Abusing the Internet of Things

Operation successfully completed.
Now you can flash your TV with ./T-CHL7DEUC directory.

Notice that the SamyGO.py tool decrypts the “encrypted” image with the exact key we
found using the strings command (T-CHE7AUSC). It then patches the firmware to include the
Telnet service and encrypts it with the same XOR key. Now, all the user has to do is place the
T-CHE7AUSC directory and its contents on a USB stick and connect it to the TV. The TV will
then go through the process of upgrading the firmware, which will cause it to enable the
Telnet function. The default username applied by the patch is root, and there is no password
required (Figure 5-3).

FIGURE 5-3. No password is required to log into the Samsung TV after applying Telnet patch

TIP
The SamyGO website contains tons of additional tools that exploit conditions beyond the example
listed in this chapter. If you have a Samsung TV, take a look and see what tools are available that
may interest you.

Give some thought to the gravity of the consequences of Samsung’s failure to comprehend
the basics of the XOR algorithm. This mistake is helping the SamyGO community to
thrive, which is against the company’s interests. The highly technical users on the SamyGO
forum love to exploit this type of loophole since it gives them tremendous freedom to modify
the devices they have paid for and feel they should be allowed to customize. From Samsung’s
point of view, however, allowing users to tweak the firmware can cause TVs to malfunction.
There are also legal concerns with regard to content providers Samsung may have partnered
with, since firmware tweaks can be abused to allow users to illegally store and distribute
protected media content.

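The following is an added example, not code from the book or from the SamyGO project. It shows a release check a firmware builder could run on an image protected with repeating-key XOR to see whether the key is visible in the output. The image layout and function names are constructed for illustration; only the key string comes from the text above.

```python
import re
from collections import Counter

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def printable_runs(blob: bytes, min_len: int = 8) -> list:
    """Rough equivalent of strings(1): runs of printable ASCII bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def leaked_key_candidates(blob: bytes, key_len: int, min_hits: int = 4) -> list:
    """Printable key_len-byte chunks that repeat at key-aligned offsets.

    XORing a zero byte with a key byte yields the key byte, so zero
    padding in the plaintext shows up as the key itself in the output.
    """
    chunks = (blob[i:i + key_len] for i in range(0, len(blob) - key_len + 1, key_len))
    counts = Counter(chunks)
    return [c for c, n in counts.most_common()
            if n >= min_hits and re.fullmatch(rb"[\x20-\x7e]+", c)]

# Key string quoted in the text; everything else below is constructed.
KEY = b"T-CHE7AUSC"
IMAGE = (b"FWIMG\x01" + bytes(range(1, 60))      # made-up header
         + bytes(256)                             # zero padding
         + b"constructed payload, not real firmware")
ENCRYPTED = xor_repeat(IMAGE, KEY)

if __name__ == "__main__":
    print("strings-style runs:", [r[:30] for r in printable_runs(ENCRYPTED)])
    print("repeating chunks:  ", leaked_key_candidates(ENCRYPTED, len(KEY)))
    print("round trip intact: ", xor_repeat(ENCRYPTED, KEY) == IMAGE)
```

A longer XOR key does not change either result. The update path needs an integrity check, such as a signature over the image, that the device enforces before flashing.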
The SamyGO community doesn’t seem particularly savvy when it comes to security,
either. As Figure 5-3 shows, the patches being applied to increase functionality utilize no pass-

