UPDATE — Some versions of Philips’ internet-enabled SmartTVs are vulnerable to cookie theft and a mélange of other tricks that abuse a lax WiFi setting.
The problem lies in Miracast, a WiFi feature that comes enabled by default, with a fixed password, no PIN, and no request of permission, according to researchers at the Malta-based firm ReVuln.
The vulnerability allows anyone within range of the device’s WiFi adapter to connect to the TV and access its many features. This includes being able to access potentially sensitive information within the TV’s system and configuration files as well as any files that may be on a USB stick connected to the TV. If the user browses the Internet on the same TV, an attacker could also be able to glean some of the cookies used to access certain websites.
The WiFi hole could also open the TV up to a whole mess of hijinks: An attacker could broadcast their own video, audio or images to the TV, and change the channel on a whim, without the viewer being any the wiser.
A video posted by ReVuln’s Luigi Auriemma on Wednesday points out that the default settings are present in the TV’s most recent firmware update, QF2EU-0.173.46.0, which allows anyone to connect to the device’s WiFi without authorization and without asking permission. The device’s hardcoded password is just ‘Miracast,’ and after users are connected they are not given the option to set a custom password.
In the proof of concept video Auriemma goes on to steal files from a USB device that’s plugged into the device, along with Gmail cookie files stored in the web browser.
According to ReVuln the vulnerabilities exist in all 2013 models of SmartTV (6, 7, 8, 9xxx) that have the most recent firmware installed.
The WiFi Alliance, a consortium in charge of overseeing all things WiFi said later Friday that it was looking into the vulnerability and have been in touch with Philips regarding the security of Miracast.
“The recent report of a non-compliant passphrase implementation appears to be limited to a single vendor’s implementation,” a statement from the Alliance read Friday. “We enforce the requirements of our certification programs and have been in contact with the company in question to ensure that any device bearing the Miracast mark meets our requirements.”
The vulnerability is the latest in the line of “internet of things” instabilities, software flaws that plague everyday items that connected to the internet such as vehicles, light bulbs and medical devices.
The researchers at ReVuln found a flaw similar to the SmartTV bug in Samsung’s LED 3D TV last year where in an attacker could exploit a vulnerability to retrieve personal information from the device, spy on users and root the TV remotely.