Smart-TV Bug Allows Rogue Broadcasts

An attacker could gain remote access by chaining together an exploit for home routers with the TV flaw.

An unpatched vulnerability in smart TVs would allow attackers on the same Wi-Fi network to hijack the TV set to broadcast their own content – including, potentially, fake emergency broadcast messages.

Discovered by security researcher Dhiraj Mishra, the flaw (CVE-2019-12477) is found in the SUPRA Smart Cloud TV brand, which is popular in Russia and Eastern Europe. The TVs are mainly sold via ecommerce sites, in Russia, China and the United Arab Emirates, according to an online search.

The issue lies in the `openLiveURL()` function, which the TV uses to fetch streaming content. However, it lacks authentication requirements or session management, according to Mishra. So, an attacker can trigger the vulnerability by send a specially crafted request to a static URL, which allows the adversary to inject a remote file.

A proof-of-concept video shows the attack:

“I found this vulnerability initially by source-code review and then by crawling the application, and reading every request helped me to trigger this vulnerability,” Mishra said in his writeup on Monday. “Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri=URI.”

The requirement for the attackers to have access to the home Wi-Fi network obviously mitigates the threat to a certain extent. However, the growing tide of internet of things bugs in routers can give attackers remote access to that network. For instance, two models of TP-Link’s budget routers, models TP-Link WR940N and TL-WR941ND, were recently found to be vulnerable to flaws that allow attackers to take control of both.

“In the case of these routers, we found a zero-day in the router could allow malicious third parties to take control of the device from a remote location,” wrote Grzegorz Wypych with IBM Research, in April.

Meanwhile, the SUPRA vulnerability remains unpatched; Mishra said that he couldn’t find a way to contact the vendor. Threatpost also attempted to uncover contact information for SUPRA with no success.

Smart-TV hijacking is not unheard of; in January, hackers took advantage of vulnerable Chromecast and Google Home devices to display messages on consumer TVs promoting well-known YouTube star PewDiePie.

Consumer Reports in 2018 meanwhile identified two smart TV models from Samsung and TCL that included bugs that allowed an attacker to take control of targeted TVs. A hacker who exploited these vulnerability would be able to take control of the TV and change the channel, turn up the volume and play offensive YouTube videos from anywhere on the planet, the report stated.

Other smart TV bugs have cropped up as well. Last fall for instance, security researchers revealed that eight Sony Bravia smart TV models are vulnerable to bugs that could allow complete remote code-execution with root privilege. A compromised TV could be recruited into a botnet or be used as springboard for additional attacks against devices that shared the same network.

And meanwhile, the impact of smart-TV vulnerabilities is growing as more of the sets are deployed.

“[Cybercriminals] increasingly target IoT devices, such as smart TVs, that include always-on connectivity and high-performance GPUs that can be hijacked for malicious purposes,” Tony Loi, Fortinet researcher, explained when describing the Sony flaws.

Suggested articles