Smart TVs Open to Remote Attacks

Tuesday, April 1, 2014 @ 08:04 PM gHale

If your television is changing channels without anyone using the remote, it could be because your TV just got hacked.

Some smart Philips TV models open an insecure wireless network, allowing potential attackers within signal range to control the TV remotely and perform unauthorized actions.

The potential attacks include accessing the TV’s configuration files; accessing files stored on USB devices attached to the TV; broadcasting video, audio and images to the TV; controlling the TV via an external remote control application; and stealing website authentication cookies from the TV’s browser, said researchers from Malta-based vulnerability security firm ReVuln, who also published a video demonstration of what could happen.

The insecure network is opened by Miracast, a feature that enables the wireless delivery of audio and video content to the TV screen from desktops, tablets, phones, and other devices.

Philips TVs running vulnerable firmware versions open a wireless network with an identifier that starts with DIRECT-xy, and the network can be accessed with a hard-coded password, researchers said.

“So basically you just connect directly to the TV via WiFi without restrictions,” the researchers said. “Miracast is enabled by default and the password cannot be changed. We tried all the possible ways to reset the TV including those methods suggested in the Philips manual […] but the TV just allows anyone to connect.”

The problem only exists in newer firmware versions, the ReVuln researchers said. Some models tested in a shop didn’t have this issue, but they were running older firmware, they said.

The researchers tested a Philips 55PFL6008S TV, but believe many 2013 models also suffer from the issue because they share the same firmware. For example, the 47PFL6158, 55PFL8008 and 84PFL9708 models all use the same firmware although they have different screen sizes, they said.

Combined with a directory traversal vulnerability in the JointSpace service, which allows external programs to remotely control the TV, the insecure wireless access lets attackers extract TV configuration files, media files located on attached USB devices, or authentication cookies for Gmail and other sites from the TV browser.

“The cookies of the Opera browser integrated in the TV and used for all the websites (including the TV apps) are all stored in one file with a fixed path and name, so it’s easy to get all of them with one download,” the researchers said.

With these cookies, attackers can potentially gain access to the online accounts of the TV owners. However, the success of such attempts depends on the additional security measures of each website.

Eva Heller, head of global communications at TP Vision, a joint venture between Philips and TPV Technology that manufactures and sells Philips-branded TVs, said the company is working on a mitigation. “Our experts are looking into this and are working on a fix.”

TP recommends consumers switch off the Wi-Fi Miracast function of the TV. To do this, they need to press the HOME button, navigate to Setup, select Network Settings, navigate to Wi-Fi Miracast and set that to OFF.
