Two vulnerabilities in Android-based smart-TVs from Sony, including the flagship Bravia line, could allow attackers to access WiFi passwords and images stored on the devices.
The bugs exist in the Photo Sharing Plus feature of Sony smart-TVs going back to 2015. They were uncovered by xen1thLabs in October; Sony in response has removed the vulnerable application from all new models and the bugs were disclosed on Monday.
It’s important to remember that the vulnerabilities exist not only in homes but also in companies and organizations where smart TVs are used in conference and meeting rooms, widening the scope of the threat surface.
The Photo Sharing Plus application allows the uploading of pictures and multimedia from a smartphone to a TV, in order to show content in a slideshow format. The first vulnerability (CVE-2019-11336) allows an attacker, without authentication, to retrieve the WiFi password created by the television when the Photo Sharing Plus application is started. The second (CVE-2019-10886) allows an attacker to read arbitrary files, including images, located within the TV’s software, without authentication.
On the first point, when started, the app essentially turns the TV into a WiFi access point and shows a WiFi password that allows customers to connect and share their media content, according to xen1thLabs. It’s possible for an attacker to retrieve this password in plaintext from the logs kept in the Photo Sharing Plus API, according to the researchers, which is reachable via the home network or corporate LAN and which has no access restrictions on it.
The second bug opens up internal smart-TV files to cyberattackers: “By default, images used by the Photo Sharing Plus application are stored inside ‘/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/’,” explained the team, in an advisory this week. “The application initiates an access point on the television and a HTTP daemon is listening to a TCP port on the newly created WLAN. Furthermore, this daemon also listens on the LAN side of the television, and it is possible to retrieve these images from the LAN an image using [a hardcoded URL without authentication].”
Further, browsing to the hard-coded web address “http://[ip_tv]:10000/contentshare/image/” allows access to the Android-based root directory of the television, along with its default property files; these include the wireless password for the television.
In either case, attackers could upload their own content or pilfer content from the TV owners.
To be clear, an adversary would need to first access the network in order to exploit either vulnerability – so the attack would be local or require a multi-stage effort involving gaining remote network access.
A list of affected models can be found here – the list is not comprehensive, according to xen1thLabs.
This is not the first issue for Sony TVs and Photo Sharing Plus. In October, security researchers revealed that eight Sony Bravia smart TV models were vulnerable to a command-injection (CVE-2018-16593) bug tied to Photo Sharing Plus.
“This application handles file names incorrectly when the user uploads a media file,” wrote Fortinet’s Tony Loi at the time, who found the vulnerability. “An attacker can abuse such filename mishandling to run arbitrary commands on the system, which can result in complete remote code-execution with root privilege.”
The bugs illustrate the snowballing threat surface of smart devices and the internet of things (IoT), and the need for more awareness on the part of consumers and businesses alike.
“Any one of the billions of devices connected to a network, no matter how small, could be a target for hackers looking for a vulnerable path to a network or as part of a more widespread attack on a particular device type or channel,” said Gil Bernabeu, technical director at GlobalPlatform, in a recent blog on IoT security. “As the number and nature of use cases grow, so too do the risks.”