Your Samsung Smart TV might be pretty dumb.
Penetration testing firm Neseso has found that a 32-inch Tizen-based smart TV, first released as part of the 2015 model year and still being sold in North America, isn’t authenticating devices that connect to it via Wi-Fi Direct.
Rather than requiring a password or PIN to authenticate devices that want to connect to the TV – like, say, your smartphone when you want to use it as a remote control – it’s relying on a whitelist of devices that the user’s already authorized.
To do that, Samsung’s Smart TV uses devices’ media access control (MAC) addresses. A MAC address identifies a piece of network hardware, but it is an identifier, not a secret: it is sent in the clear in every Wi-Fi frame, and most operating systems let you change it with a single command (for legitimate purposes such as privacy, by a thief who wants to hide a stolen device, or by an attacker who wants to impersonate one).
Neseso says the user is notified when a whitelisted device connects to their Smart TV, but that’s it: if the device’s MAC address is on the whitelist, the TV lays out the welcome mat without requiring any authentication.
It’s easy for an attacker to get a whitelisted MAC address, Neseso said, and it’s not hard to see why: Wi-Fi frames carry the sender’s MAC address unencrypted, so anyone in radio range with a wireless card in monitor mode can collect them. In fact, a few years ago, we saw a US cop sniffing out stolen gadgets by MAC address, wardriving in his squad car with software he’d rigged up to a thumb-drive-sized antenna plugged into the car’s USB port, looking for MAC addresses that matched a database of known stolen devices.
After an attacker spoofs a whitelisted MAC address, they’d be able to access all the services on the Smart TV, such as the remote control service.
An attacker would have to know the MAC address of, say, your smartphone’s Wi-Fi chip, whether sniffed from the air as described above or learned ahead of time. They’ll also likely have to crouch outside in your shrubbery, given that Wi-Fi Direct is a short-range, peer-to-peer Wi-Fi link, while clutching the laptop or smartphone that’s spoofing the MAC address, so they can start messing with channel-changing or screen mirroring.
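The point in the paragraphs above is that a MAC address is an identifier anyone nearby can read, not a credential. The following is an added example, not code from Neseso or Samsung: it parses a (constructed) captured 802.11 probe request to pull out the transmitter MAC, shows that a whitelist check of the kind described accepts a spoofed frame carrying that MAC, and contrasts it with a simplified PIN-based challenge/response in which the spoofer is rejected. The 802.11 header layout is real; the captured frame, the whitelist, the pairing PIN and every function name are assumptions made for the demo.

```python
"""Added example, not code from Neseso or Samsung: why a MAC-address
whitelist is not authentication.  The 802.11 header layout is real; the
captured frame, the whitelist, the PIN and the function names are constructed
for this demo.
"""
import hmac
import os
import struct
from hashlib import sha256

# --- 1. MAC addresses are visible to any nearby receiver ------------------
# 802.11 MAC header: frame control (2) | duration (2) | addr1 (6) | addr2 (6)
# | addr3 (6) | sequence control (2).  addr2 is the transmitter.  Header
# fields are sent in the clear even when the payload is encrypted, so a
# passive listener (a wardriver, or an attacker in the shrubbery) sees them.

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def parse_80211_header(frame: bytes) -> dict:
    """Decode the fixed 24-byte 802.11 MAC header (little-endian fields)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc, _duration, a1, a2, a3, seqctl = struct.unpack("<HH6s6s6sH", frame[:24])
    return {
        "type": (fc >> 2) & 0x3,       # 0 = management, 1 = control, 2 = data
        "subtype": (fc >> 4) & 0xF,    # management subtype 4 = probe request
        "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
        "seq": seqctl >> 4,            # low 4 bits are the fragment number
    }

def build_probe_request(src_mac: str, seq: int = 0) -> bytes:
    """Management frame, subtype 4 (probe request), to the broadcast address."""
    fc = (0 << 2) | (4 << 4)                          # version 0, type 0, subtype 4
    bcast = b"\xff" * 6
    return struct.pack("<HH6s6s6sH", fc, 0, bcast, mac_bytes(src_mac), bcast, seq << 4)

# Constructed "capture": the owner's phone probing for networks.  The
# locally-administered bit (02:...) is set so this is not a real vendor MAC.
PHONE_MAC = "02:11:22:33:44:55"
CAPTURED_PROBE = build_probe_request(PHONE_MAC, seq=7)

# --- 2. The TV's model as described: admit any source MAC on the list -----
WHITELIST = {PHONE_MAC}

def tv_admits_by_whitelist(frame: bytes, whitelist: set) -> bool:
    return parse_80211_header(frame)["addr2"] in whitelist

def spoofed_frame(observed_mac: str) -> bytes:
    """Attacker reuses the observed MAC as their own transmitter address.
    The real-world equivalent on Linux is a single command such as
    `ip link set dev wlan0 address 02:11:22:33:44:55`."""
    return build_probe_request(observed_mac)

# --- 3. What a credential-based check looks like -------------------------
# Simplified challenge/response: the TV issues a random nonce and the client
# proves knowledge of the pairing PIN with an HMAC over nonce and MAC.  Real
# Wi-Fi Direct provisioning (WPS PIN / push-button) is more elaborate; this
# toy keeps only the property that matters here: admission requires a secret,
# not a public identifier.
PAIRING_PIN = "48217"   # constructed for the demo

def tv_challenge() -> bytes:
    return os.urandom(16)

def client_respond(pin: str, nonce: bytes, mac: str) -> bytes:
    return hmac.new(pin.encode(), nonce + mac_bytes(mac), sha256).digest()

def tv_admits_by_pin(mac: str, nonce: bytes, response: bytes, pin: str) -> bool:
    expected = client_respond(pin, nonce, mac)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    seen = parse_80211_header(CAPTURED_PROBE)["addr2"]   # what the sniffer learns
    nonce = tv_challenge()
    return {
        "sniffed_mac": seen,
        "whitelist_admits_spoof": tv_admits_by_whitelist(spoofed_frame(seen), WHITELIST),
        "pin_admits_owner": tv_admits_by_pin(
            seen, nonce, client_respond(PAIRING_PIN, nonce, seen), PAIRING_PIN),
        "pin_admits_spoof": tv_admits_by_pin(
            seen, nonce, client_respond("0000", nonce, seen), PAIRING_PIN),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints `whitelist_admits_spoof: True` and `pin_admits_spoof: False`: the whitelist check cannot tell the owner's phone from a laptop wearing its MAC, while the challenge/response can, because the spoofer never learned the PIN. Note that the toy PIN scheme is only an illustration of "knowledge of a secret"; a short static PIN used this way could be guessed offline from one captured exchange, which is why real pairing protocols wrap the PIN in a key exchange rather than HMACing it directly.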
OK, so an attacker can change your channel. Annoying, but hardly earth-shattering, eh? Well, it doesn’t stop with remote channel-surfing: an attacker could use the TV as a springboard to gain access to whatever network it’s connected to, Neseso said.
Would an attacker be able to get at your home Wi-Fi network’s name and password? Not necessarily through this Wi-Fi Direct vulnerability. But as another security researcher revealed a few weeks ago, the operating system running on millions of Samsung products – it’s called Tizen – is what Motherboard referred to as a hacker’s dream.
Israeli researcher Amihai Neiderman:
Everything you can do wrong there, they do it. You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.
We’ve certainly heard of Samsung vulnerabilities before. In fact, last month, WikiLeaks published documents that purportedly showed how the CIA can monitor people through their Samsung Smart TVs.
Neseso contacted Samsung starting last month; the Korean company eventually said it didn’t consider the find to be a security vulnerability. That’s why Neseso decided to publish details on the Full Disclosure mailing list, it said.
The security outfit advised Samsung Smart TV owners to remove all their whitelisted devices and to avoid using the Wi-Fi Direct feature. It didn’t explain precisely how to do that, instead telling users to contact Samsung directly. You might want to poke around in the Network menu under Settings, or simply disable Wi-Fi on your smart TV… though that would rob you of all those smart TV features you paid for.
Neseso didn’t test other Samsung models, but it suggested that they too might be vulnerable.
Short of disabling Wi-Fi, we’d suggest keeping an eye out for rustling shrubbery. If your TV channels start changing, call the police and then, by all means, switch off your TV’s Wi-Fi.
Simon McAllister
Shameful! But not surprised to learn this. I own a couple of Samsung Smart TVs, purposely neither with cameras nor microphones. Nor do I allow them to access the 20+ IP networks and DNS addresses they attempt to contact. If I lead-line my house, I can secure proximity of the Bluetooth connectivity, which cannot be turned off within the menu.