Remotely Get Root On Most Smart TVs With Radio Signals

[Rafael Scheel], a security consultant, has found that hacking smart TVs takes little more than an inexpensive DVB-T transmitter in range of the target TV and some malicious signals. The hack works by exploiting Hybrid Broadcast Broadband TV (HbbTV) signals and widely known bugs in the web browsers commonly run on smart TVs, browsers which seem to run in the background almost all the time.

Scheel was commissioned by the cyber security company Oneconsult to create the exploit, which, once deployed, gave full root privileges, enabling the attacker to set up SSH access to the TV and take complete control of the device from anywhere in the world. Once the TV is exploited, the rogue code even survives device reboots and factory resets.

Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways. Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV’s camera and microphone. – Rafael Scheel

Smart TVs seem to be suffering from IoT security problems. Turning your TV into an all-seeing, all-hearing surveillance device reporting back to its master is straight out of 1984.

A video of a talk about the exploit along with all the details is embedded below.

79 thoughts on “Remotely Get Root On Most Smart TVs With Radio Signals”

  1. Well at least you can do something with them when they’re a couple of years old and YouTube and Netflix change their API and you can’t update the onboard apps.

      1. That’s being generous. For the last three flat panel screens I bought, none made it past 6 months without repairs. At two years, they’re just crippled messes. Of the last SEVEN I bought, only two (both smaller than 30″) hit two years problem and repair free.

        The failure rates on sets in the 40″+ range in my experience are 100% within six months.

        I paid around $200 from the WalMart Circle Jerk to roughly $4k from less trashy places. I could shell out even more but for what? A nice road side display six months later.

        Good job assholes. We went from energy sucking CRTs lasting twenty years or more to energy sipping landfill fodder that won’t even survive until the next Black Friday.

          1. I take it as the point that a person who might have spent X amount on a relatively small CRT in 2000, may have replaced it recently with a much larger set up for same inflation adjusted X amount, and be sucking same or more watts…. Ergo, yes it’s theoretically more efficient than before, but if people buy much MORE of it instead then we’re not getting anywhere.

          2. @Nicholas

            Yes, 27″ 4:3 CRT and 42″ widescreen are similarly sized TV sets, and yes you could attach an amp to a CRT, but the internal speakers were sufficient.

          1. Maybe he’s playing Duck Hunt with a real shotgun. I just revived my LCD TV the other day using a heat gun to reflow the chips on the mainboard.

    1. People keep saying this. But seriously who the fuck cares.

      The built in apps for these devices *suck*, most of us own devices which perform better (chromecast, ps4, xbone).

  2. The question is, if you can root a smart TV does that put you in a position to fix its security holes, or does it need a lobotomy and a second media server running Debian then attached to it? What sort of real hack should we be looking at after the TV has been cracked?

    1. This particular exploit utilizes the TV’s OTA tuner, and bugs in the software that is always watching the OTA signals.
      (Why it does this always is bizarre; obviously while watching OTA TV you would need to, but if your input is set to HDMI or something there is no call to be using the tuner hardware still.)

      You would need to either completely disable all the internal software that uses the TV tuner, everything from the video signal to the guide data to closed captioning, etc., OR disable the hardware tuner circuitry such that it is useless and then hope the software doesn’t complain and refuse to work at all when it can’t find one of its “peripherals”.

      I know nothing about antenna design, but should there not be some way to plug a little device in the coax port that purposely causes interference such that you would need to be within an inch of the connector to get any useful signal through?
      Even if so, how much of the other wiring inside the TV will act as an antenna enough to pickup signals?

      Also is the TV a Samsung or LG brand or the like, which have built in cellular modems that phone home for firmware updates? In that case I’d imagine any “fix” you made could easily get wiped out and replaced again the next time it updates itself.

      Personally I’d be a bit leery about using any type of signal jammer device in case it decided to screw with someone else’s stuff and not just my own. Also, with the cell modem bit, I wouldn’t trust any fix I put in place to not get unfixed by their next forced software update.

