Benjamin Michele and Andrew Karpow presented a scary Proof of Concept using two Samsung Smart TVs. They targeted the integrated media player of these Smart TV sets. For the most recent one, they discovered that the TV set used a 2011 version of the open source FFMPEG library libavformat. This library identifies the type of content to be played and demuxes it before the content is handed to Samsung’s proprietary media player. The libavformat library supports many containers. It is a complex piece of software and, as such, has many newly discovered bugs. By scanning the bug-tracking database of this open source library, the researchers selected one vulnerability that was not patched in the version used by the TV set. This vulnerability allowed them to execute arbitrary code when playing a forged piece of content. As the player runs as root, the forged payload also runs as root. This means that the payload has full access to the platform. As the Smart TV had an integrated camera and microphone, they wrote an exploit that captured the video from the camera and the sound from the microphone. The captured information can then be sent to a remote server. As the payload is encapsulated in a real movie, the consumer is not aware that his TV set is being infected and that he is being spied on. The researchers also found a way to flash the Smart TV set and thus make the infection permanent.
Of course, the payload could do other things. The researchers could perform a thorough analysis of the TV set because they succeeded in getting root access, and thus could explore the system and easily work on the exploit. The targets were Samsung TV sets. Most probably, any other smart TV of any brand could be attacked in a similar way, using another vulnerability.
This POC highlights several interesting points:
- This exploit highlights an important issue of IoT. Will devices in the field be upgraded and securely patched? There are two issues that are not yet solved:
  - Will manufacturers do the security maintenance for the lifetime of the product? Currently, the business model is to sell one device and not maintain it (unless there is a very serious bug that impacts its behaviour). How could the manufacturer finance this maintenance? In the software world, maintenance is financed either by new versions or by maintenance contracts for expensive professional applications. This is not the case in the consumer domain.
  - Will consumers apply the patch? The likelihood is low if we extrapolate from the computer world. Too many consumers’ computers are not patched.
- The wide use of open source libraries has brought some benefits. It is less expensive for companies, and it is claimed to be more secure. Unfortunately, it also has its downside.
  - This last claim is only true if all systems are patched. If that is not the case, then the use of widely deployed open source libraries may be an advantage for the attackers. The attacker can experiment on his own system before trying on the targeted device.
  - Furthermore, the more a ‘common’ library is deployed, the more targets will be hit whenever a vulnerability is found in this library. Heartbleed is a good illustration.
- The more features a device has, the higher the risk of having vulnerabilities.
Reference:
Michele, Benjamin, and Andrew Karpow. “Watch and Be Watched: Compromising All Smart TV Generations.” In Proceedings of the 11th IEEE Consumer Communications and Networking Conference (CCNC). Las Vegas, NV, USA: IEEE, 2014.