Direkt zum Hauptbereich

Not so Smart: On Smart TV Apps

One of the main characteristics of Smart TVs are apps. Apps extend the Smart TV behavior with various functionalities, ranging from usage of social networks or payed streaming services, to buying articles on Ebay. These actions demand usage of critical data like authentication tokens and passwords, and thus raise a question on new attack scenarios and general security of Smart TV apps.

These reasons make it interesting enough to do some research on smart TVs. We wrote a paper with the title "Not so Smart: On Smart TV Apps", which will be presented in a few days at the "International Workshop on Secure Internet of Things" (SIoT 2015). In this paper, we investigate attack models for Smart TVs and their apps, and systematically analyze security of Smart TV devices. We point out that some popular apps, including Facebook, Ebay or Watchever, send login data over unencrypted channels. Even worse, we show that an arbitrary app installed on devices of the market share leader Samsung can gain access to the credentials of a Samsung Single Sign-On account. Therefore, such an app can hijack a complete user account including all his devices like smartphones and tablets connected with it. Based on our findings, we provide recommendations that are of general importance and applicable to areas beyond Smart TVs.

You want a short teaser? Sure, why not. Our full paper is available as a PDF file: Download.

During our tests we analyzed the HTTP traffic initiated by the app VEVO (v3.701) on our Samsung Smart TV. Please note that VEVO was also in our Apple TV testbed. However, in the case of Apple TV the HTTP connection was encrypted and we were not able to reproduce our Samsung results on this device. VEVO can be used to watch music videos, artist videos, and original shows on the user's TV. During our analysis of the login procedure we have discovered HTTP GET requests going to scorecardresearch.com. This website is a service from a market research company, primary analysing surveys and web tagging data.

The requests going to this website contain inter alia the following data: Video artist, video player information, current video channel, user identifier, and Samsung SSO username including its password. Please note that these requests are transmitted regularly to provide information like the currently watched video. The crucial point is that the credentials of the user’s Samsung SSO account are submitted unencrypted via HTTP.

Therefore we have at least two attack scenarios. First, the marketing company is able to login with the user’s Samsung SSO account and thus they could have access to all provided services. Second, an eavesdropper could sniff the connection and steal the SSO account’s data.

Beliebte Posts aus diesem Blog

How To Spoof PDF Signatures

One year ago, we received a contract as a PDF file. It was digitally signed. We looked at the document - ignoring the "certificate is not trusted" warning shown by the viewer - and asked ourselfs:

"How do PDF signatures exactly work?"

We are quite familiar with the security of message formats like XML and JSON. But nobody had an idea, how PDFs really work. So we started our research journey.

Today, we are happy to announce our results. In this blog post, we give an overview how PDF signatures work and on top, we reveal three novel attack classes for spoofing a digitally signed PDF document. We present our evaluation of 22 different PDF viewers and show 21 of them to be vulnerable. We additionally evaluated 8 online validation services and found 6 to be vulnerable.

In cooperation with the BSI-CERT, we contacted all vendors, provided proof-of-concept exploits, and helped them to fix the issues and three generic CVEs for each attack class were issued: CVE-2018-16042

DTD Cheat Sheet

When evaluating the security of XML based services, one should always consider DTD based attack vectors, such as XML External Entities (XXE) as,for example, our previous post XXE in SAML Interfaces demonstrates.

In this post we provide a comprehensive list of different DTD attacks.

The attacks are categorized as follows:
Denial-of-Service AttacksClassic XXEAdvanced XXEServer-Side Requst Forgery (SSRF)XIncludeXSLT

Printer Security

Printers belong arguably to the most common devices we use. They are available in every household, office, company, governmental, medical, or education institution.
From a security point of view, these machines are quite interesting since they are located in internal networks and have direct access to sensitive information like confidential reports, contracts or patient recipes.

TL;DR: In this blog post we give an overview of attack scenarios based on network printers, and show the possibilities of an attacker who has access to a vulnerable printer. We present our evaluation of 20 different printer models and show that each of these is vulnerable to multiple attacks. We release an open-source tool that supported our analysis: PRinter Exploitation Toolkit (PRET) https://github.com/RUB-NDS/PRET Full results are available in the master thesis of Jens Müller and our paper. Furthermore, we have set up a wiki (http://hacking-printers.net/) to share knowledge on printer (in)security.
The hi…