropping Attacks
5. Samsung: Attached Storage and Web Attacks
6. Conclusions

1. Introduction & Generalization

Introduction
• "Years" ago: TVs were a medium to watch news, broadcasts, documentaries, or blockbusters
• Smart TV: TV + computer with Internet connection

Introduction
• Smart TV apps
  – Social networks like Facebook
  – Streaming services like Netflix or Watchever
  – Games like Angry Birds
  – Browsing websites

Generalization
• Can also be applied to scenarios beyond Smart TVs, given
  – an Internet connection
  – app rendering engine(s) (e.g., from a browser)
  – an installed attacker's app
• "Internet of Things" is nearly everywhere

2. Tested Devices

Tested Devices

3. Attacker Model

Attacker Model
• Eavesdropper
  – Sniffing HTTP traffic
• Attached Storage Attacker
  – For example a USB flash drive
• Malware Attacker
  – Device's app store or attacker-controlled website

4. Eavesdropping Attacks

Eavesdropping Attacks

Vulnerable Login Apps
• Samsung
  – 25 pre-installed (e.g., WATCHEVER v2.200, ImmoScout24 v1.010)
  – 31 from the app store (e.g., NewMoove v2.2003, Putpat TV v2.504)
• Grundig
  – 34 apps: Facebook, Ebay, and Viewster
• Apple: WATCHEVER; Google & Amazon: 0
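The eavesdropper of the attacker model only needs to read what the login apps above put on the wire. As an added illustration that is not code from the talk, the following Node.js script scans a constructed capture of plaintext HTTP requests, as a sniffer on the TV's network segment would see them, and reports the ones that carry login data in the clear (in the query string, a form body, or a Basic Authorization header). The hostnames (reserved `.invalid` TLD), request contents and the list of credential-like parameter names in `CREDENTIAL_KEYS` are all assumptions constructed for this example.

```javascript
"use strict";
// Added example, not from the original talk: scan captured plaintext HTTP
// requests for credentials an eavesdropper could read. All hosts (.invalid
// TLD), request contents and CREDENTIAL_KEYS are constructed assumptions.

const CREDENTIAL_KEYS = new Set([
  "password", "passwd", "pwd", "pass", "ssopw", "authtoken", "token",
  "access_token", "sessionid",
]);

// Constructed sample capture: four raw HTTP/1.1 requests as seen on the wire.
const SAMPLE_CAPTURE = [
  // login form posted over plain HTTP
  "POST /api/login HTTP/1.1\r\nHost: login.streaming.invalid\r\n" +
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&password=hunter2",
  // session token in the query string of a GET (absolute-form target)
  "GET http://cdn.app.invalid/playlist?authtoken=abc123&lang=enGB HTTP/1.1\r\n" +
    "Host: cdn.app.invalid\r\n\r\n",
  // tracking beacon without credentials: noise, not a finding
  "GET /beacon?id=12345&model=UE22H5600 HTTP/1.1\r\nHost: research.invalid\r\n\r\n",
  // HTTP Basic authentication header in the clear (base64 is not encryption)
  "GET /feed HTTP/1.1\r\nHost: api.news.invalid\r\n" +
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n",
];

// Split one raw request into request line, headers and body.
function parseRequest(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const lines = head.split("\r\n");
  const [method, target] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    if (colon > 0) {
      headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
    }
  }
  return { method, target, headers, body };
}

// Absolute-form targets carry their own scheme; origin-form targets get the
// Host header and "http:", since a request whose bytes a sniffer can read was
// not inside a TLS session.
function absoluteUrl(req) {
  if (/^https?:\/\//i.test(req.target)) return new URL(req.target);
  return new URL("http://" + (req.headers.host || "unknown.invalid") + req.target);
}

// Names of non-empty credential-like parameters in a query string or form body.
function credentialFields(encoded) {
  const found = [];
  for (const [key, value] of new URLSearchParams(encoded)) {
    if (CREDENTIAL_KEYS.has(key.toLowerCase()) && value !== "") found.push(key);
  }
  return found;
}

// Returns one finding per request that exposes credentials in the clear.
function findCleartextCredentials(rawRequests) {
  const findings = [];
  for (const raw of rawRequests) {
    const req = parseRequest(raw);
    const url = absoluteUrl(req);
    if (url.protocol !== "http:") continue; // TLS-wrapped: nothing readable here
    const fields = credentialFields(url.search);
    const ctype = (req.headers["content-type"] || "").toLowerCase();
    if (ctype.startsWith("application/x-www-form-urlencoded")) {
      fields.push(...credentialFields(req.body));
    }
    if (/^basic\s/i.test(req.headers.authorization || "")) {
      fields.push("Authorization: Basic");
    }
    if (fields.length > 0) {
      findings.push({ method: req.method, url: url.origin + url.pathname, fields });
    }
  }
  return findings;
}

// Stand-alone run: print the findings as a sniffer-side report would.
for (const f of findCleartextCredentials(SAMPLE_CAPTURE)) {
  console.log(`${f.method} ${f.url} leaks: ${f.fields.join(", ")}`);
}
```

The script treats every https URL as out of scope on purpose: an eavesdropper sees only the TLS handshake for those, which is exactly the point of the "Use TLS" lesson at the end of the talk. Three of the four constructed requests are reported; the tracking beacon without credentials is not.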

Privacy Violation and SSO Hijacking

Wireshark Demo

Privacy Violation and SSO Hijacking

VEVO App: Market Research Traffic

VEVO App: Market Research Traffic
• "ScorecardResearch ... market research community, a leading global market research effort that studies and reports on Internet trends and behavior. ScorecardResearch conducts research by collecting Internet web browsing data and then uses that data to help show how people use the Internet, what they like about it, and what they don't."
  Source: www.scorecardresearch.com

Samsung SSO

Privacy Violation and SSO Hijacking
• Access to
  – Samsung GALAXY Apps
  – Samsung Link
  – Find My Mobile
  – Smart Appliance
  – Samsung e-Store
  – PEN.UP
  – Samsung Wallet, S Health, Samsung Cloud, ...

5. Samsung: Attached Storage and Web Attacks

Samsung Apps
• Basically just a normal website (HTML5, CSS, JavaScript)
  – config.xml
  – index.html
  – Optional HTML, CSS, JS, etc.
• Can be loaded from a USB device

Samsung Apps
• navigator.userAgent
  – Mozilla/5.0 (SmartHub;SMARTTV;U;Linux/SmartTV+2014;Maple2012) AppleWebKit/537.42+ (KHTML, like Gecko) Smart TV Safari/537.42+

Samsung Apps
• document.location
  – file:///dtv/usb/sda1/UIR6_0.100_Europe_20150309/index.html?country=D&language=17&lang=enGB&modelid=14_X14_2D&server=operation&remocon=0_650_259_22&area=PANEURO&product=0&[email protected]&ssopw=secret&authtoken=MORESTUFF&all_artist=jenniferlopez&ft_artist=&video_content_type=vevotv&ns_st_pr=Top10Now&realmodel=UE22H5600&networktype=0
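The query string above carries the SSO password and an auth token, so any app code that reports `document.location`, for instance the market research beacon of the VEVO app or an error reporter, forwards them to a third party. As an added example that is not code from the talk or from Samsung, the following Node.js script shows two defensive checks an app developer could run: redacting the secrets before the URL is logged or sent anywhere, and a pre-flight check that detects whether an outgoing beacon URL still embeds one of those values, even percent-encoded. The parameter names `ssopw` and `authtoken` are from the slide; `ssoid` is an assumed name for the obscured e-mail parameter, and the location, hostname and values below are constructed placeholders.

```javascript
"use strict";
// Added example, not from the original talk. A USB-loaded app starts with SSO
// credentials in its query string (the document.location slide), so any code
// that reports document.location, e.g. an analytics beacon or an error
// reporter, forwards them. ssopw and authtoken are names from the slide; ssoid
// is an assumed name for the obscured e-mail parameter. All values below are
// constructed placeholders (hostnames use the reserved .invalid TLD).

const SECRET_PARAMS = new Set(["ssoid", "ssopw", "authtoken"]);

// Constructed stand-in for document.location.href on the TV.
const SAMPLE_LOCATION =
  "file:///dtv/usb/sda1/app/index.html?country=D&lang=enGB" +
  "&ssoid=user%40example.invalid&ssopw=s3cret&authtoken=TOKEN123&realmodel=UE22H5600";

// Map of secret parameter name -> decoded value taken from a location URL.
function extractSecrets(href) {
  const secrets = new Map();
  for (const [key, value] of new URL(href).searchParams) {
    if (SECRET_PARAMS.has(key.toLowerCase()) && value !== "") secrets.set(key, value);
  }
  return secrets;
}

// Copy of the location with secret values replaced, safe for logs and beacons.
function redactLocation(href) {
  const url = new URL(href);
  for (const key of [...url.searchParams.keys()]) {
    if (SECRET_PARAMS.has(key.toLowerCase())) url.searchParams.set(key, "REDACTED");
  }
  return url.href;
}

// Percent-decode repeatedly so that a secret nested inside an encoded
// "referrer" parameter is still found; stops on malformed input.
function fullyDecode(text) {
  for (let round = 0; round < 5; round++) {
    let decoded;
    try {
      decoded = decodeURIComponent(text);
    } catch (e) {
      return text;
    }
    if (decoded === text) return text;
    text = decoded;
  }
  return text;
}

// Names of secrets whose values would travel in an outgoing request URL.
// Intended as a pre-flight check in front of third-party beacon calls.
function leaksSecrets(outgoingUrl, secrets) {
  const haystack = fullyDecode(outgoingUrl);
  const leaked = [];
  for (const [name, value] of secrets) {
    if (haystack.includes(value)) leaked.push(name);
  }
  return leaked;
}

// Stand-alone run with a constructed beacon that embeds the full location,
// the way a "current page" field in tracking traffic would.
const secrets = extractSecrets(SAMPLE_LOCATION);
const beacon = "http://research.invalid/b?ref=" + encodeURIComponent(SAMPLE_LOCATION);
console.log("secrets in location:", [...secrets.keys()].join(", "));
console.log("beacon leaks:", leaksSecrets(beacon, secrets).join(", "));
console.log("redacted:", redactLocation(SAMPLE_LOCATION));
```

`leaksSecrets` decodes the outgoing URL until it stops changing because a location copied into a beacon parameter is encoded once more than the original, so a single decode would miss the e-mail address (`%40` becomes `%2540`). Redacting is the more robust fix: once `redactLocation` is the only URL the app ever logs or sends, the secrets never reach the beacon in the first place.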

Samsung App Bypass
• is not supported in the app context
  – Security reasons?
  – Any ideas for a bypass?

Samsung App Bypass
• is not supported in the app context
• Thank you HTML! "> %all

file://
• App can "access" all (?) files
  – Wifi data (incl. password)
  – Apps' cookies
  – Local Storage (Zattoo: login data)
  – SSO username (one line)
  – Browser history
  – Common user inputs
    • FB and Samsung-SSO username/password
  – Partial webcam access

file:// & OAuth
• OAuth is not meant to log the user in to an application, but to grant the application access rights on specific resources
• We have Samsung's Facebook Connect API key and apiSecret
  – We can make a spoofed client
  – We cannot get user credentials
• Proof?

file:// & OAuth

file:// & OAuth

Just saying ...
• A never ending story?
  – Leaking data is not new
    • Samsung SmartTV customers warned personal conversations may be recorded (http://is.gd/Wxq2oy)
    • Read It Twice! A mass-storage-based TOCTTOU attack (http://is.gd/VLC0yE)
  – Leaking credentials without any attack is new

Just saying ...
• Our research was covered by the German media (Heise, Golem, WDR, and ORF)
  – What happened?
• Consumer advice centre of NRW (Germany): https://www.vz-nrw.de/klage-gegen-samsung

Samsung Smart TV Bug Bounty

Samsung TV Bounty
• "The bugs that are eligible will be paid according to the site policy:
  – we reward only unknown and unreported issues on TV/Blu-ray models from E-Series and above (2012 to 2015).
  – you agree not to disclose the vulnerabilities to 3rd parties without our agreement (we can agree on a publication date after the security patches are deployed)"

6. Conclusions

Conclusions
• New IoT technologies like Smart TVs are a valuable target for attackers
• Lessons learned
  – Use TLS
  – Do not save sensitive data (unencrypted)
  – Do not run with root privileges
  – Use a sandboxing mechanism
• Todo: Protect your webcam

Thank you for your attention. Questions?