for a password, an attacker can use this method to log in to the TV (using a Telnet client) with
no password and directly obtain a root shell.
This is a great example of how a simple attack can be used to bypass restrictions and secu-
rity functionality designed into popular Smart TVs. Even though this attack requires physical
access to the TV, it is still interesting because it exploits a simple vulnerability: the TV doesn’t
check the categorization of the application when rereading the clmeta.dat file.
We shouldn’t discount the probability of an attack because it requires physical access. A
specific family could indeed be targeted via a social engineering attack. This could take the
form of a modified board (such as the Gumstix) being physically mailed to the family in the
guise of an official update from the manufacturer. Because many Smart TVs include cameras
for video calls (or allow third-party cameras to be plugged in), falling victim to this ploy can
result in loss of privacy in addition to the risk of the Smart TV being compromised and
abused to launch further attacks into the home network.
The countermeasure for this attack is quite simple. The TV should first copy any third-
party application onto local storage and then check the categorization. If the categorization
check fails, the TV should discard and reject the application. This is also true for other types of
IoT devices that allow users to install only certain types of applications. This will help ensure
that the IoT devices users depend on for their privacy are safe and not vulnerable to simple
attacks like TOCTTOU.
You Call That Encryption?
The field of cryptography is alive and thriving. Advances in encryption algorithms and compu-
tational power are helping to protect our data and the integrity of our software and hardware.
IoT devices are and will continue to be dependent on encryption to make sure the privacy of
the user is protected and their own integrity is not compromised. Encryption algorithms are
great tools to leverage to promote secure design, but ultimately, the architects and developers
must have a proper understanding of how the algorithms work to be able to design them
securely. Lack of comprehension of the fundamentals of encryption algorithms can and will
make the end product vulnerable to flaws and attacks.
In this section, we will take a look at how the lack of understanding of basic encryption
algorithms led a Samsung Smart TV to become vulnerable to a local (physical access required)
attack that allowed the user to modify the TV’s firmware. This is a similar outcome to the
TOCTTOU scenario, but the attack vector exploits an implementation flaw that uses XOR
encryption. We will quickly recap the XOR algorithm and analyze how the attack works.
Understanding XOR
XOR (eXclusive OR, see="XOR encryption”) is a Boolean algebra function. Quite simply, it
will return true if one, and only one, of the two operators is true. With this logic, the following
table holds true:
YOU CALL THAT ENCRYPTION? 129