Sony Smart TV Bug Allows Remote Access, Root Privileges

Software patching becomes a new reality for smart TV owners.

As the number of smart TVs grows, so does the number of vulnerabilities inside of them. On Thursday, security researchers revealed that eight Sony Bravia smart TV models are vulnerable to three separate bugs, one rated critical.

The flaws – a stack buffer overflow, a directory traversal and a command-injection bug – were found by Fortinet in March by its FortiGuard Labs team. The most serious of the vulnerabilities is the command-injection (CVE-2018-16593) bug, which is tied to a proprietary Sony application called Photo Sharing Plus. The app allows users to share multimedia content from their phones or tablets via Sony TVs.

“This application handles file names incorrectly when the user uploads a media file,” wrote Fortinet’s Tony Loi, who found the vulnerability. “An attacker can abuse such filename mishandling to run arbitrary commands on the system, which can result in complete remote code-execution with root privilege.”

Fortinet researchers said a compromised TV could be recruited into a botnet or be used as springboard for additional attacks against devices that shared the same network. To be successful, an adversary would need to be on the same wireless network as the Sony TV.

Similar to the previous vulnerability, the other two Sony Bravia bugs are also tied to Sony’s Photo Sharing Plus application, but are rated high severity. The stack buffer overflow (CVE-2018-16595) is a “memory corruption vulnerability that results from insufficient size checking of user input,” Loi wrote in a technical write up.

The directory-traversal vulnerability (CVE-2018-16594) relates to the way the Photo Sharing Plus app handles file names. “An attacker can upload an arbitrary file with a crafted file name (e.g.: ../../) that can then traverse the whole filesystem,” the researcher wrote.

Fortinet said Sony’s over-the-air patch needs a user’s approval and a network connection to work. In its security bulletin, Sony said that impacted televisions are set to automatically receive updates by default, and should have already. Affected Bravia models include: R5C, WD75, WD65, XE70, XF70, WE75, WE6 and WF6.

Loi also cautioned that the vulnerability landscape for smart-TV platforms and other net-connected devices is growing. “[Cybercriminals] increasingly target IoT devices, such as smart TVs, that include always-on connectivity and high-performance GPUs that can be hijacked for malicious purposes,” he wrote. Those powerful GPUs can commandeered for cryptomining, and increasingly are falling victim to it.

Earlier this year, Consumer Reports identified two smart TV models from Samsung and TCL that included bugs that allowed an attacker to take control of targeted TVs. A hacker who exploited these vulnerability would be able to take control of the TV and change the channel, turn up the volume and play offensive YouTube videos from anywhere on the planet, the report stated.

This attack surface is growing, too: According to market researchers at GFK, more than half of all 2017 TV sales in the U.S. were smart TVs.

Suggested articles