Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Television Technology

Samsung TVs Can Be Hacked Into Endless Restart Loop 187

Gunkerty Jeb writes "Italian security researcher Luigi Auriemma was trying to play a trick on his brother when he accidentally discovered two vulnerabilities in all current versions of Samsung TVs and Blu-Ray systems that could allow an attacker to gain remote access to those devices. Auriemma claims that the vulnerabilities will affect all Samsung devices with support for remote controllers, and that the vulnerable protocol is on both TVs and Blu-Ray enabled devices. One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow."
This discussion has been archived. No new comments can be posted.

Samsung TVs Can Be Hacked Into Endless Restart Loop

Comments Filter:
  • TV (Score:4, Interesting)

    by SJHillman ( 1966756 ) on Tuesday April 24, 2012 @12:03PM (#39783879)

    My parents recently got a 52" Internet connected Samsung TV. Any way I could use this to replace the crap Samsung apps with something better?

    • Re: (Score:3, Interesting)

      by Cenan ( 1892902 )
      If the second bug he found really is a buffer overflow vulnerability, there could be no end to the funny shit you could do to your TV.
      • Re:TV (Score:4, Interesting)

        by AmberBlackCat ( 829689 ) on Tuesday April 24, 2012 @12:11PM (#39783991)
        I'm thinking "biggest Android tablet ever". With a Kinect instead of a touchscreen. Or at least a real web browser instead of only being able to look at sites of their "partners".
        • Re: (Score:3, Informative)

          by bastafidli ( 820263 )

          You can look at any website, not sure what you are talking about.

          • by splatter ( 39844 )

            Yeah, same here. The only restriction on my Samsung set is it will not authenticate. Neither through the normal browser procedure or by entering login credentials in the URL.

          • My parent's TV doesn't have any general web browser that I've been able to find on it. All you can download are various apps (some of which give you the functionality of sites like YouTube and Google Maps).

          • Hmm maybe it depends on the model. Or maybe I've flipped. Either way, if the web browser works, I could do without rooting the television to make it an Android tablet... for now...
        • Get them a Google TV box (it runs Android Honeycomb). You get the Chrome browser, apps, games, etc, along with a real keyboard (but the keyboard only includes a tiny touch screen area, I'm disappointed to say).
    • Re:TV (Score:5, Informative)

      by Anaerin ( 905998 ) on Tuesday April 24, 2012 @12:13PM (#39784041)
      Not yet, but as the TVs run Linux underneath (and have published their sourcecode, as they required to by the GPL) they're working on it: http://www.samygo.tv/ [samygo.tv]
    • Re:TV (Score:5, Funny)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Tuesday April 24, 2012 @12:14PM (#39784053) Homepage Journal

      My parents recently got a 52" Internet connected Samsung TV. Any way I could use this to replace the crap Samsung apps with something better?

      Sure. Just give me the IP address...

    • From TFA:

      To exploit Auriemma’s vulnerabilities requires only that the devices are connected to a wi-fi network.

      Solution, hard wire and use a firewall. Update the firmware when Samsung fixes it.

      • Solution: Ask every household who bought our TV for their fancy living room setup to run a 50 foot ethernet cable along the floor and up the wall to the television, then configure something on their router they've never heard of.

    • Give it two weeks and you'll have a plethora of hacks that can make your Samsung... well, yours.

    • the "internet enabled TV" is another case of "feature phone syndrome." there are no "features" because it's all a walled garden of the Telco's choosing, and everything is another ten bucks a month, forever.

      my year-old Samsung LCD is slaved to Yahoo TV streaming. hooo-kay, and if it would have said "Won Hyuk Yuk Yuk" it would make no difference. generic Brand X, forget it.

      I haven't plugged into the router because if there are no updates per the web site, and no streaming services to be using, the only thi

  • by WrongSizeGlass ( 838941 ) on Tuesday April 24, 2012 @12:04PM (#39783891)
    On the up side you can't be inundated with endless commercials if your TV is in an endless restart loop ;-)
    • I'm just imagining getting stuck watching the trailer credits / ads on the blue ray discs... over and over and over again...
  • I throw it from the top of a building.

