How to easily hack your Smart TV : Samsung and LG

Posted on July 7, 2015

Originally called “connected TVs,” and now they are called as “smart TVs”. Any television that can be connected to the Internet to access services, use apps and behave in some way as our computers with web browser. Smart TVs connect to Internet via wired Ethernet connection or Wi-Fi to connect to a home network. Smart TVs require computer chips to juggle video processing, multiple screens and an Internet connection. They also use memory to buffer streaming video and music, and need additional processing power to deal with graphics. The TVs can be controlled by voice commands and by apps running on some Smartphone.

Dan Reynolds, information security solution and training expert of International Institute of cyber security explains that these Smart TVs are not that smart and the security of software isn’t exactly perfect. Smart TVs resemble for us the Internet of things (IoT) but old vulnerabilities which were considered to have completely disappeared are new vulnerabilities again in the Internet of Things (IoT). Sometimes you can easily find a flaw that can enable you to take a variety of actions on the TV, including accessing potentially sensitive data, remote files and information, the drive image and eventually gain root access to the device.

In the article we will be covering different aspects of two most famous brands of Smart TVs Samsung and LG with the help of ethical hacking course professor of IIcybersecurity.

Understanding SAMSUNG SMART TV Operating system

Tizen is an operating system based on the Linux kernel and the GNU C Library implementing the Linux API. It targets a very wide range of devices including smart phones, tablets, in-vehicle infotainment (IVI) devices, smart TVs, PCs, smart cameras, wearable computing, Blu-ray players, printers and smart home appliances. Its purpose is to offer a consistent user experience across devices. Tizen would be implemented in Samsung TVs from 2015.

There are some online community which are working over the Samsung smart TV OS research like ( Sammygo) mentions Dan Reynolds, information security solution and training expert.

How to do analysis over Samsung Smart TV firmware

ExLink connector consist of a cable which has in one side a 3.5mm jack, like the audio ones, and on the other side an RS232 ( Serial ) DB9 connector. This cable will allow you to connect your PC computer to the TV, and enter in the Serial mode. With this you can use a serial Communications Software, like Hyperterminal, Putty from Windows or Linux.

Connecting to Samsung TV

1. Put the TV into Standby Mode, press [Info] then [Menu] then [Mute] and then [Power] when the TV turns on is shows a new Service Menu.
2. Enabled the Hotel Option, and Set the RS-232 interface to UART.
3. Use the Power button the turn the TV off and on again.

TV should now be ready for communication with your PC.

Connecting Wireshark with Smasung Smart TV

There is a Wireshark dissector for Samsung SmartTV protocol.

This dissector allows to filter wireshark captures and decode remote control packets that are sent to the TV by WiFi and packets that are sent from TV to remote control unit. This wireshark plugin, allows simple declarative creation of your own dissectors for custom protocols.

To install the dissector to your wireshark installation, you need to do the following actions:

Download version of WSGD that matches your wireshark version and machine architecture and put it to your wireshark plugins folder. Unzip dissector files (e.g. /usr/lib/wireshark/libwireshark0/plugins/).

To see dissector in action you could do this:

• Run wireshark with installed dissector. Download sample capture file and open it in wireshark.
• Type samsung_remote in the filter field and see filtered Samsung Remote packet.
• Click one of packets marked with SR protocol and see decoded packet data.

You can test the connection with some of the commands

TV On: \x08\x22\x00\x00\x00\x02\xd6\r
TV Off: \x08\x22\x00\x00\x00\x01\xd5
HDMI1: \x08\x22\x0a\x00\x05\x00\xc7
TV Tuner: \x08\x22\x0a\x00\x00\x00\xcc
Volume Up : \x08\x22\x01\x00\x01\x00\xd4
Volume Down : \x08\x22\x01\x00\x02\x00\xd3
Mute Toggle : \x08\x22\x02\x00\x00\x00\xd4
Speaker On : \x08\x22\x0c\x06\x00\x00\xc4
Speaker Off : \x08\x22\x0c\x06\x00\x01\xc3
HDMI 2 : \x08\x22\x0a\x00\x05\x01\xc6
HDMI 3 : \x08\x22\x0a\x00\x05\x02\xc5

Smart TV Hotel Mode Hack

Some models of Samsung TVs have an option, to make the TV works when they’re installed in hotels. This makes the TV to work in an isolated environment that protects some functions from the modifications hotel guests want to do. You can use the steps mentioned below to hack into hotel TV mode and root it.

