Researchers hack Vizio Smart TVs to access home network

Not only do Vizio’s Smart TVs track users’ viewing habits by default (that information is sold to third parties, who can then use it to deliver targeted ads to other internet-connected devices that share an IP address or other identifier with the Smart TV), but they are also vulnerable to man-in-the-middle attacks that can let attackers harvest the data sent from the TV to the server that collects it, as well as to attacks that could let attackers take control of the smart device and/or the entire home network.

Or, at least, they were until recently – after Avast researchers discovered these holes, the company was notified and patched them. The update with the patch will be pushed to all the devices in the next few days, and those TVs that have automatic updating on and are online will update themselves.

When the researchers decided to test Vizio’s Smart TV, they hooked it to a wireless access point on a test network and took a look at the traffic going out and coming in. Among the various online services that the device was sending requests to was one (encrypted) to tvinteractive.tv.

As it turns out, the service is run by Cognitive Networks, which identifies what the user is watching (via a “fingerprint”) and sends “an event trigger to the content provider or advertiser”, and they send back a link to the [Active Content Recognition] app to display onscreen.

So far, so good. But, unfortunately, the TV doesn’t check the certificate of the HTTPS connection to control.tvinteractive.tv.
“This means we can man-in-the-middle the connection, watch the requests, repeat them to the server, and serve our own fake (static) content back to the TV,” the researchers explained.

“As it turns out, the TV is not checking the certificate of the connection, but it is checking the checksum at the end of the data before it will use the data,” they shared. “We can serve this control data to the TV from our fake web server, but we cannot change the data without breaking the checksum. The checksum is md5, and we assume the control data is combined with a secret to generate the checksum. In the field of cryptography this type of secret key is referred to as ‘salt’.”

Unable to brute-force it, the researchers wanted to see if they could get the salt from the device. They forced their way in via a local command injection into a screen for configuring a hidden wireless network ID, found a way to list the commands, “owned” the TV, and found the salt. This allowed them to compute a checksum that would make the TV accept the data they sent.

“At this point, we have a possible attack vector into the home network or office through the Smart TV, which can be accomplished by hijacking DNS and serving malicious control data to the TV. Because the TV calls out to a control server by default and does not verify the authenticity of the control server, it allows an attacker in without the need for any incoming ports to be opened,” they concluded.
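The checksum the researchers describe proves only that data was produced with the secret, not who served it or when. The following added example (not Avast's or Vizio's code) models that check beside one hardened variant. The trailer layout, the sample secrets, the per-device key derivation and the message counter are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values; the real secret and wire format are not on the page.
FLEET_SECRET = b"constructed-fleet-secret"      # assumed identical on every device
MASTER_KEY = b"constructed-server-master-key"   # hardened design: never leaves the server

def legacy_accepts(blob: bytes, secret: bytes) -> bool:
    """TV-side check as described: trailing MD5 only (hex trailer is an assumption)."""
    payload, tag = blob[:-32], blob[-32:]
    expected = hashlib.md5(payload + secret).hexdigest().encode()
    return hmac.compare_digest(tag, expected)

def legacy_pack(payload: bytes, secret: bytes) -> bytes:
    return payload + hashlib.md5(payload + secret).hexdigest().encode()

def device_key(device_id: bytes) -> bytes:
    """Hypothetical per-device key, derived server-side from MASTER_KEY."""
    return hmac.new(MASTER_KEY, b"control-v1|" + device_id, hashlib.sha256).digest()

def hardened_pack(key: bytes, device_id: bytes, counter: int, payload: bytes) -> bytes:
    body = device_id + b"|" + str(counter).encode() + b"|" + payload
    return body + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

class HardenedDevice:
    """Checks an HMAC-SHA256 tag, the addressed device and a strictly rising counter."""
    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self.key, self.last_counter = device_id, key, 0

    def accepts(self, blob: bytes) -> bool:
        body, tag = blob[:-64], blob[-64:]
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False                      # wrong key or modified data
        parts = body.split(b"|", 2)
        if len(parts) != 3 or parts[0] != self.device_id or not parts[1].isdigit():
            return False                      # malformed or addressed elsewhere
        if int(parts[1]) <= self.last_counter:
            return False                      # replay of an earlier response
        self.last_counter = int(parts[1])
        return True

if __name__ == "__main__":
    captured = legacy_pack(b'{"app":"constructed"}', FLEET_SECRET)
    print("legacy accepts replayed data:", legacy_accepts(captured, FLEET_SECRET))
    tv = HardenedDevice(b"tv-a", device_key(b"tv-a"))
    msg = hardened_pack(device_key(b"tv-a"), b"tv-a", 1, b'{"app":"constructed"}')
    print("hardened first/replayed:", tv.accepts(msg), tv.accepts(msg))
```

Per-device keys and a counter only limit what one extracted key or one captured response is worth; validating the server certificate remains the control the TV was missing.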

The good news in all of this is that Vizio responded promptly when apprised of the situation, and they immediately began working on a fix.

The bad news is that, while IoT devices proliferate, most manufacturers are still not serious about security. Vulnerabilities such as these should have been found and fixed by their team in the first place, and not found later by researchers.

I guess we can count ourselves lucky that there are security researchers interested in poking through these devices, and they can count themselves lucky that the US Library of Congress has allowed them to do so “for purposes of good-faith security research.”
