Abusing the Internet of Things

(Rick Simeone) #1

Samsung uses BusyBox, which combines tiny versions of many common Linux utilities
into a single executable. The BusyBox system is useful for powering consumer devices
because it offers an easy way to include or exclude commands, making it extremely modular.
The Samsung TVs run a binary called exeDSP that basically controls the entire functionality
of the system. It is responsible for the user interface navigation, allowing the user to
change settings, and for accessing the applications. The exeDSP binary runs as the root user;
i.e., with full privileges.
The apps written for Samsung TVs contain a minimum of three files: the executable code
(Adobe Flash or a shared object), a bitmap (the icon for the app), and the package description
in a file called clmeta.dat. Here is an example of a clmeta.dat file:


<?xml version="1.0" encoding="utf-8"?>
<contentlibrary>
  <contentpack id="tocttou">
    <category>Wellness</category>
    <title language_id="English">tocttou</title>
    <startpoint language_id="English">tocttou.so</startpoint>
    <thumbnailpath>tocttou.bmp</thumbnailpath>
    <totalsize>1</totalsize>
  </contentpack>
</contentlibrary>

The startpoint tag specifies the actual binary, which in this case is tocttou.so. The
category tag specifies the type of app, which in this case is Wellness. Other common categories
recognized by Samsung are Game and Children. Mulliner and Michéle noted that applications
of type “Game” are in the form of shared objects, while other categories are typically
Adobe Flash applications.
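
The following Python example is added here and is not code from the book or from Samsung. It parses a clmeta.dat document and flags packages whose startpoint is a shared object, since that code is run by exeDSP with root privileges, and flags any such package whose category is not Game. The flag names, the puzzle and stories packages, and the .swf file name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the clmeta.dat from the text plus two made-up packages.
SAMPLE_CLMETA = """<?xml version="1.0" encoding="utf-8"?>
<contentlibrary>
  <contentpack id="tocttou">
    <category>Wellness</category>
    <title language_id="English">tocttou</title>
    <startpoint language_id="English">tocttou.so</startpoint>
    <thumbnailpath>tocttou.bmp</thumbnailpath>
    <totalsize>1</totalsize>
  </contentpack>
  <contentpack id="puzzle">
    <category>Game</category>
    <startpoint language_id="English">puzzle.so</startpoint>
  </contentpack>
  <contentpack id="stories">
    <category>Children</category>
    <startpoint language_id="English">stories.swf</startpoint>
  </contentpack>
</contentlibrary>
"""


def audit_clmeta(xml_text):
    """Return one finding per <contentpack>: id, category, startpoint, flags."""
    # A package description has no need for a DTD; refuse it before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in clmeta.dat")
    findings = []
    for pack in ET.fromstring(xml_text.encode("utf-8")).iter("contentpack"):
        category = (pack.findtext("category") or "").strip()
        start = (pack.findtext("startpoint") or "").strip()
        flags = []
        if not start:
            flags.append("missing-startpoint")
        elif start.lower().endswith(".so"):
            # Shared objects are invoked by exeDSP, which runs as root.
            flags.append("native-code-as-root")
            if category != "Game":
                # The text associates shared objects with the Game category.
                flags.append("category-mismatch")
        findings.append({"id": pack.get("id"), "category": category,
                         "startpoint": start, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in audit_clmeta(SAMPLE_CLMETA):
        print(f["id"], f["category"], f["startpoint"], f["flags"] or "ok")
```

The clmeta.dat shown in the text is itself reported with both flags, because it declares the Wellness category while pointing at tocttou.so.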
In the case of shared objects, the Game_Main function call is invoked by the exeDSP
executable, which is coded using the C programming language. The following is some simple
shared object code:


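#include <stdlib.h>   /* system() */

/* Entry point that exeDSP invokes when the app is launched. */
int Game_Main(char *path, char *udn)
{
    system("telnetd &");   /* start the Telnet daemon in the background */
    return 0;
}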

In this case, the application starts up the Telnet service (assuming it is installed on the
system). However, the LExxB650 series of Samsung TVs does not allow the installation of
additional applications that are shared libraries. This severely limits the ability of a third party
to modify the functionality of the TVs, or to install malicious code that could infect the devices
(for example, letting an attacker invade the owner’s privacy by viewing video from a

