Philips SmartTV susceptible to serious hack according ReVuln experts

Researchers at ReVuln firm demonstrated how to exploit the last firmware update for Philips SmartTV to steal user’s cookies and other sensitive data.

The excellent team of researchers at ReVuln firm has published another interesting analysis on the possibility to hack Philips SmartTV to steal user’s cookies.

The news is disconcerting and raise serious concerns for user’s privacy, the team of experts succeeded to steal user’s cookies despite the Philips SmartTV is running the latest firmware version, the attacker just need to be within radio range.

The attack was conducted against Philips SmartTV which implements the Miracast standard, a peer-to-peer wireless screencasting standard formed via Wi-Fi Direct connections, similar to the Bluetooth protocol.

Devices that enable Miracast can exchange audio and video to or from a PC and any kind of mobile devices.

As explained by Luigi Auriemma, a researcher at ReVuln (@revuln), the attack to the Philips SmartTV is possible exploiting a recent firmware update that allows anyone within range to connect to the TV simply providing the password “Miracast” that has been hard-coded in the Philips devices.

“The main problem is just Miracast that uses a fixed password, doesn’t show a PIN number to insert and moroever doesn’t ask permission to allow the incoming connection. So basically you just connect directly to the TV via WiFi without restrictions. Miracast is enabled by default and the password cannot be changed. We tried all the possible ways to reset the TV included those methods suggested on the Philips manual (everything is in the first 40 seconds of the video) but the TV just allows anyone to connect. ” said Auriemma.

The security flaw in Philips SmartTV was introduced with the last firm firmware version (ver.QF2EU-0.173.46.0) released in December 2013 running on 55PFL6008S models, according Auriemma other 2013 Philips SmartTV models could be at risk because they use the same firmware.

“Personally we tested only the 55pfl6008s model but that firmware is the same used for all those 2013 models.Just to give you an example 47pfl6158, 55pfl8008 and 84pfl9708 use all the same firmware even if they have different sizes and series.” added Luigi Auriemma.

The hack is very insidious, he took a few seconds to carry out and it is impossible for the victims to detect it.

Attackers, connecting to a Miracast-enabled Wi-Fi network, are able to browse and download any files that may be contained on USB drives plugged into the Philips SmartTV. The researchers at ReVuln also demonstrated that is possible to steal browser cookies that contain sensitive information and are used in some cases by many web services for authentication purpose.

Researchers at ReVuln published a video to show how an attacker can easily steal from the Philips SmartTV the authentication cookies for an existing Gmail account and also user’s data from a USB drive connected to the device. 

It’s not the first time that security experts warn electronic manufacturers on the possible abuse of technologies within their products, in July 2013 the researcher Malik Mesellem demonstrated that SmartTV hacking is a real menace attacking Samsung models forcing their reboot with a HTTP GET request.

The same experts at ReVuln  posted more than one year ago a video to demonstrate how it was possible to attack a Samsung Smart TV exploiting a 0-day vulnerability to gain root access on it. The hacker could remotely wipe data from attached storage devices, monitoring and controlling the victim TV.

In November 2013 a British blogger revealed that his LG SmartTV was collecting and sending details about the owners’ viewing habits, even if the users have activated a privacy setting.

All these cases remark to the security community to seriously consider the risks related to the lack of security in Internet of things paradigm, a multitude of devices, from thermostats to smart meters, could be attacked by cyber criminals. Internet of Things, a business growing at a compound annual rate of 7,9%, is considerable a privileged target for hackers and cyber criminals, it’s time to think of security by design … the hard-coding of password for sure is the antithesis of this concept. 

Back to the case of Philips SmartTV it must be also considered that the firmware is also affected by a directory traversal vulnerability that could give to the attackers the access to the user’files, the bad news is that the flaw was unfixed since at least six months. 

I pretend much more from a giant like Philips.

Pierluigi Paganini

(Security Affairs –  Philips SmartTV, Internet of Things)