There are lot of Independent projects related to Samsung smart TV on Github Like Samsung-Remote mentions Dan Reynolds, information security solution and training expert.

Understanding LG SMART TV Operating system

When you buy a LG Smart TV you get a LG TV with WebOS operating system. WebOS, also known as LG WebOS, Open WebOS, HP WebOS, or Palm WebOS, is a Linux kernel-based multitasking operating system for smart devices like TVs and smart watches and was formerly a mobile operating system. Initially developed by Palm, which was acquired by Hewlett-Packard, HP made the platform open source, and it became Open WebOS. The operating system was later sold to LG Electronics.

As the WebOS is open source, there are some online open source communities like (openwebosproject, openlgtv) working over the firmware. From these communities you can download operating system firmware and do your own research.

Connecting to Smart TV

First step towards hacking any system is to know about the system. To understand the architecture and monitor the traffic that your Smart TV is sending you will have to connect your computer with Smart TV. To reach at the firmware level you will need to connect via RS-232C interface. You can easily connect to RS-232 cable from television to computer’s USB.

In general we recommend Linux operating system. There are reports from users, which got problems with some USB2Serial adaptors under Windows 7, so at the moment we recommend Windows XP for using USB2Serial adaptors.

Start the TV and go to ‘Options’ menu by using remote control and consider Set ID is set to 1. You will need terminal emulation program such as Hyperterminal or Putty. Set the following configuration 9600 or 115200 baud (on recent firmwares there’s now 115200bps baudrate by default), 8N1, XON/XOFF. Data length: 8 bits, Parity: None, Stop bit: 1 bit, Communication code: ASCII code. By issuing following commands you can check the connection. There a lot of different commands to play with the system.

Transmission / Receiving Protocol

Transmission

[Command1][Command2][ ][Set ID][ ][Data][Cr]

[Command 1] : First command to control the set.(j, k, m or x) [Command 2] : Second command to control the set.

[Set ID] : You can adjust the set ID to choose desired set ID number in Option menu. Adjustment range is 1~ 99. When selecting Set ID 0, every connected the set is controlled. Set ID is indicated as decimal (1~ 99) on menu and as Hexa decimal (0x0~ 0x63) on transmission /receiving protocol.

[DATA] : To transmit the command data. Transmit the FF data to read status of command.

[Cr] : Carriage Return ASCII code 0x0D

[ ] : ASCII code space (0x20)
* In this model, set will not send the status during the standby mode.

OK Acknowledgement

[Command2][ ][Set ID][ ][OK][Data][x]

The set transmits ACK (acknowledgement) based on this format when receiving normal data. At this time, if the data is data read mode, it indicates present status data. If the data is data write mode, it returns the data of the PC computer.

* In this model, set will not send the status during the standby mode. * Data Format
[Command 2] : Use as command.
[Set ID] : Use the small character, if set ID is 10, it will send the 0, a. [DATA] : Use the small character, if data is 0 x ab, it will send the a, b. [OK]: Use the large character.

Error Acknowledgement

[Command2][ ][Set ID][ ][NG][Data][x]

The set transmits ACK (acknowledgement) based on this format when receiving abnormal data from non-viable functions or communication errors.

Data01: Illegal Code
Data02: Not supported function
Data03: Wait more time
* In this model, set will not send the status during the standby mode. * Data Format
[Command 2] : Use as command.
[Set ID] : Use the small character, if set ID is 10, it will send the 0, a. [DATA] : Use the small character, if data is 0 x ab, it will send the a, b. [NG] : Use the large character.

