Remotely Get Root On Most Smart TVs With Radio Signals

[Rafael Scheel], a security consultant, has found that hacking smart TVs takes little more than an inexpensive DVB-T transmitter. The transmitter has to be in range of the target TV and send some malicious signals. The hack works by exploiting hybrid broadcast broadband TV signals and widely known bugs in the web browsers commonly run on smart TVs, which seem to run in the background almost all the time.

Scheel was commissioned by cyber security company Oneconsult to create the exploit, which, once deployed, gave full root privileges, enabling the attacker to set up and SSH into the TV, taking complete control of the device from anywhere in the world. Once exploited, the rogue code is even unaffected by device reboots and factory resets.

Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways. Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV’s camera and microphone. – Rafael Scheel

Smart TVs seem to be suffering from IoT security problems. Turning your TV into an all-seeing, all-hearing surveillance device reporting back to its master is straight out of 1984.

A video of a talk about the exploit along with all the details is embedded below.

TV-B-Gone Can Double As A Camera Remote Control

[Christopher] found a way to get a bit more mileage out of his TV-B-Gone kit. The little device is intended to turn off every television in range with the push of a button. But at its core it’s really just a microcontroller connected to some infrared LEDs. Instead of sending codes to shut off televisions, you can rewrite the firmware to send a camera remote shutter release code.

It doesn’t take too much to pull this off. You need a way to flash new firmware to the device, and you need to know the new code timing that you want to send. Since the firmware is open source it’s easy enough to make code changes, and there are several easy methods of flashing AVR devices (like the tiny85 used here), including using an Arduino as an ISP.

But [Christopher] did more than just add the Nikon code for his camera. He realized that there’s a jumper to select between European or American television codes. Since he wasn’t using the foreign option, he replaced that pin header with a switch that selects between normal TV-B-Gone operation and camera shutter release modes. Nice.

This Week In Security: BatBadBut, DLink, And Your TV Too

So first up, we have BatBadBut, a pun based on the vulnerability being “about batch files and bad, but not the worst.” It’s a weird interaction between how Windows uses cmd.exe to execute batch files and how argument splitting and character escaping normally works, along with what is apparently a documentation flaw in the Windows API.

When starting a process, even on Windows, the new executable is handed a set of arguments to parse. In Linux and friends, that is a pre-split list of arguments, the argv array. On Windows, it’s a single string, left up to the program to handle. The convention is to follow the same behavior as Linux, but the cmd.exe binary is a bit different. It uses the caret ^ symbol instead of the backslash \ to escape special symbols, among other differences. The Rust devs took a look and decided that there are some cases where a given string just can’t be made safe for cmd.exe, and opted to just throw an error when a string met these criteria.

And that brings us to the big questions. Whose fault is it, and how bad is it? I think there’s some shared blame here. The Microsoft documentation on CreateProcess() strongly suggests that it won’t execute a batch file without cmd.exe being explicitly called. On the other hand, this is established behavior, and scripting languages on Windows have to play the game by Microsoft’s rules. And the possible problem space is fairly narrow: Calling a batch file with untrusted arguments.

Almost all of the languages with this quirk have either released patches or documentation updates about the issue. There is a notable outlier, as the Java language will not receive a fix, not deeming it a vulnerability. It’s rather ironic, given that Java is probably the most likely language to actually find this problem in the wild.
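To make the "throw an error" approach concrete, here is an added example (not code from the article, from Rust, or from any patched runtime) of a fail-closed wrapper for the narrow case above: calling a batch file with untrusted arguments. The allowlist, the extension check and every name in it are assumptions made for illustration; `subprocess.list2cmdline` is Python's own helper for the conventional backslash-and-quote command-line string.

```python
import string
import subprocess
from pathlib import PureWindowsPath

# Assumption: a deliberately narrow allowlist picked for this example.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " _-.:/\\")
BATCH_SUFFIXES = {".bat", ".cmd"}


class UnsafeBatchArgument(ValueError):
    """Raised instead of guessing at an escaping cmd.exe may not honour."""


def is_batch_target(program):
    # Only explicit .bat/.cmd names are recognised (example assumption).
    return PureWindowsPath(program).suffix.lower() in BATCH_SUFFIXES


def build_command_line(program, args):
    """Return the single command-line string a Windows child would receive."""
    if is_batch_target(program):
        for arg in args:
            rejected = sorted(set(arg) - SAFE_CHARS)
            if rejected:
                raise UnsafeBatchArgument(
                    f"refusing {arg!r} for batch file: {rejected}")
    # list2cmdline follows the backslash-and-quote convention; cmd.exe,
    # which parses the line for batch files, escapes with ^ instead.
    return subprocess.list2cmdline([program, *args])


if __name__ == "__main__":
    # Constructed sample inputs.
    print(build_command_line("tool.exe", ['say "hi"']))
    print(build_command_line("deploy.bat", ["release-1.2", "C:\\out dir"]))
    try:
        build_command_line("Deploy.CMD", ['say "hi"'])
    except UnsafeBatchArgument as exc:
        print("rejected:", exc)
```

The same quoted argument that is escaped with backslashes for an ordinary executable is refused outright when the target is a batch file, rather than being passed to cmd.exe in an escaping it does not use.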

Recreating The Golden Era Of Cable TV

Fewer and fewer people have cable TV subscriptions these days, due to a combination of poor business practices by cable companies and the availability of alternatives to cable such as various streaming platforms. But before the rise of the Internet that enabled these alternatives, there was a short period of time where there were higher-quality channels, not too many commercials, a possibly rose-tinted sense of wonder, and where MTV actually played music. [Irish Craic Party] created this vintage cable TV network to capture this era of television history.

The hardware for this build is a Raspberry Pi driving an LCD display recovered from an old iPad. There’s a custom TV tuner which handles changing the channels and interfaces with an Apple Remote. Audio is sent through old computer speakers, and the case is built from 3D printed parts and some leftover walnut plywood to give it an era-appropriate 80s or early 90s feel. We’ve seen other builds like this before, but where this one really sets itself apart is in the software that handles the (television) programming.

[Irish Craic Party] has gone to great lengths here to recreate the feel of cable TV from decades ago. It has recreations of real channels like HBO, Nickelodeon, and FX including station-appropriate bumpers and commercials. It’s also synchronized to the clock so shows start on the half- or quarter-hour. Cartoons play on Saturday morning, and Nickelodeon switches to Nick-at-Nite in the evenings. There are even channels that switch to playing Christmas movies at the appropriate times, complete with Christmas-themed commercials.

The build even hosts a preview channel, one of the more challenging parts of the build. It continually scrolls through the channels and shows what’s currently playing and what will be showing shortly, complete with a commercial block at the top. For those who were around in the 90s it’s almost a perfect recreation of the experience of watching TV back then. It can even switch to a video game input when tuned to channel 3. There’s almost too much to go into in a short write-up so be sure to check the video after the break.

Thanks to [PCrozier] for the tip!



The Remoteduino Nano Is A Tiny IR Remote That’s Truly Universal

Universal remotes are extremely convenient if they work correctly. But setting them up can be quite a hassle: often, you need to browse through long lists of TV models, key in the codes on the remote with just a blinking LED as confirmation, and then pray that the manufacturer included the correct codes for all your equipment. IR isn’t a very complicated technology, however, so it’s perfectly possible to roll your own universal remote, as [sjm4306] shows in his latest project, the Remoteduino Nano. It’s a fully programmable IR remote that gives you maximum flexibility when emulating the codes for those obscure A/V systems scattered around your home.

The remote runs on an ATmega328p in a tiny QFN package, which drives a standard 5 mm IR LED through a transistor. Eight buttons are available to the user, which can be freely mapped to any desired code. A five-pin header is included to program the ATmega through its serial port. However, this was mainly done to help debug – a user who only needs to program the device once would typically use a pogo-pin-based adapter instead.

Currently, codes can only be programmed through the serial port, but there’s also an IR receiver present that can be used to copy codes from an existing remote. [sjm4306] hasn’t implemented this feature in software yet, but will probably do so in a future update of the project’s Arduino sketch. If you’re impatient, you can also have a go at it yourself since all code and the board’s Gerber files are freely available for download.

Its tiny size makes the Remoteduino Nano a convenient tool to keep in your drawer if you like to tinker with A/V systems and keep losing those remotes. The Nano is actually an improved version of the original Remoteduino project that [sjm4306] developed a couple of years ago. The problem of a truly universal remote is one that dates back several decades, however.


The CCTV Cameras That Recorded The Chernobyl Disaster And Aftermath

The Soviet KTP-63-based remote-controlled camera system, including switch and control panel. (Credit: Chernobyl Family on YouTube)

When we picture the Chernobyl Nuclear Power Plant disaster and its aftermath, we tend to recall just the commonly shared video recorded by television crews, but the unsung heroes were definitely the robotic cameras that served to keep an eye on not only the stricken reactor itself but also the sites holding contaminated equipment and debris. These camera systems are the subject of a recent video by the [Chernobyl Family] channel on YouTube, as they tear down, as well as plug in, these pinnacles of 1980s vidicon-based Soviet engineering.

When the accident occurred at the #4 reactor at the Chernobyl Nuclear Power Plant (ChNPP) in 1986, engineers not only scrambled to find ways to deal with the immediate aftermath but also to monitor and enter radioactive areas without exposing squishy human tissues. This is where the KTP-63 and KTP-64 cameras come into play. One is reminiscent of your typical security camera, while the other is a special model that uses a mirror instead of directly exposing the lens and tube to radiation. As a result, the latter type was quite hardy. Using a central control panel, multiple cameras could be controlled.

When mounted to remotely controlled robots, these cameras were connected to an umbilical cord that gave operators eyes on the site without risking any lives, making these cameras both literally life-savers and providing a solid template for remote-controlled vehicles in future disaster zones.

Editor’s note: Historically, the site was called Чернобыль, which is romanized to Chernobyl, but as a part of Ukraine, it is now Чорнобиль or Chornobyl. Because the disaster and the power plant occurred in 1986, we’ve used the original name Chernobyl here, as does the YouTube channel.


This Standalone Camera Gets The Picture Through With SSTV

These days, sending a picture to someone else is as simple as pulling out your smartphone and sending it by email or text message. It’s so simple a child can do it, but that simple user experience masks a huge amount of complexity, from the compression algorithms in the phones to the huge amount of distributed infrastructure needed to connect them together. As wonderful and enabling as all that infrastructure can be, sometimes it’s just too much for the job.

That seems to have been the case for [Dzl TheEvilGenius], who just wanted to send a low-resolution image from a remote location. It turns out that hams solved that problem about 70 years ago with slow-scan television, or SSTV. While most of the world was settling down in front of “I Love Lucy” on the regular tube, amateur radio operators were figuring out how to use their equipment to send pictures around the world. But where hams of yore had to throw a considerable amount of gear at the problem, [Dzl] just used an ESP-32 with a camera and some custom code to process the image. The output from one of the MCU’s GPIO pins is a PWM audio signal which can be fed directly into the microphone input of a cheap portable transceiver.

To decode the signal, [Dzl] used one of the many SSTV programs available. There’s no mention of the receiver, although it could be pretty much anything from another Baofeng to an SDR dongle. The code is available in the article, as is an audio file of an encoded image, if you just want to play around with the receiving and decoding side of the equation.

We could see something like this working for a remote security camera, or even for scouting hunting spots. If you want to replicate this, remember that you’ll need a license if you want to transmit on the ham bands — relax, it’s easy.