Italian security researcher Luigi Auriemma was trying to play a trick on his brother when he accidentally discovered two vulnerabilities in all current versions of Samsung TVs and Blu-Ray systems that could allow an attacker to gain remote access to those devices.

Auriemma claims that the vulnerabilities will affect all Samsung devices with support for remote controllers, and that the vulnerable protocol is on both TVs and Blu-Ray enabled devices.

One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow.

Auriemma discovered the issues accidentally. He told Threatpost via email that he was trying to play a trick on his brother. He only wanted to send a remote controller request with a funny message, but he ended up nearly destroying the TV.

Exploiting the vulnerabilities requires only that the devices are connected to a Wi-Fi network.

As background, Auriemma explains that when the device receives a controller packet it displays a message informing users that a new ‘remote’ has been detected, and prompts the user to ‘allow’ or ‘deny’ access. Included with this remote packet is a string field used for the name of the device. Auriemma found that if he altered the name string to contain line feed and other invalid characters, the device would enter an endless loop.

Auriemma claims that nothing really happens for the first five seconds, after which he lost control of the TV, both manually on the control panel and with the remote. After another five seconds, he claims, the TV automatically restarts. The process then repeats itself forever, even after unplugging the TV. Eventually, Auriemma managed to reset the TV in service mode. He writes that users can avoid the situation altogether by hitting ‘exit’ when prompted to ‘allow’ or ‘deny’ the new remote device.

As for the buffer overflow, Auriemma determined that he could crash devices by setting the MAC address to a long string. He is only guessing that this is a buffer overflow vulnerability, and he told Threatpost via email that the vulnerability would be much more “attractive” if it was in fact a buffer overflow vulnerability.

“The bugs have been tested on a d6000 and d6050 TV, but it’s highly possible that many of the Samsung devices supporting this protocol are vulnerable because d6xxx is a recent TV and usually these ‘core’ components are like libraries shared with other devices that make use of the same protocol,” he said via email.

Auriemma claims there is no fix for these bugs because he was unable to report the bugs to Samsung. He has also received no word from Samsung. He claims that Samsung doesn’t even have a channel through which to report these types of bugs.


Comments (18)

  1. Bruce H McIntosh

    All of a sudden replacing my old-faithful Sony rear-projector with one of those spiffy new Samsung panels doesn’t look like such a good idea.

  2. Anonymous

    I’m not surprised – Samsung has no real software test group to test out their software release.

  3. Anonymous

    I’ve been emailing and calling Samsung regularly for 3 years trying to get an audio-related firmware bug fix (one that can destroy audio equipment when you turn the TV on if not careful!). So far, nothing. No response at all, ever. When I call, the Samsung rep swears they will investigate and get back to me; they never do. Bottom line: Samsung have the worst customer service around, to the point of being 100% non-existent. Avoid them at all costs if you care about such things. I sure won’t ever buy another Samsung TV.

  4. Cyclone

    Ugh,  I read this knowing that I picked up a Samsung TV and BR disk player late last year.  Both are working great and I’m very satisfied with their performance.

    I do have both connected to my home network.  The BR player has Netflix and some other cool ‘Smart Hub’ apps, so that works pretty good.  I opted for the cheaper TV that does not include ‘Smart Hub’ (why bother when the BR player has it built in?).   But I actually have zero fear of being struck down by anyone exploiting this bug.

    First they would have to actually gain access to my network.  So they’d have to get past my firewall.  Then they would have to actually detect my Samsung equipment.  Finally, they’d have to go through the effort of writing exploit tools just for the sheer sake of making my TV and BRD player act up.   I would like to think that they would at some point think to themselves, "Hey, let's go mess around with his infinitely more interesting PCs rather than put his TV into foobar mode."

  5. Anonymous

    And Samsung’s Android 10.5 device also had a fundamental flaw after a recent firmware upgrade…throwing the entire unit into an endless loop…which could only be repaired by returning the pad to Samsung. No other fix available. Astonishing way to run a business.  Astonishing way to build a product… where it can’t be reset out of the endless software reboot loop. They need serious grownups testing their products…

  6. Hate Samsung Galaxy W

    And add to that:

    My Samsung Galaxy W smart phone was doing basically the same thing.

    It was restarting every hour or so. I got that replaced with another brand new one.

    On that one, the soft keys failed.

    Now I’m on the 3rd Galaxy W unit. Let's hope it doesn't do anything stupid.

    BTW I’m with VodaFail.

     

  7. Anonymous

    This happened to my tv, some months ago. I still have the tv. so will try to fix it, thanks so much.

  8. Anonymous

    hmm, conversation doesn’t appear to be threaded – my explanation is in response to Cyclone’s post.

  9. Anonymous

    Samsung are too busy trying to out-do Apple with their new products to be interested in their old products.

  10. Anonymous

    Yeah, Americans discover this, they discover that, they find this fault, that fault, an endless loop of idiots who don't have anything better to do in their life rather than waste it scooping for mistakes on products…. how about you schmucks there try spending your time doing something constructive, like get an education, or plant a tree, or even dig a cave and then go and live in it…. morons…!!!
    This reminds me of why the Columbia and Challenger didn't fail….Billions of dollars wasted on something that blew up and killed so many people… at least a TV doesn't cost much and it doesn't kill anyone… if NASA couldn't get it right on a multi billion dollar product, why do you expect a few hundred dollars worth of a TV to be perfect ???
    get a life people…

  11. Anonymous

    Glad i read this, was working on the packet the other day trying to control my tv

  12. Anonymous

    The information is very interesting with great pleasure i read your blog.Its really nice and interesting.I recently came across your blog and have been reading along.I think i would leave my first comment but don’t know what to say except that I have enjoyed reading.And its a nice blog.I will keep visiting this blog very often.

    Samrx

  13. Anonymous

    But they actually answer the phone, and have a semblance of what you are talking about. 

    That is loads above most customer service departments for consumer gear.

  14. Anonymous

    it’s not that much effort at all… if a hacker can get their code executed on a local system of yours (that’s actually the *only* tricky part really) then it’s easy: the tv advertises itself via ssdp (aka: upnp/dnla) and the exploit itself is pretty much explained in most of the articles (ie. send malformed pairing requests via ssdp/upnp)

    like i say, the tricky bit is getting the code executed locally – all that really means is that the next (windows) virus or socially-engineered trojan (this latter option also being applicable also to osx as well as windows, to some degree, as the recent flashback trojan has shown – and although linux is less susceptible to social-engineering via installs, due to most s/w coming from a ‘trusted’ repo, linux does sometimes have local-code-execution vulnerabilities from time-to-time) could easily take out your samsung kit /as well/ as doing all the usual virus/trojan/malware stuff too.

    your stance of ‘zero fear’ is a misjudgement, and seems to be based upon ignorance of security more than anything else.

    - hope that helps? 

  15. wrecksdart

    Recently had this issue with a Galaxy Nexus running Android 4.0.2.  The device would reboot intermittently and then continue crashing and rebooting (I stopped counting one cycle at 8 crash/reboots) until it finally locked. 

    “They need serious grownups testing their products…”

    I’ll second that sentiment.