Power (Command: k a)

To control Power On/Off of the set.

Transmission [k][a][ ][Set ID][ ][Data][Cr]

Data 00: Power Off Data 01: Power On

Acknowledgement [a][ ][Set ID][ ][OK/NG][Data] [x]

* In a like manner, if other functions transmit ‘FF’ data based on this format, Acknowledgement data feedback presents status about each function.

* Note: In this model, set will send the Acknowledge after power on processing completion.

There might be a time delay between command and acknowledge.

Or you can use also use scripts available in Internet like libLGTV_serial. Mike Stevans, professor of ethical hacking course in México explains that libLGTV_serial is a Python library to control LG TVs (or monitors with serial ports) via their serial (RS232) port.

LG TV USB IR-Hack with Arduino

You can easily hack your LG TV with an adruino card via uploading  scripts.

This infrared remote library consists of two parts: IRsend transmits IR remote packets, while IRrecv receives and decodes an IR message.

#include <IRremote.h>
IRsend irsend;

void setup()
{
  Serial.begin(9600);
}

void loop() {
  if (Serial.read() != -1) {
    for (int i = 0; i < 3; i++) {
      irsend.sendSony(0xa90, 12); // Sony TV power code
      delay(100);
    }
  }
} 

#include <IRremote.h>

int RECV_PIN = 11;
IRrecv irrecv(RECV_PIN);
decode_results results;

void setup()
{
  Serial.begin(9600);
  irrecv.enableIRIn(); // Start the receiver
}

void loop() {
  if (irrecv.decode(&results)) {
    Serial.println(results.value, HEX);
    irrecv.resume(); // Receive the next value
  }
}

You can learn more about adruino hacks from Github projects and open source communities.

How to activate USB player via serial

1. Connect PC via COM port or USB2COM (USBtoRS232) adapter into RS232 connector on the TV
2. Run terminal program on the PC (hyperterminal or putty for example)
3. Set following parameters for COM port: speed 9600, flow control: none. Leave all other at the defaults.
4. In terminal enter: “ab 0 ff” and press “Enter”. You should get following response “01 ok????x”, where ???? is the Tool option number. Remember it or write on the piece of paper.
5. To activate USB media player enter: “ab 0 6″ and press enter.
6. Switch off/on the TV. USB icon should appear in the main TV menu.

Custom Firmwares

You can download old firmware’s from official LG websites or for Internet forums. These firmware’s are customized as per user needs.

Mike Stevens, professor of hacking course in México explains that along with serial commands, scripts and along with vulnerabilities anybody can hack a smart TV. Some of the known vulnerabilities for which different exploits are available in black market are:

Weak Authentication

The protocol is very simple in terms of authentication and the authentication packet only needs an IP address, a MAC address and a hostname for authentication. You can easily break the protocol. Also the client side authentication is that that strong. Also the protocol does not handle NULL MAC address value authentication and thus any device with NULL MAC address value can connect to the TV.

Vulnerable TV’s APIs

A hacker can hack and install malware through TV’s APIs like File.Unzip or Skype. These can be used to copy files to any writeable file system on the target and install a backdoor.

Man in Middle attack vulnerabilities

By using MIM attack vulnerabilities a hacker can sniff the data as TV doesn’t check server certificates. Thus with fake certificates a hacker can easily do Man in Middle attack. 

As per information security solution and training experts, creating malware for Smart TV is not so different from creating malware for PCs or Linux systems. The base OS is Linux and have vulnerabilities. Thus by using the serial commands and vulnerabilities a hacker can easily hack into smart TV. Also as there are no anti-viruses or anti malware solutions available for smart TVs, thus it becomes easier for a hacker to hack into Smart TVs.

Source:

www.openlgtv.org.ru

www.wiki.samygo.tv

www.iicybersecurity.com