Samsung TVs that have Wi-Fi and other advanced capabilities have a flaw that could allow an attacker to take control of the device.
The end result is that an attacker could remotely access the remote control for the TV, retrieve files located on any USB drive attached to the TV and even install malicious software on the TV. Samsung produces a line of TVs that have a variety of advanced capabilities, including the ability to install apps such as Pandora, Skype and others. The TVs can be controlled by voice commands and by apps running on some Samsung phones and tablets.
Luigi Auriemma, a founder of ReVuln, a security consultancy and research firm that discovers and sells Zero Day vulnerabilities, found an attacker can leverage the flaw in the Samsung smart TVs and gain root access. ReVuln, as a matter of policy, doesn’t disclose vulnerabilities to vendors, but the company posted a video demonstration of the exploit for the Samsung TVs in action.
Earlier this year, Auriemma was looking for a way to reprogram the remote control for his brother’s Samsung TV when he stumbled upon a bug that enabled him to cause the TV to restart endlessly. That Samsung TV flaw was also present in some Blu-Ray players and Auriemma said he was able to cause the endless restart loop in that case by altering a field in a packet sent by a remote control to the TV.
“This one is a new undisclosed one found with and for my ReVuln company that allows access to files and partitions available on the TV from the remote,” Auriemma said.
“The video shows also a couple of scenarios in which it is possible to abuse such a vulnerability for stealing sensitive information or controlling the TV (with the possibility of installing malicious software on it using some features of Smart TVs).”
Smart TVs are showing up in large numbers in the U.S. market, as manufacturers try to bridge the gap between the Web and home entertainment. They offer consumers the ability to mix Web-based content (or what’s usually thought of as Web content) such as apps and news content with normal TV programming and video streaming.
Auriemma said the best mitigation right now is for owners of vulnerable Samsung TVs to disable the online functionality.