Samsung Smart TV Can Be Hacked via Wi-Fi Direct Feature

Advisory Information
 
Title: Samsung Smart TV Wi-Fi Direct Improper Authentication
Advisory ID: NESESO-2017-0313
Advisory URL: http://neseso.com/advisories/NESESO-2017-0313.pdf
Date published: 2017-04-19
Vendors contacted: Samsung
Release mode: User Release
 
Vulnerability Information
 
Class: Improper Authentication [CWE-287]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
 
Vulnerability Description
 
Samsung Smart TVs running Tizen OS are prone to a security vulnerability that allows an attacker to impersonate a trusted device to obtain unrestricted access without authentication when connected via Wi-Fi Direct[1].
 
Vulnerable Packages
 
UN32J5500 Firmware version 1480
 
Other products and versions might be affected too, but they were not tested.
 
 
Vendor Information, Solutions and Workarounds
 
Neseso recommends removing all whitelisted devices and avoiding use of the Wi-Fi Direct feature.
 
Contact the vendor for further information.
 
 
Credits
 
This vulnerability was discovered and researched by a member of the Neseso Research Team.
 
 
Technical Description
 
Wi-Fi Direct Improper Authentication
 
Wi-Fi Direct, initially called Wi-Fi P2P, is a Wi-Fi standard that enables devices to connect to each other easily without requiring a wireless access point. It is useful for everything from internet browsing to file transfer, and for communicating with one or more devices simultaneously at typical Wi-Fi speeds. When two devices want to connect, they can authenticate using methods such as PIN, Push-Button or NFC.
 
Samsung TVs support Wi-Fi Direct by default, and it is enabled every time the device is turned on. The system uses a blacklist/whitelist access control mechanism to avoid asking the user to authenticate devices every time they try to connect using Wi-Fi Direct. This access control mechanism uses the MAC address to identify devices, making it easy for an attacker to obtain the information needed to impersonate a whitelisted device and gain access to the Smart TV. The user is notified that the whitelisted device is connecting to the Smart TV, but no authentication is required. Once connected, the attacker has access to all the services provided by the TV, such as the remote control service or DLNA screen mirroring. If any of the services the Smart TV exposes over Wi-Fi Direct is vulnerable, the attacker could gain control of the Smart TV or use it to pivot and gain access to the network the Smart TV is connected to.
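
An added illustration (not taken from the Neseso advisory or from Samsung's firmware) of why a whitelist keyed on MAC address identifies a device without authenticating it, shown next to a challenge-response check bound to a per-device key. The key store, function names and sample MAC address are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: one previously paired device and its per-device key.
PAIRED_MAC = "02:00:00:aa:bb:cc"        # locally administered address, constructed
PAIRED_KEY = secrets.token_bytes(32)    # hypothetical secret stored at first pairing

ALLOWLIST = {PAIRED_MAC}                # MAC-only whitelist, as the advisory describes
PAIRED_KEYS = {PAIRED_MAC: PAIRED_KEY}  # hypothetical hardened store (assumption)


def allowlist_accepts(claimed_mac: str) -> bool:
    """Weak check: the only input is the claimed MAC, which is visible on the air."""
    return claimed_mac.lower() in ALLOWLIST


def new_challenge() -> bytes:
    """Fresh random nonce per connection attempt, so old responses cannot be reused."""
    return secrets.token_bytes(16)


def device_response(key: bytes, mac: str, challenge: bytes) -> bytes:
    """What a genuine paired device computes from the key it stored at pairing."""
    return hmac.new(key, mac.lower().encode() + challenge, hashlib.sha256).digest()


def keyed_accepts(claimed_mac: str, challenge: bytes, response: bytes) -> bool:
    """Hardened check: the peer must prove possession of the pairing key."""
    key = PAIRED_KEYS.get(claimed_mac.lower())
    if key is None:
        return False  # unknown device: require interactive PIN or push-button pairing
    expected = device_response(key, claimed_mac, challenge)
    return hmac.compare_digest(expected, response)  # constant-time comparison
```

The MAC-only check returns the same answer for every peer that presents the whitelisted address, while the keyed check rejects a peer that knows the address but not the key.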