The Pineapple is a useful device for testing IoT devices that connect to the network.
Check out the various additional infusions available for free. For example, you can use
dnsspoof to send the TV any IP address when it looks up the location of a particular server (for
example, you might send 192.168.1.1, where you have a local web server installed, instead of
one of Google’s real IP addresses, when the TV looks up google.com). In a paper titled “Smart
TV Hacking”, Nikos Sidiropoulos and Periklis Stefopoulos found that their Samsung Smart
TV connected to a web server at az43064.vo.msecnd.net to download the firmware update.
They set up a local server on their laptop with the same firmware file and manually created an
entry for az43064.vo.msecnd.net to point to their laptop’s IP address to see if the Smart TV
would download the firmware from their laptop instead. It did. This was an interesting test to
see if the TV contained any static entries for trusted servers (it didn’t). If you come across a
condition such as this, you can easily test this scenario using the dnsspoof infusion on the
Pineapple if you don’t have direct access to the TV’s filesystem (to be able to create a static
entry).
You can also easily capture all network traffic using the tcpdump infusion (and view it
using the Wireshark tool). This can be used to test various functionalities of applications and
reverse engineer their design. And this isn’t just limited to Smart TVs. Test other IoT devices
you have access to and see what you find. Have fun!
Conclusion
In the scope of our discussion, we learned that Smart TVs are full-blown Linux machines.
These devices are increasingly hopping onto the wireless networks in homes and offices,
where we rely on them to be secure. Smart TV manufacturers also want to make sure these
devices cannot be tampered with, to protect their business. Samsung is one of the most popular
Smart TV manufacturers, and as this chapter has shown, it has had a bad start.
In the world of traditional application security, we’ve learned the basics of applying
encryption the right way, including basic principles such as taking care to perform input validation.
We’ve learned to be careful of web-based design by making sure cross-origin policies
are strictly enforced. For most developers, how to implement such basic security is common
knowledge. However, manufacturers like Samsung have not applied due diligence to security.
This has resulted in millions of TVs sold by Samsung that are connected to the Internet and
are possibly vulnerable to attacks (a lot of Smart TVs have autoupdate functionality enabled,
and this helps the situation, but attackers who’ve managed to make their way in are likely to
disable autoupdates). This situation can be abused by attackers to use the Smart TVs to launch
attacks on other devices on the local network (and also on external third-party targets).
Attackers can also leverage this to gain access to video cameras connected to the TVs,
thereby violating the privacy of families. But it’s not just the attackers; privacy also depends
upon how the system is designed. In an article titled “I’m terrified of my new TV,” author
Michael Price talks of the voice recognition feature in his Smart TV, which comes with this
154 CHAPTER 5: THE IDIOT BOX—ATTACKING “SMART” TELEVISIONS