Abusing the Internet of Things

(Rick Simeone) #1

words, or in some cases weak passwords (such as SamyGO). Not only can a sophisticated user
place malware on a TV she has physical access to (by patching the firmware to include remote
monitoring tools), but malware on other devices on the same network as that of the Samsung
TV can attempt to log into a tweaked TV set using either a null password or SamyGO.
The firmware we studied was last updated in 2009. This is because there is little hope for
Samsung to rectify this problem on older TVs. If Samsung decided to patch this issue, the
patch would have to be encrypted using the flawed XOR mechanism in order for the existing
TVs to be able to apply it in the first place. This situation would allow people to decrypt the
patch and analyze it in the clear. Even if Samsung were to find a way to patch the issue that
didn’t use the flawed encryption mechanism, it would be operationally infeasible since the
users wouldn’t simply be able to apply the latest patch, which is what most users do; they’d be
required to first issue the critical patch that fixed the XOR flaw so that their TVs could
understand the new encryption mechanism used to protect the latest firmware file. See the amount
of mess this has created?
The slang term encraption (with the emphasis on crap) is affectionately used by the
cybersecurity community to call out badly implemented encryption. As this case shows, the title of
this section is entirely justified.
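
Why a patch shipped under the XOR scheme could not stay confidential, shown as an added example that is not from the book or from Samsung's code. It assumes the scheme is a repeating-key XOR; the key, header, image layout and function names are constructed for illustration.

```python
from itertools import cycle

# Everything below is constructed sample data, not a real vendor key or image.
CONSTRUCTED_KEY = b"demo-vendor-key"
HEADER = b"FWIMG\x00\x01\x00"                 # hypothetical 8-byte header
PAD_LEN = 64                                  # zero padding after the header
IMAGE = HEADER + bytes(PAD_LEN) + b"patch body: fixed routine goes here\n"

def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def smallest_period(stream: bytes) -> int:
    """Shortest period of a keystream sample, i.e. the key length."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)

def recover_key(ciphertext: bytes, known: bytes, offset: int, key_len: int) -> bytes:
    """Rebuild the key from plaintext known to sit at `offset`."""
    if len(known) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    key = bytearray(key_len)
    for i in range(key_len):
        # ciphertext XOR plaintext is the key byte used at that position
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ known[i]
    return bytes(key)

def demo():
    ciphertext = xor_crypt(IMAGE, CONSTRUCTED_KEY)
    pad = slice(len(HEADER), len(HEADER) + PAD_LEN)
    # XOR with zero bytes changes nothing, so the padding region *is* the keystream.
    key_len = smallest_period(ciphertext[pad])
    key = recover_key(ciphertext, bytes(key_len), pad.start, key_len)
    return key_len, key, xor_crypt(ciphertext, key)

if __name__ == "__main__":
    key_len, key, plaintext = demo()
    print(f"key length {key_len}, key {key!r}, image recovered: {plaintext == IMAGE}")
```

The result does not depend on how long the key is, only on some stretch of the plaintext being predictable, which is why a fix delivered through this channel can always be read in the clear.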


Understanding and Exploiting the App World


Smart TVs offer apps such as Skype, the popular videoconferencing solution. In this section,
we will take a deeper look into the world of apps on TVs to understand how they work and the
security mechanisms surrounding them. In the future, more and more people are going to
use and rely on apps on their Smart TVs, so the potential for abuse will become higher. This
is because more apps will mean more code is written to run on TVs, and this code may
contain security vulnerabilities. The popularity of apps will also draw the interest of malicious
attackers who have an interest in continuing to find avenues to exploit systems to steal data
from victims.


Decrypting Firmware


To have a deeper understanding of how apps work, we need to become familiar with the
underlying platform that supports the functionality of a Smart TV. We’ve discussed the weak
XOR encryption used in Samsung TVs that allows for the decryption and patching of
firmware. Samsung has countered this by encrypting the firmware using AES in newer models of
its Smart TVs. However, the secret encryption key has been leaked and is available to the
public. It is unclear how this happened, but tools from the SamyGO website contain this key and
can easily decrypt the firmware downloaded from the Samsung website.
Let’s start with a firmware version that we know has been encrypted utilizing AES:


$ ls -l T-ECPDEUC/image/
total 197164

136 CHAPTER 5: THE IDIOT BOX—ATTACKING “SMART” TELEVISIONS