SmartTV Security - For Fun and Non-Profit



                                                      Presented by:
                                Joaquim Espinhara/Ulisses Albuquerque
               jespinhara@trustwave.com/ualbuquerque@trustwave.com


                                                                 © 2012
Who is SpiderLabs?
  SpiderLabs is the elite security team at Trustwave, offering clients the most advanced
  information security expertise and intelligence available today.

  The SpiderLabs team has performed more than 1,500 computer incident response and
  forensic investigations globally, as well as over 15,000 penetration and application security
  tests for Trustwave’s clients.

  The global team actively provides threat intelligence to both Trustwave and growing
  numbers of organizations from Fortune 50 to enterprises and start-ups.

  Companies and organizations in more than 50 countries rely on the SpiderLabs team’s
  technical expertise to identify and anticipate cyber security attacks before they happen.


SpiderLabs – International Footprint




Agenda
•   Disclaimers
•   Motivation
•   Concepts
•   Why “Smart”?
•   Attack Vectors
•   Tools
•   Future Work
•   Conclusion


$ finger @jespinhara
• Network Security consultant for Trustwave SpiderLabs




$ finger @urma
• App Security consultant for Trustwave SpiderLabs
   –    Managed security services (full stack)
   –    Trusted [Virtual] Computing
   –    Linux device drivers
   –    Scripting/dynamic language love all around
   –    C whenever static typing is needed
       • OO is fun, Java/C++ are not
 • Breaking stuff is fun, building stuff is funnier,
   building stuff to break stuff is awesome


Disclaimers
• This talk focuses on a small subset of Smart TV
  manufacturers
  – TV sets are expensive, more intrusive tests void
    warranties and might brick the devices
  – We used our personal TVs during the tests
  – Manufacturers were not chosen, just what we already
    had at hand




Motivation
• Most devices now provide hardware that is good
  enough even for high-end consumers
  – Hardware alone is no longer enough to drive new
    purchases
  – Software adds possibility of further sales through
    application stores
  – Devices have turned into full-fledged software platforms
• TVs are ubiquitous
  – Full blown OS in networked devices everywhere



Motivation
• Current research is focused on specific
  devices/platforms/techniques
  – Google TV (Dwenger & Rosenberg, DEFCON20)
  – Smart TV Fuzzing (Kuipers, Starck & Heikkinen,
    whitepaper)
  – HDMI Fuzzing (Andy Davis, Blackhat12)
  – SamyGO Project (alternative firmware for Samsung
    TVs)
  – OpenLG TV Project (alternative firmware for LG TVs)



Motivation
• Hacks are still device/platform specific
   – Enough common ground for a framework though
   – Smart TVs share many common devices and attack
     vectors
   – Network attacks are particularly interesting due to
     interoperability between manufacturers
      • UPnP/DLNA is present in >90% of all TVs




Why “Smart”?




 • Analog TV signal, digital logic only applies to audio/video
   post-processing
 • Digital TV signal, audio/video combined with interactive content
   and control data, more robust microcontrollers/components required

Why “Smart”?
• Manufacturers had to upgrade the components in
  their devices to handle digital TV
  – Interactivity (Ginga, HbbTV, Tru2way)
  – Bandwidth (1080i versus 480p video, 5.1 versus 2.0
    audio)
• Beefier components allow for full-fledged software
  stacks




Why “Smart”?
Samsung Smart Hub            LG Dashboard




Why “Smart”?
• Samsung & LG have over 40% of the market
  – http://www.reghardware.com/2012/06/20/lcd_tv_shipments_slip_for_first_time_ever/
Why “Smart”?
• Models
  – LG 47LW5700
  – LG 32LV3700
  – Samsung UN32C5000




Attack Vectors

• Network
• Physical Access
• Application
• Digital TV




Attack Vectors
• Network
  – UPnP/DLNA
     •   Enabled by default
     •   Not possible to disable on most TV sets
     •   Device enumeration/fingerprinting
     •   Media playback abuse
     •   Information leaks
     •   Focus on device interoperability and home use scenarios




Attack Vectors


 NOTIFY * HTTP/1.1
 HOST: 239.255.255.250:1900
 CACHE-CONTROL: max-age=1800
 LOCATION: http://192.168.0.14:37904/MediaRenderer1.xml
 NT: upnp:rootdevice
 NTS: ssdp:alive
 SERVER: Linux/2.6.28.9 UPnP/1.0 DLNADOC/1.50 INTEL_NMPR/2.0 LGE_
 USN: uuid:1b12f5e8-1dd2-11b2-9d7b-de7e1af3b7bb::upnp:rootdevice




Attack Vectors

 <pnpx:X_compatibleId>MS_DigitalMediaDeviceClass_DMR_V001</pnpx:X
 <pnpx:X_deviceCategory>MediaDevices</pnpx:X_deviceCategory>
 <df:X_deviceCategory> Multimedia.DMR</df:X_deviceCategory>
 <df:X_modelId>LG Digital Media Renderer TV</df:X_modelId>
 <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
 <friendlyName>47LW5700-SA</friendlyName>
 <manufacturer>LG Electronics</manufacturer>
 <manufacturerURL>http://www.lge.com</manufacturerURL>
 <modelDescription>UPnP Media Renderer 1.0</modelDescription>
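
A passive audit of what the NOTIFY announcement and device description above disclose about a TV on your own network, as an added example that is not part of the original slides. The XML wrapper around the slide's elements, the function names and the finding texts are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Models named in the talk; used to spot a model number in friendlyName.
KNOWN_MODELS = ("47LW5700", "32LV3700", "UN32C5000")
WANTED = ("deviceType", "friendlyName", "manufacturer", "modelDescription")

# Constructed sample: the NOTIFY from the slide (SERVER is cut off on the slide
# and kept exactly as shown there).
SAMPLE_NOTIFY = "\r\n".join([
    "NOTIFY * HTTP/1.1",
    "HOST: 239.255.255.250:1900",
    "CACHE-CONTROL: max-age=1800",
    "LOCATION: http://192.168.0.14:37904/MediaRenderer1.xml",
    "NT: upnp:rootdevice",
    "NTS: ssdp:alive",
    "SERVER: Linux/2.6.28.9 UPnP/1.0 DLNADOC/1.50 INTEL_NMPR/2.0 LGE_",
    "USN: uuid:1b12f5e8-1dd2-11b2-9d7b-de7e1af3b7bb::upnp:rootdevice",
    "", "",
])

# Constructed sample: the standard elements from the slide inside a minimal
# well-formed wrapper (the wrapper itself is an assumption).
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
    <friendlyName>47LW5700-SA</friendlyName>
    <manufacturer>LG Electronics</manufacturer>
    <manufacturerURL>http://www.lge.com</manufacturerURL>
    <modelDescription>UPnP Media Renderer 1.0</modelDescription>
  </device>
</root>"""


def parse_ssdp(raw):
    """Split an SSDP message into its start line and an upper-cased header dict."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0].strip(), headers


def parse_products(server):
    """Turn 'Linux/2.6.28.9 UPnP/1.0 ...' into {'Linux': '2.6.28.9', ...}."""
    products = {}
    for token in server.split():
        name, _, version = token.partition("/")
        products[name] = version or None
    return products


def parse_description(xml_text):
    """Extract identifying fields; refuse DTDs since the input is untrusted."""
    if "<!doctype" in xml_text.lower():
        raise ValueError("DTD not accepted in a device description")
    fields = {}
    for element in ET.fromstring(xml_text).iter():
        tag = element.tag.rsplit("}", 1)[-1]  # drop the namespace
        if tag in WANTED and element.text:
            fields.setdefault(tag, element.text.strip())
    return fields


def build_record(notify_raw, description_xml):
    """Combine both sources into one inventory record with disclosure findings."""
    start, headers = parse_ssdp(notify_raw)
    if not start.upper().startswith("NOTIFY "):
        raise ValueError("not an SSDP NOTIFY message")
    location = urlparse(headers.get("LOCATION", ""))
    products = parse_products(headers.get("SERVER", ""))
    desc = parse_description(description_xml)
    uuid = headers.get("USN", "").split("::", 1)[0]
    uuid = uuid[5:] if uuid.startswith("uuid:") else uuid
    name = desc.get("friendlyName", "")
    model = next((m for m in KNOWN_MODELS if m in name), None)

    findings = []
    if products.get("Linux"):
        findings.append("kernel version disclosed in SERVER: " + products["Linux"])
    if model:
        findings.append("friendlyName discloses model: " + model)
    if location.scheme == "http":
        findings.append("description served over cleartext HTTP, port %s" % location.port)
    return {
        "address": location.hostname, "port": location.port, "uuid": uuid,
        "products": products, "friendly_name": name, "model": model,
        "manufacturer": desc.get("manufacturer"), "findings": findings,
    }


if __name__ == "__main__":
    record = build_record(SAMPLE_NOTIFY, SAMPLE_DESCRIPTION)
    for key, value in record.items():
        print(key, "=", value)
```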




Attack Vectors
• Network
  – IP Remote Control
     • Implemented by most major manufacturers
         –   Samsung
         –   LG
         –   Sony
         –   Panasonic
     • Non-interoperable between brands (as expected)
     • Multiple implementations between device generations
         – Unmaintained old versions unlikely to be patched
     • Fragmentation makes ubiquitous exploits difficult



Attack Vectors
 Request:

 POST /hdcp/api/auth HTTP/1.1
 Content-Type: application/atom+xml
 Content-Length: 74
 Host: 192.168.0.116:8080
 Connection: Keep-Alive

 <?xml version="1.0" encoding="utf-8"?>
 <auth><type>AuthKeyReq</type></auth>

 Response:

 HTTP/1.1 200 OK
 Date: Fri Dec 30 13:44:44 2011 GMT
 Server: LG HDCP Server
 Pragma: no-cache
 Cache-Control: no-store, no-cache, must-reva
 Connection: close
 Content-Length: 122
 Content-Type: application/atom+xml; charset=

 <?xml version="1.0" encoding="utf-8"?>
 <envelope>
 <HDCPError>200</HDCPError>
 <HDCPErrorDetail>OK</HDCPErrorDetail>
 </envelope>

• No SSL
• Session is persistent (pairing)
• No device authentication aside from session
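
Because the pairing exchange above travels in cleartext, a network monitor can see every pairing request and who sent it. The following is an added example (not from the original slides) that flags pairing requests from hosts outside an approved list; the allowlist, the source addresses and the function names are hypothetical, and the capture is constructed from the request shown on the slide.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from email.parser import Parser

PAIRING_PATH = "/hdcp/api/auth"            # path shown on the slide
APPROVED_CONTROLLERS = {"192.168.0.20"}    # hypothetical allowlist of remote-control hosts


def sample_request(auth_type):
    """Rebuild the slide's request so the constructed capture matches its shape."""
    body = '<?xml version="1.0" encoding="utf-8"?><auth><type>%s</type></auth>' % auth_type
    return ("POST /hdcp/api/auth HTTP/1.1\r\n"
            "Content-Type: application/atom+xml\r\n"
            "Content-Length: %d\r\n"
            "Host: 192.168.0.116:8080\r\n"
            "Connection: Keep-Alive\r\n\r\n%s" % (len(body), body))


# Constructed capture: (source address, cleartext request as seen on the wire).
SAMPLE_CAPTURE = [
    ("192.168.0.20", sample_request("AuthKeyReq")),
    ("192.168.0.77", sample_request("AuthKeyReq")),
    ("192.168.0.77", sample_request("AuthKeyReq")),
    ("192.168.0.77", "GET /index.html HTTP/1.1\r\nHost: 192.168.0.116:8080\r\n\r\n"),
]


def parse_request(raw):
    """Return (method, target, headers, body) for one raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = Parser().parsestr(header_block.replace("\r\n", "\n"), headersonly=True)
    return parts[0], parts[1], headers, body


def auth_type_of(body):
    """Return the <type> of an <auth> document, or None if the body is not one."""
    if "<!doctype" in body.lower():        # untrusted input: no DTDs
        return None
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None
    if root.tag != "auth":
        return None
    return (root.findtext("type") or "").strip() or None


def pairing_alerts(capture, approved=APPROVED_CONTROLLERS):
    """Count pairing requests per (source, TV, type) and report unapproved sources."""
    attempts = Counter()
    for source, raw in capture:
        try:
            method, target, headers, body = parse_request(raw)
        except ValueError:
            continue
        if method != "POST" or target.split("?", 1)[0] != PAIRING_PATH:
            continue
        kind = auth_type_of(body)
        if kind is not None:
            attempts[(source, headers.get("Host", ""), kind)] += 1
    return [
        {"source": source, "tv": tv, "type": kind, "count": count}
        for (source, tv, kind), count in sorted(attempts.items())
        if source not in approved
    ]


if __name__ == "__main__":
    for alert in pairing_alerts(SAMPLE_CAPTURE):
        print("unapproved pairing request:", alert)
```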




Attack Vectors
• Network
  – IP Remote Control
     • lgcommander.py
        – https://github.com/ubaransel/lgcommander
        – Grants access to service menus through IP remote control
          interface
        – Can be used to enable serial console (Busybox) in certain models
        – Contains mapping of all remote control keycodes
     • Automated remote control through network, including
       interaction with applications
        – Many applications contain paid content
        – Automate purchase of fraudulent/useless paid applications in
          market

Attack Vectors
• Network
  – Firmware upgrades
     • Requires MITM and spoofing all checked attributes of the
       firmware images
     • Images are encrypted, but keys have been leaked for some
       manufacturers
     • Recent models also digitally sign firmware images
     • Most TVs allow upgrades through USB mass storage devices,
       which does not require network setup




Attack Vectors
• Physical Access
  – USB
     • All recent TV sets include at least a USB port, many include
       more
     • USB ports are used for
          – Mass storage access (for media files and firmware upgrades)
          – Network devices (wireless dongles)
          – Input devices (uncommon, keyboard/mouse)
     • Vulnerabilities in USB device drivers could be exploited by
       specially crafted USB hardware
          – caiaq USB audio interface device long name
            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0712


Attack Vectors




         Teensy++ 2.0: http://www.pjrc.com/teensy/


Attack Vectors




   Facedancer: http://goodfet.sourceforge.net/hardware/facedancer10/


Attack Vectors
• Physical Access
  – HDMI
     • Display Data Channel (DDC), I2C based communication
       between devices for “plug and play” operation
        – Used by High-bandwidth Digital Content Protection (HDCP) and Extended
          Display Identification Data (EDID)
     • Consumer Electronics Control (CEC)
        – Used to control multiple devices using a single remote control
        – Trademarked names used by manufacturers
            • Anynet (Samsung)
            • Simplink (LG)
            • Bravia SYNC (Sony)



Attack Vectors
• Physical Access
  – HDMI
     • HDMI Ethernet Channel (HDMI 1.4)
     • Audio Return Channel (HDMI 1.4)
  – HDMI is not a one-way high bandwidth bus only
     • Spanning/routing support
     • Bidirectional communication
     • Hot plug support




Attack Vectors
• Application
  – Browser
  – Browser Plugins
  – Market




Attack Vectors
• Application
  – Browser




Attack Vectors
• Application
  – Browser Plugins




Attack Vectors
• Physical Access
  – RS-232C




Fuzzing
• Emulator
  – Netcast 2.0 (2011)
     • Flash Player 9 or lower (Netcast 2011 does not support Flash
       Player 10).
  – Netcast 3.0 (2012)




Fuzzing - Emulator
• Netcast 2.0




Fuzzing - Emulator
• Netcast 3.0




Future Work
• Focus on different manufacturers
  – A lot of common ground in major features and , but
    many subtle differences in implementations
• SmartBUZZWORD Fuzzer Framework
• Firmware Rootkit
• 0days




Conclusions
• Lots of scary disclaimers and warnings in many
  references
  – Many tests could have gone further, but TV sets are
    expensive
• Boss, we need budget to go further in our tests
  –   TV set(s) we can poke around without fear
  –   USB fuzzing hardware
  –   HDMI test hardware
  –   Advanced tests


Questions?




Trustwave SpiderLabs
SpiderLabs is an elite team of ethical hackers at
Trustwave advancing the security capabilities of
leading businesses and organizations throughout
the world.

More Information:
Web: https://www.trustwave.com/spiderlabs
Blog: http://blog.spiderlabs.com
Twitter: @SpiderLabs

IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveIES VE
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024Brian Pichman
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 

Último (20)

Graphene Quantum Dots-Based Composites for Biomedical Applications
Graphene Quantum Dots-Based Composites for  Biomedical ApplicationsGraphene Quantum Dots-Based Composites for  Biomedical Applications
Graphene Quantum Dots-Based Composites for Biomedical Applications
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
From the origin to the future of Open Source model and business
From the origin to the future of  Open Source model and businessFrom the origin to the future of  Open Source model and business
From the origin to the future of Open Source model and business
 
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptxGraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
GraphSummit Copenhagen 2024 - Neo4j Vision and Roadmap.pptx
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024CyberSecurity - Computers In Libraries 2024
CyberSecurity - Computers In Libraries 2024
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 

SmartTV Security

  • 1. SmartTV Security - For Fun and Non- Profit Presented by: Joaquim Espinhara/Ulisses Albuquerque jespinhara@trustwave.com/ualbuquerque@trustwave.com © 2012
  • 2. Who is SpiderLabs? SpiderLabs is the elite security team at Trustwave, offering clients the most advanced information security expertise and intelligence available today. The SpiderLabs team has performed more than 1,500 computer incident response and forensic investigations globally, as well as over 15,000 penetration and application security tests for Trustwave’s clients. The global team actively provides threat intelligence to both Trustwave and growing numbers of organizations from Fortune 50 to enterprises and start-ups. Companies and organizations in more than 50 countries rely on the SpiderLabs team’s technical expertise to identify and anticipate cyber security attacks before they happen. Featured Speakers at: Featured Media: © 2012
  • 3. SpiderLabs – International Footprint © 2012
  • 4. Agenda • Disclaimers • Motivation • Concepts • Why “Smart”? • Attack Vectors • Tools • Future Work • Conclusion © 2012
  • 5. $ finger @jespinhara • Network Security consultant for Trustwave Spiderlabs © 2012
  • 6. $ finger @urma • App Security consultant for Trustwave SpiderLabs – Managed security services (full stack) – Trusted [Virtual] Computing – Linux device drivers – Scripting/dynamic language love all around – C whenever static typing is needed • OO is fun, Java/C++ are not • Breaking stuff is fun, building stuff is funnier, building stuff to break stuff is awesome © 2012
  • 7. Disclaimers • This talk focuses on a small subset of Smart TV manufacturers – TV sets are expensive, more intrusive tests void warranties and might brick the devices – We used our personal TVs during the tests – Manufacturers were not chosen, just what we already had at hand © 2012
  • 8. Motivation • Most devices now provide hardware that is good enough even for high-end consumers – Hardware alone is no longer enough to drive new purchases – Software adds possibility of further sales through application stores – Devices have turned into full-fledged software platforms • TVs are ubiquitous – Full-blown OS in networked devices everywhere © 2012
  • 9. Motivation • Current research is focused on specific devices/platforms/techniques – Google TV (Dwenger & Rosenberg, DEFCON20) – Smart TV Fuzzing (Kuipers, Starck & Heikkinen, whitepaper) – HDMI Fuzzing (Andy Davis, Blackhat12) – SamyGO Project (alternative firmware for Samsung TVs) – OpenLG TV Project (alternative firmware for LG TVs) © 2012
  • 10. Motivation • Hacks are still device/platform specific – Enough common ground for a framework though – Smart TVs share many common devices and attack vectors – Network attacks are particularly interesting due to interoperability between manufacturers • UPnP/DLNA is present in >90% of all TVs © 2012
  • 11. Motivation © 2012
  • 12. Why “Smart”? • Analog TV signal, digital logic only applies to audio/video post-processing • Digital TV signal, audio/video combined with interactive content and control data, more robust microcontrollers/components required © 2012
  • 13. Why “Smart”? • Manufacturers had to upgrade the components in their devices to handle digital TV – Interactivity (Ginga, HbbTV, Tru2way) – Bandwidth (1080i versus 480p video, 5.1 versus 2.0 audio) • Beefier components allow for full-fledged software stacks © 2012
  • 14. Why “Smart”? Samsung Smart Hub LG Dashboard Images are © 2012
  • 15. Why “Smart”? © 2012
  • 16. Why “Smart”? Samsung & LG have over 40% of the market http://www.reghardware.com/2012/06/20/lcd_tv_shipments_slip_for_first_time_ever/ © 2012
  • 17. Why “Smart”? • Models – LG 47LW5700 – LG 32LV3700 – Samsung UN32C5000 © 2012
  • 18. Attack Vectors Physical Network Application Digital TV Access © 2012
  • 19. Attack Vectors • Network – UPnP/DLNA • Enabled by default • Not possible to disable on most TV sets • Device enumeration/fingerprinting • Media playback abuse • Information leaks • Focus on device interoperability and home use scenarios © 2012
  • 20. Attack Vectors
      NOTIFY * HTTP/1.1
      HOST: 239.255.255.250:1900
      CACHE-CONTROL: max-age=1800
      LOCATION: http://192.168.0.14:37904/MediaRenderer1.xml
      NT: upnp:rootdevice
      NTS: ssdp:alive
      SERVER: Linux/2.6.28.9 UPnP/1.0 DLNADOC/1.50 INTEL_NMPR/2.0 LGE_
      USN: uuid:1b12f5e8-1dd2-11b2-9d7b-de7e1af3b7bb::upnp:rootdevice
      © 2012
  • 21. Attack Vectors
      <pnpx:X_compatibleId>MS_DigitalMediaDeviceClass_DMR_V001</pnpx:X
      <pnpx:X_deviceCategory>MediaDevices</pnpx:X_deviceCategory>
      <df:X_deviceCategory> Multimedia.DMR</df:X_deviceCategory>
      <df:X_modelId>LG Digital Media Renderer TV</df:X_modelId>
      <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
      <friendlyName>47LW5700-SA</friendlyName>
      <manufacturer>LG Electronics</manufacturer>
      <manufacturerURL>http://www.lge.com</manufacturerURL>
      <modelDescription>UPnP Media Renderer 1.0</modelDescription>
      © 2012
  • 22. Attack Vectors • Network – IP Remote Control • Implemented by most major manufacturers – Samsung – LG – Sony – Panasonic • Non-interoperable between brands (as expected) • Multiple implementations between device generations – Unmaintained old versions unlikely to be patched • Fragmentation makes ubiquitous exploits difficult © 2012
  • 23. Attack Vectors © 2012
  • 24. Attack Vectors © 2012
  • 25. Attack Vectors
      Request:
        POST /hdcp/api/auth HTTP/1.1
        Content-Type: application/atom+xml
        Content-Length: 74
        Host: 192.168.0.116:8080
        Connection: Keep-Alive
        <?xml version="1.0" encoding="utf-8"?>
        <auth><type>AuthKeyReq</type></auth>
      Response:
        HTTP/1.1 200 OK
        Date: Fri Dec 30 13:44:44 2011 GMT
        Server: LG HDCP Server
        Pragma: no-cache
        Cache-Control: no-store, no-cache, must-reva
        Connection: close
        Content-Length: 122
        Content-Type: application/atom+xml; charset=
        <?xml version="1.0" encoding="utf-8"?>
        <envelope>
        <HDCPError>200</HDCPError>
        <HDCPErrorDetail>OK</HDCPErrorDetail>
        </envelope>
      • No SSL • Session is persistent (pairing) • No device authentication aside from session © 2012
  • 26. Attack Vectors © 2012
  • 27. Attack Vectors © 2012
  • 28. Attack Vectors © 2012
  • 29. Attack Vectors • Network – IP Remote Control • lgcommander.py – https://github.com/ubaransel/lgcommander – Grants access to service menus through IP remote control interface – Can be used to enable serial console (Busybox) in certain models – Contains mapping of all remote control keycodes • Automated remote control through network, including interaction with applications – Many applications contain paid content – Automate purchase of fraudulent/useless paid applications in market © 2012
  • 30. Attack Vectors • Network – Firmware upgrades • Requires MITM and spoofing all checked attributes of the firmware images • Images are encrypted, but keys have been leaked for some manufacturers • Recent models also digitally sign firmware images • Most TVs allow upgrades through USB mass storage devices, which does not require network setup © 2012
  • 31. Attack Vectors • Physical Access – USB • All recent TV sets include at least a USB port, many include more • USB ports are used for – Mass storage access (for media files and firmware upgrades) – Network devices (wireless dongles) – Input devices (uncommon, keyboard/mouse) • Vulnerabilities in USB device drivers could be exploited by specially crafted USB hardware – caiaq USB audio interface device long name http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0712 © 2012
  • 32. Attack Vectors Teensy++ 2.0: http://www.pjrc.com/teensy/ © 2012
  • 33. Attack Vectors Facedancer: http://goodfet.sourceforge.net/hardware/facedancer10/ © 2012
  • 34. Attack Vectors • Physical Access – HDMI • Display Data Channel (DDC), I2C based communication between devices for “plug and play” operation – Used by High-bandwidth Digital Content Protection (HDCP) and Extended Display Identification Data (EDID) • Consumer Electronics Control (CEC) – Used to control multiple devices using a single remote control – Trademarked names used by manufacturers • Anynet (Samsung) • Simplink (LG) • Bravia SYNC (Sony) © 2012
  • 35. Attack Vectors • Physical Access – HDMI • HDMI Ethernet Channel (HDMI 1.4) • Audio Return Channel (HDMI 1.4) – HDMI is not a one-way high bandwidth bus only • Spanning/routing support • Bidirectional communication • Hot plug support © 2012
  • 36. Attack Vectors © 2012
  • 37. Attack Vectors • Application – Browser – Browser Plugins – Market © 2012
  • 38. Attack Vectors • Application – Browser © 2012
  • 39. Attack Vectors • Application – Browser Plugins © 2012
  • 40. Attack Vectors • Application – Browser Plugins © 2012
  • 41. Attack Vectors • Physical Access – RS-232C © 2012
  • 42. Fuzzing • Emulator – Netcast 2.0 (2011) • Flash Player 9 or lower (Netcast 2011 does not support Flash Player 10). – Netcast 3.0 (2012) © 2012
  • 43. Fuzzing - Emulator • Netcast 2.0 © 2012
  • 44. Fuzzing - Emulator • Netcast 3.0 © 2012
  • 45. Future Work • Focus on different manufacturers – A lot of common ground in major features and , but many subtle differences in implementations • SmartBUZZWORD Fuzzer Framework • Firmware Rootkit • 0days © 2012
  • 46. Conclusions • Lots of scary disclaimers and warnings in many references – Many tests could have gone further, but TV sets are expensive • Boss, we need budget to go further in our tests – TV set(s) we can poke around without fear – USB fuzzing hardware – HDMI test hardware – Advanced tests © 2012
  • 47. Questions? © 2012
  • 48. Trustwave SpiderLabs SpiderLabs is an elite team of ethical hackers at Trustwave advancing the security capabilities of leading businesses and organizations throughout the world. More Information: Web: https://www.trustwave.com/spiderlabs Blog: http://blog.spiderlabs.com Twitter: @SpiderLabs © 2012
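
Slides 19 to 21 list device enumeration/fingerprinting and information leaks under UPnP/DLNA. The added example below (not from the slides or from Trustwave) parses the slide 20 advertisement and the slide 21 description fields into an inventory record of what the TV discloses to any host on the segment; the XML wrapper, function names and report keys are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Advertisement from slide 20 (SERVER is cut off after "LGE_" on the slide).
SSDP_NOTIFY = "\r\n".join([
    "NOTIFY * HTTP/1.1",
    "HOST: 239.255.255.250:1900",
    "CACHE-CONTROL: max-age=1800",
    "LOCATION: http://192.168.0.14:37904/MediaRenderer1.xml",
    "NT: upnp:rootdevice",
    "NTS: ssdp:alive",
    "SERVER: Linux/2.6.28.9 UPnP/1.0 DLNADOC/1.50 INTEL_NMPR/2.0 LGE_",
    "USN: uuid:1b12f5e8-1dd2-11b2-9d7b-de7e1af3b7bb::upnp:rootdevice",
    "", "",
])

# Constructed, well-formed wrapper around element values shown on slide 21.
DEVICE_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
  <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
  <friendlyName>47LW5700-SA</friendlyName>
  <manufacturer>LG Electronics</manufacturer>
  <modelDescription>UPnP Media Renderer 1.0</modelDescription>
</device></root>"""

NS = {"d": "urn:schemas-upnp-org:device-1-0"}
FIELDS = ("deviceType", "friendlyName", "manufacturer", "modelDescription")


def parse_ssdp(message):
    """Return (start_line, headers); SSDP header names are case-insensitive."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def parse_description(xml_text):
    """Extract identifying fields from a UPnP device description."""
    # The document comes from an untrusted LAN peer: refuse DTDs/entities
    # before handing it to the parser (entity-expansion protection).
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in device description")
    device = ET.fromstring(xml_text).find("d:device", NS)
    if device is None:
        raise ValueError("no <device> element")
    return {f: device.findtext("d:" + f, "", NS) for f in FIELDS}


def exposure_report(notify, xml_text):
    """Summarise what one advertisement discloses to any host on the segment."""
    start, hdr = parse_ssdp(notify)
    if not start.startswith("NOTIFY ") or hdr.get("NTS") != "ssdp:alive":
        raise ValueError("not an ssdp:alive NOTIFY")
    products = dict(t.split("/", 1) for t in hdr.get("SERVER", "").split() if "/" in t)
    loc = urlsplit(hdr.get("LOCATION", ""))
    desc = parse_description(xml_text)
    report = {
        "uuid": hdr.get("USN", "").split("::")[0].replace("uuid:", "", 1),
        "endpoint": (loc.scheme, loc.hostname, loc.port),
        "kernel": products.get("Linux", ""),
        "model": desc["friendlyName"],
        "manufacturer": desc["manufacturer"],
    }
    # Review leads for an inventory, not vulnerability findings.
    report["disclosed"] = sorted(k for k in ("kernel", "model", "manufacturer") if report[k])
    report["cleartext_description"] = loc.scheme == "http"
    return report
```

Calling `exposure_report(SSDP_NOTIFY, DEVICE_XML)` returns the record for the LG 47LW5700 shown on the slides, including the kernel version taken from the SERVER header.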

Editor's Notes

  1. ----- Meeting Notes (11/8/12 10:58) ----- Talk a bit about the spiders.
  2. Raw data: Cornelio Procopio, Parana, Brazil; Recife, Pernambuco, Brazil; Ribeirao Preto, Sao Paulo, Brazil; Mexico City, Mexico; Melbourne, Australia; Hong Kong; Bangalore, India; Tucson, AZ; Grand Rapids, MI; Los Angeles, CA; San Francisco, CA; Portland, OR; Raleigh, NC; Colorado Springs, CO; Denver, CO; Milwaukee, WI; Austin, Texas; Boston, Massachusetts; Denver, Colorado; Indianapolis, Indiana; New York City, New York; Ottawa, Canada; Milwaukee; Cincinnati; Cleveland; Washington DC; Sao Paulo, Brazil; London, UK; Manchester, UK; Luton, UK; Malaga, Spain; Chicago, IL; Helena, MT; Tulsa, OK
  3. ----- Meeting Notes (11/8/12 10:58) ----- Brands used: LG and SAMSUNG
  4. ----- Meeting Notes (11/8/12 10:58) ----- Example: Sony video talking about how easy it is. It doesn't have to be hard.
  5. ----- Meeting Notes (11/8/12 10:58) ----- Add the TV's hardware specifications.
  6. ----- Meeting Notes (11/8/12 10:58) ----- plexapp.com. LG exclusive.
  7. Multiple buffer overflows in the caiaq Native Instruments USB audio functionality in the Linux kernel before 2.6.38-rc4-next-20110215 might allow attackers to cause a denial of service or possibly have unspecified other impact via a long USB device name, related to (1) the snd_usb_caiaq_audio_init function in sound/usb/caiaq/audio.c and (2) the snd_usb_caiaq_midi_init function in sound/usb/caiaq/midi.c.
  8. US$24, Teensy 3.0 US$19, self-contained USB device emulation
  9. USB host emulation using Python code
  10. Add a photo of the TV's HDMI input. Comment on: HEC – HDMI Ethernet Channel; HDCP – High-bandwidth Digital Content Protection; CEC – Consumer Electronics Control
  11. Add a photo of the application dashboard. Talk about the available browsers. Add the video of the fuzzing crashing the TV. Add an image of the Flash update.
  12. Old ref fuzzer. The problem is debugging the crash, since some TVs do not readily offer a debug mode.
  13. Add a photo of the application dashboard. Talk about the available browsers. Add the video of the fuzzing crashing the TV. Add an image of the Flash update.
  14. Add a photo of the application dashboard. Talk about the available browsers. Add the video of the fuzzing crashing the TV. Add an image of the Flash update.
  15. Talk a bit about fuzzing. Fuzzing in the simulator obviously has its particularities, since many features are not available.
  16. Talk a bit about fuzzing. Fuzzing in the simulator obviously has its particularities, since many features are not available.
  17. Virtual Box