Sony Remote Denial-of-Service Triggered Over HbbTV Vulnerability

02 July 2019

CVE

CVE-2019-11889

CVSS SCORE

7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

XID

XL-19-014

AFFECTED VENDORS

Sony

CREDIT

xen1thLabs - Telecom Labs

VULNERABILITY SUMMARY

xen1thLabs has found a vulnerability in Sony products and coordinated its disclosure with Sony. The vulnerability was found in the Sony Bravia Smart TV by xen1thLabs while auditing the security of Smart TVs.

This vulnerability allows an attacker to remotely crash the HbbTV rendering engine and block the TV. The reference of the vulnerability is: CVE-2019-11889.

The list of affected models has not been shared by Sony.

Sony shared the following analysis: “MITM attack by http connection is caused by the specification of the HbbTV service”.

TECHNICAL DETAILS

By sending a specifically crafted webpage over HbbTV (please see the presentation at HiTB Dubai 2018 - https://conference.hitb.org/hitbsecconf2018dxb/sessions/hacking-into-broadband-and-broadcast-tv-systems/), it is possible to freeze the television remotely.

The remote control does not respond, except for the PROG+ and PROG- buttons. Only changing channels allows the television to be 'un-frozen'. Android is supposed to kill blocked applications.

In order to reproduce the behavior, start by generating a webpage (a 2 GiB file of zero bytes) using:

dd if=/dev/zero of=index.html bs=1M count=2048

Using a software-defined radio, send a DVB-T signal containing an HbbTV application that forces the targeted Smart TV to load a file from a server under the tester's control.

When the Smart TV is made to load the generated file, the server logs show that only between 180KB and 250KB are served before the HbbTV application freezes:


vaccess.log:127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:06:40:54 -0400] "GET /hbbtvtest/test3/ HTTP/1.1" 200 178647 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.000000000; 2016;) sony.hbbtv.tv.2016HE"


vaccess.log.1:127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:02:36:16 -0400] "GET /hbbtvtest/test3/ HTTP/1.1" 200 170543 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.000000000; 2016;) sony.hbbtv.tv.2016HE"
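As an added example (not part of the advisory), a small Python parser for access-log entries like the two above: it extracts the HbbTV terminal identity from the User-Agent and flags 2xx responses that stopped short of the full file size, which is how the truncated transfers shown above would be spotted in a server or proxy log. The sample lines are constructed, and the vendor/model/software field order inside the HbbTV token is assumed from the HbbTV specification's user-agent layout.

```python
import re
from typing import Dict, List

# Constructed sample lines, modelled on the Apache combined-format entries quoted in the
# advisory (vhost:port, client, identd, user, timestamp, request, status, bytes, referer,
# user agent). The second line is an ordinary browser, included for contrast.
SAMPLE_LOG = """\
127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:06:40:54 -0400] "GET /hbbtvtest/test3/ HTTP/1.1" 200 178647 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.000000000; 2016;) sony.hbbtv.tv.2016HE"
127.0.1.1:80 192.168.1.50 - - [01/Apr/2019:06:41:10 -0400] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0"
"""

# Size of the index.html produced by the advisory's dd command (2048 blocks of 1 MiB).
EXPECTED_SIZE = 2048 * 1024 * 1024

LOG_RE = re.compile(
    r'^(?:\S+:\d+\s+)?(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# HbbTV/<version> (<capabilities>; <vendor>; <model>; <software>; <hardware>; ...)
# Field order assumed from the HbbTV specification's user-agent format.
HBBTV_RE = re.compile(r'HbbTV/(?P<version>[\d.]+) \((?P<fields>[^)]*)\)')


def parse_hbbtv_requests(log_text: str) -> List[Dict[str, object]]:
    """Return one record per log line issued by an HbbTV terminal; other clients are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        h = HBBTV_RE.search(m.group("ua"))
        if not h:
            continue
        fields = [f.strip() for f in h.group("fields").split(";")]
        fields += [""] * (5 - len(fields))  # tolerate terminals that omit trailing fields
        records.append({
            "client": m.group("client"), "path": m.group("path"),
            "status": int(m.group("status")),
            "size": 0 if m.group("size") == "-" else int(m.group("size")),
            "hbbtv": h.group("version"), "vendor": fields[1],
            "model": fields[2], "software": fields[3],
        })
    return records


def truncated_transfers(records: List[Dict[str, object]], expected_size: int) -> List[Dict[str, object]]:
    """2xx responses whose byte count falls short of the full body: the terminal stopped reading early."""
    return [r for r in records if 200 <= r["status"] < 300 and r["size"] < expected_size]
```

Run over real logs, `truncated_transfers(parse_hbbtv_requests(text), EXPECTED_SIZE)` lists the terminals (vendor, model, software) that aborted the transfer, in this case the Sony KD-65X7500D after 178647 bytes.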

PROOF OF CONCEPT

No PoC is released: exploitation is of low complexity and Sony is not planning to release a security patch.

AFFECTED SYSTEMS

Sony BRAVIA Smart TV

SOLUTION

Sony provided the following recommendation:

"Sony’s manual instructs users to: Make sure to connect to the Internet or home network via a router, which will minimize this risk. In addition, these two symptoms can be recovered by unplugging the power supply cable. The TV cannot be broken and there is no internal data that can be stolen by these actions." (May 30th, 2019).

Sony also informed xen1thLabs that:

“we will not be releasing any notifications.” (June 19th, 2019).

DISCLOSURE TIMELINE

01/04/2019 - Vulnerabilities found by xen1thLabs

28/04/2019 - xen1thLabs sends the report to Sony through their HackerOne bug bounty program

02/05/2019 - Updates requested from xen1thLabs through HackerOne

10/05/2019 - Vulnerabilities confirmed by Sony through HackerOne

14/05/2019 - xen1thLabs requests a CVE from MITRE

30/05/2019 - Sony informs xen1thLabs of the solutions recommended for users through HackerOne

30/05/2019 - xen1thLabs requests confirmation from Sony, through HackerOne, that no security patches will be provided

07/06/2019 - Sony informs xen1thLabs through HackerOne: "Due to the evaluation conducted by our product team we will be closing out this ticket"

26/06/2019 - Public disclosure