Abusing the Internet of Things


camera attached to the TV or stealing any credentials that may be stored on the TV). The goal
of the research was to test and demonstrate if there is a way to override this limitation.


The Exploit


Recall that the exeDSP executable runs with root privileges. The exeDSP process is also
responsible for starting up applications that are shared libraries. Since exeDSP does not lower
the privileges of shared libraries that it executes, the ability to install additional third-party
applications is immensely attractive to an attacker, as well as to users who want to extend or
modify the functionality of their TVs. Therefore, the goal of the attack is to somehow get the
TV to allow installation of an external application that is of the Game category, which
corresponds to shared library code.

Mulliner and Michéle used a Gumstix expansion board to set up the attack. The Gumstix
board is equipped with a USB OTG port, which allows other USB devices to connect to it as
clients (for example, USB memory sticks and digital cameras). USB OTG also allows the
Gumstix board to function as a client (i.e., to connect to other USB hosts as a storage device,
like a USB memory stick).


TIP: The Gumstix board is basically a mini computer. The manufacturer’s instructions on how to connect
to a new Gumstix board are useful in understanding the functionality and capability of the board.

The g_file_storage.ko module is part of the Linux USB stack. By using this module and
presenting the Gumstix board as a USB storage device, it is possible to analyze what files the TV
reads when presented with an application. In the case of the Samsung TV, non–shared library
applications (i.e., Adobe Flash applications) are copied from the USB device to the TV’s
internal storage and executed. Each application should be in its own directory, which includes a
bitmap file, the clmeta.dat file, and the actual binary as listed in the startpoint tag in
clmeta.dat.

The g_file_storage.ko utility takes the filename of a filesystem image as a parameter and
exports it as a USB device. When connected to a host, each block request is read and sent over.
The researchers modified the utility to also track every block read request in order to ascertain
exactly what information the TV is reading when presented with a new application. The
following is a sample output from the modified version of g_file_storage.ko when the TV is
presented with an Adobe Flash application:


11:18:56 TOCTTOU (DIR)
11:18:56 CLMETA.DAT (471b) [/TOCTTOU]
11:18:56 CLMETA.DAT -> read completed!
11:18:56 CACHE (DIR)
11:18:56 CLMETA.DAT (450b) [/CACHE]
11:18:56 CLMETA.DAT -> read completed!
11:19:10 CACHE.BMP (843758b) [/CACHE]
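
To read a trace like the one above as a timeline, the following added example (not the researchers' tooling and not code from the book) parses it into one record per file with its size, start time, and completion state. The line grammar is an assumption inferred only from the seven sample lines shown, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed input: the seven trace lines quoted above, copied verbatim.
SAMPLE = """\
11:18:56 TOCTTOU (DIR)
11:18:56 CLMETA.DAT (471b) [/TOCTTOU]
11:18:56 CLMETA.DAT -> read completed!
11:18:56 CACHE (DIR)
11:18:56 CLMETA.DAT (450b) [/CACHE]
11:18:56 CLMETA.DAT -> read completed!
11:19:10 CACHE.BMP (843758b) [/CACHE]
"""

# Assumed grammar: "<time> <name> " followed by a directory marker,
# a "(<size>b) [<parent>]" read start, or a read-completed marker.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?P<name>\S+) "
    r"(?:(?P<dir>\(DIR\))|\((?P<size>\d+)b\) \[(?P<parent>[^\]]+)\]"
    r"|(?P<done>-> read completed!))$"
)

def parse_trace(text):
    """Return one record per file, in the order the host started reading it."""
    files = []     # records in first-read order
    pending = {}   # bare file name -> most recent read still in progress
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["dir"]:
            continue  # skip non-trace lines and directory lookups
        if m["size"]:
            rec = {"path": f'{m["parent"]}/{m["name"]}', "size": int(m["size"]),
                   "start": datetime.strptime(m["ts"], "%H:%M:%S"),
                   "completed": False}
            files.append(rec)
            pending[m["name"]] = rec
        elif m["name"] in pending:
            # Completion lines carry only the bare name (CLMETA.DAT appears in
            # two directories), so attribute them to the latest read started.
            pending.pop(m["name"])["completed"] = True
    return files

def gaps(files):
    """Seconds between the start of consecutive file reads."""
    return [(a["path"], b["path"], int((b["start"] - a["start"]).total_seconds()))
            for a, b in zip(files, files[1:])]
```

On the sample, both clmeta.dat reads finish within the same second, while the bitmap read starts 14 seconds later and has no completion line in the excerpt.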

126 CHAPTER 5: THE IDIOT BOX—ATTACKING “SMART” TELEVISIONS