          1. Damn, here I was all ready to just short the antenna middle pin to the shield…

            Better break out the VNA and make sure my 75 ohm load is perfectly linear.

          2. For the cellular modem you need of course a 50 Ohm load for best match. :-) I am sure it will not receive much if you just short the antenna connector out. Of course this could in theory damage the transmitter, in case you think about re-enabling it any time.

  3. By now, it seems that everybody (except the marketing people) knows that when a device has “smart” and/or “IoT” near its name, then that device is:
    – dumb,
    – full of bloatware and useless “features”,
    – locked to a single provider,
    – backdoored by design,
    – spying on its user,
    – a serious security threat for the local network or even for the whole Internet.

    1. Ironically, my TV (by TCL) is considered a smart TV. But it’s really just a TV with a Roku built in. So, where do you draw the line between a smart TV and a set-top box?

      1. Arcade games have had a standard (JAMMA) connector inside since 1985. Why couldn’t smart TVs have something similar? Just eject the manufacturer-provided shitty “smarts” and put in something more competent…

  4. What we need is a hack that completely disables the “smart” and turns the TV into a monitor (and only a monitor; no camera or mic).

    We live in a stupid world where a “smart” TV costs $500 and the same size monitor costs $3000 even though the monitor contains less stuff.

    1. Well, yeah. Because they can subsidize the sale of the $500 smart TV by monitoring everything you do and selling that information to advertisers and/or locking you into proprietary services with recurring fees.

    2. That’s related to what kind of monitor you buy. A low quality monitor will cost you way less. BUT, the normal monitors you buy are either rated for higher pixel response times (’cuz games), higher color space compatibility, or higher accuracy. These are all features which jack the price up to $3000. If you don’t need them, well, you can easily buy a $400 monitor for about the same price.

  5. At what point do we quit calling this crap “incompetent security design” and start calling it “deliberate vulnerability”?

    As someone else mentioned, why is the tuner even powered up when the unit is in HDMI input mode? All the efforts everybody goes through in the name of “low power” and nobody thought to shut off a part that is not being used 90% of the time????

  6. I want to enable the DVR function that Samsung disables for US and Canadian owners of their smart TVs. Then I could plug in a big USB 3.0 hard drive and record HD OTA broadcast.

      1. Smart TV, Smart Phone. If the product has Smart in the name you can be sure that North America won’t be allowed to have the best version of it. I’ve had phones where the Euro or Asian version had things like composite or S-Video out capability or a radio tuner or USB-OTG but the NorthAm version not only didn’t have the feature, it wasn’t even in the hardware where a software hack could enable it.

        Now we have televisions where the same hardware sold on different sides of the planet has features enabled or disabled for various reasons.

        This was also done with Canon and some other printers where in the EU and Asia they had the ability to print onto printable optical discs – but for NorthAm the feature was disabled and the disc tray slot blocked off. At least for Canon the tray and disc printing slot cover could be ordered and service mode entered to choose a country setting that had disc printing enabled.

        Why can’t we have a multinational agreement that doesn’t allow for this location based feature limiting crap? If a TV has OTA DVR capability in the hardware, dammit it should have to work *everywhere* that hardware is sold.

        1. Patents….. They’re local to the country, unless registered at an international patent office (which still only covers participating countries, hence china-mart-alike countries and their many clone devices that otherwise infringe on patents).
          Two people can patent the same thing on the same day.

    1. No reason to consider them when you can get a set-top box to connect to a projector. As long as the projector has pretty high lumens it can be used just like a TV would. It’s easy to avoid projectors with cameras or microphones since they would very prominently tout this as a feature and it’d be easy to identify those parts with the cover off.

  7. The reason it listens to DVB-T is because originally they designed in a feature where manufacturers could have firmware updates broadcast. I don’t think the feature ever really took off, but they keep including it.

    Wouldn’t surprise me if the real benefit is in setups like hotels or hospitals etc.