  • So the hack just tunes the TV to Dave [wikipedia.org], then? :)

  • by Compaqt ( 1758360 ) on Tuesday April 24, 2012 @12:08PM (#39783965) Homepage

    Where we had dumped carburetors for computer-controlled engines, but they didn't need to get updates, and those updates weren't wirelessly and remotely pushed?

    Where we had dumped cathode ray tubes for flat, liquid crystal displays, but hadn't put the tubes back into TV by stuffing the Internet (and viruses) into them?

    Where we had dumped both rotary and touch tone land line phones for cellular phones that could do most anything you'd want them to, and you carry it whereever you went, but you didn't have to have an antivirus running on the phone and didn't have to worry about your contact details being sent to Nigeria?

    • The larger programs become, the more likely unexpected states (bugs) will sneak in, and then later be exploited.

      Life would be vastly improved if programmers wrote code as small and easy-to-understand as Kolibri OS (fits on a floppy). Or even smaller - the early Mac and AmigaOS fit inside ~64 kilobytes. It is easy to find and located bad states in such small programs.

    • by Ksevio ( 865461 )

      No, all those things are crap compared to the wealth of features and connectivity we have now.

      A flaw in a car required a full recall to repair it.

      TVs could only watch content dictated by the cable company.

      Smart phones can do a crap load of handy things.

      • Maybe this is false remembrance, but it seems things worked better then.

        A car update might have required a recall, but such problems were infrequent. Going forward, it seems they are going to be very frequent.

        Reason being, the thinking will be "it's just software". Hardware gets tested till it works. Software gets tested (if at all) till it's time to ship.

        Since "it's only software," it can always be updated. So there's not real discipline to get it right the first time.

        • by tlhIngan ( 30335 )

          A car update might have required a recall, but such problems were infrequent. Going forward, it seems they are going to be very frequent.

          Reason being, the thinking will be "it's just software". Hardware gets tested till it works. Software gets tested (if at all) till it's time to ship.

          Since "it's only software," it can always be updated. So there's not real discipline to get it right the first time.

          Car updates require work on the dealer side paid for by the manufacturer, so they have a vested interest in k

      • by sjames ( 1099 )

        Because a flaw in a car required a full recall on the auto maker's dime, they made damned sure they got it right the first time. Now that they can just pester the end user with the updates they're approaching the old "OMG It compiled, SHIP IT!!!!!"

      • by mcgrew ( 92797 ) *

        A flaw in a car required a full recall to repair it.

        It still does -- most automotive flaws are hardware, not software.

        TVs could only watch content dictated by the cable company.

        That is, after cable came into being (everyone used to use antennas) and before the VCR was introduced. I have an analog TV I use as a monitor, plugged into the PC with an S-Video cable.

        There's no more sane reason to put a computer inside a TV than there is to put a VCR or DVD built into one. Computers have moving parts, things with

        • by Ksevio ( 865461 )
          I've seen plenty of TVs with VCR/DVDs in them. There's no reason a computer need moving parts - typically just optical drives and fans need to move. Solid state disks and the Internet replace drives, and low power CPUs mean that fans aren't needed either.
    • Sloppy coding and sloppier testing. Welcome to the new world of consumer products.

      I bought a Philips HDTV a few years back. I noticed after a few months that the tv would just turn itself back on 10 minutes to a few hours after I turned it off. At first it was kinda freaky to have it flip on in the middle of the night like that! However, quickly realized that others were having the same problems. Contacted Philips and the first thing they did was send out a thumbdrive with the new firmware that "should

      • by 21mhz ( 443080 )

        This. Both my Samsung TV and the IPTV set-top box sent by my ADSL provider seem to have been coded by the cheapest monkeys taken off the street, and the development took just enough time to pass a very minimal set of tests. All internal errors are swept under the rug by some very deeply rooted fault handlers, with the result that the menu interface simply freezes for a time whenever it hits an error. Switching the menu language to a less usual choice for the target market leads to a litany of such freezes a

    • by Guppy06 ( 410832 )

      Where we had dumped cathode ray tubes for flat, liquid crystal displays

      Which only work well with one particular resolution and don't handle interlaced legacy content well at all and...

      wait, what?

