An attacker could gain remote access by chaining together an exploit for home routers with the TV flaw.
Smart-TV hijacking is not unheard of; in January, hackers took advantage of vulnerable Chromecast and Google Home devices to display messages on consumer TVs promoting well-known YouTube star PewDiePie.
An unpatched vulnerability in smart TVs would allow attackers on the same Wi-Fi network to hijack the TV set to broadcast their own content – including, potentially, fake emergency broadcast messages.
Discovered by security researcher Dhiraj Mishra, the flaw (CVE-2019-12477) is found in the SUPRA Smart Cloud TV brand, which is popular in Russia and Eastern Europe. The TVs are mainly sold via e-commerce sites in Russia, China and the United Arab Emirates, according to an online search.
The issue lies in the `openLiveURL()` function, which the TV uses to fetch streaming content. The function lacks authentication requirements or session management, according to Mishra, so an attacker can trigger the vulnerability by sending a specially crafted request to a static URL, which allows the adversary to inject a remote file.
A proof-of-concept video shows the attack:
“I found this vulnerability initially by source-code review and then by crawling the application, and reading every request helped me to trigger this vulnerability,” Mishra said in his writeup on Monday. “Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which allows a local attacker to broadcast fake video without any authentication via a /remote/media_control?action=setUri&uri=URI.”
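A defender can watch for this request pattern in traffic to the TV. The following is an added example, not code from Mishra's writeup or from the vendor: it scans constructed proxy-style log lines for the `setUri` request quoted above and flags media sources outside an expected set. The log format, IP addresses, host allowlist and function name are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Path and action quoted in the advisory text for CVE-2019-12477.
CONTROL_PATH = "/remote/media_control"
ACTION = "seturi"
# Assumption: hosts this household legitimately streams from (hypothetical).
ALLOWED_STREAM_HOSTS = {"streams.example.com"}

# Constructed sample records: timestamp, client IP, TV IP, method, request target.
SAMPLE_LOG = """\
2019-06-03T10:15:02Z 192.168.1.23 192.168.1.50 GET /remote/media_control?action=setUri&uri=http%3A%2F%2Fstreams.example.com%2Flive.m3u8
2019-06-03T10:16:40Z 192.168.1.77 192.168.1.50 GET /remote/media_control?action=setUri&uri=http://192.168.1.77/clip.m3u8
2019-06-03T10:17:05Z 192.168.1.23 192.168.1.50 GET /remote/status
2019-06-03T10:18:11Z 192.168.1.77 192.168.1.50 GET /remote/media_control?action=SETURI&uri=
malformed line
"""

def find_seturi_requests(log_text, allowed_hosts=ALLOWED_STREAM_HOSTS):
    """Return one finding per setUri request seen going to the TV."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 4)
        if len(parts) != 5:
            continue  # skip records that do not match the assumed format
        ts, client, tv, _method, target = parts
        url = urlsplit(target)
        if url.path.rstrip("/").lower() != CONTROL_PATH:
            continue  # compared case-insensitively so variants are not missed
        query = parse_qs(url.query, keep_blank_values=True)
        actions = [a.lower() for a in query.get("action", [])]
        if ACTION not in actions:
            continue
        media_uri = query.get("uri", [""])[0]
        try:
            media_host = (urlsplit(media_uri).hostname or "").lower()
        except ValueError:
            media_host = ""  # unparseable URI: treated as unknown host
        findings.append({
            "time": ts, "client": client, "tv": tv,
            "media_uri": media_uri, "media_host": media_host,
            # The endpoint has no authentication, so every hit is worth
            # logging; the host check separates expected from unexpected sources.
            "suspicious": media_host not in allowed_hosts,
        })
    return findings

if __name__ == "__main__":
    for finding in find_seturi_requests(SAMPLE_LOG):
        print(finding)
```

Because the endpoint accepts requests from any host on the network, the `client` field is the main lead for tracing which device issued the change.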
The requirement for the attackers to have access to the home Wi-Fi network obviously mitigates the threat to a certain extent. However, the growing tide of internet-of-things bugs in routers can give attackers remote access to that network. For instance, two of TP-Link’s budget router models, the TP-Link WR940N and TL-WR941ND, were recently found to be vulnerable to flaws that allow attackers to take control of both.
Meanwhile, in 2018 Consumer Reports identified two smart TV models from Samsung and TCL that included bugs that allowed an attacker to take control of targeted TVs. A hacker who exploited these vulnerabilities would be able to take control of the TV and change the channel, turn up the volume and play offensive YouTube videos from anywhere on the planet, the report stated.