FIGURE 5-4. Leaked encryption keys are available on the SamyGO forum
Using the leaked keys, it’s easy to decrypt any .cmk file:$ openssl aes-128-cbc -d -K B1D5F122E75D757C79F48886D42F8E1A -in index.html.cmk
-nosalt -iv BFE932F9273DC2A0DFC93F0B8E7AC7C2 -out index.htmlThe index.html file contains JavaScript code. Here is a snippet:<body id='SmartHubBody' onload='SmartHomeMain.onCreate();' onunload='SmartHomeMa
in.onDestroy();' style='background-color: transparent; width: 1920px; height: 10
80px;overflow:hidden;'>This gives us a glimpse into the underlying platform of a Samsung Smart TV. The system
is based on the Linux operating system and configured more or less like any other Linux
device. We’ve seen evidence of the exeDSP executable, configuration files, and the X11 Win-
dow System. We’ve also seen yet another instance where the implemented encryption has
been broken by way of leaked encryption keys available online. Samsung, other Smart TV
manufacturers, and IoT device manufacturers and designers in general should take heed of
these examples and understand that even though they may be using good encryption algo-
rithms, they need to make sure they implement these algorithms with a proper understanding
of their weaknesses.
UNDERSTANDING AND EXPLOITING THE APP WORLD 141