    • I just want to go back to the days of the cell phones where you'd press the power button ... and it would turn on.

      Not give you a 'booting up' screen or 'loading java' image/video for 3-5 minutes.

      Now, if we still had the 100+ hr standby times, I might not have to turn my cell phone off so often, but it's still pretty crappy when you turn your phone back on after the plane lands, and you're already in baggage claim before you can finally check your voicemail.

      • by xonen ( 774419 )

        after the plane lands, and you're already in baggage claim before you can finally check your voicemail.

        That was a good laugh for me.. It's only 10 years ago that you'd had to find a phonecell to call. If you had small change. Which was in europe even more fun - exchange notes, get small change, and only then call. Makes me smile that you find a phone in your pocket taking 3 minutes to get you connected to 3G (and only because you installed too many apps on it) is a serious concern...

    • by Howitzer86 ( 964585 ) on Tuesday April 24, 2012 @01:10PM (#39784975)
      If you're broke like me, you're still living in the golden age.
  • So now that TVs restart, I'm guessing malware isn't far behind?

    After all, if you expect to turn every household device into a typical computer, you're also gonna drag the bad things computers have.

    Can we 'regedit' tvs so we can use our own splash logos?

    • Re:TVs =/= PCs (Score:5, Insightful)

      by arth1 ( 260657 ) on Tuesday April 24, 2012 @12:28PM (#39784285) Homepage Journal

      So now that TVs restart, I'm guessing malware isn't far behind?

      It's already there. Most TVs these days are infected with the HDCP malware.

    • Can we 'regedit' tvs so we can use our own splash logos?

      Oh, man, combine that with goatse and malware ... imagine the hilarity of your grandmother or someone getting that every time they turn on their TV, or if it *only* shows that. *shudders*

      Unfortunately, connecting everything to the internet seems like this is kind of a logical hack to occur. Especially if companies are going to be half assed about validating inputs and the like.

    • by mcgrew ( 92797 ) *

      Can we 'regedit' tvs so we can use our own splash logos?

      God NO! That damned registry is one of the things I hate most about Windows. How about text-based configuration files so we can actually read the damned things, like sane OSes have? Or better yet, don't put computers in TVs? A TV should be nothing more than a tuner and monitor, with inputs for other devices -- like DVDs, BluRays, Computers...

      Man, I pity people who have only experienced Windows. You don't know what you're missing.

  • TV's will eventually have cameras in the front, could be a good method of surveillance.
  • by enriquevagu ( 1026480 ) on Tuesday April 24, 2012 @12:14PM (#39784055)

    The vulnerability is originally disclosed here [aluigi.org], not in the posted link.

    This vulnerability only works from the same broadcast domain where the TV is, since the remote control protocol relies on broadcast messages to announce the service. This means that your TV cannot be cracked from the Internet. Let's hope that Samsung apply a fix soon, in any case.

    • by sjames ( 1099 )

      So that means you have to infect their PC first and use it to route the hack to their TV.

      Or jump on their WiFi.

  • by dgatwood ( 11270 ) on Tuesday April 24, 2012 @12:15PM (#39784069) Homepage Journal

    I own two Samsung Blu-Ray players. I'm not surprised by this in the slightest. You can usually judge the security of an app by how reliably it does its intended function, and their Blu-Ray players are anything but reliable. (Their older TVs work well, but I've never used one of their newer, networked TVs, which I'm assuming are as buggy as their Blu-Ray players.)

    For example:

    • After a firmware update, one player now stalls for half a second at every DVD layer skip.
    • The last two Harry Potter movies have audio glitches throughout (on both players, but not on an LG player).
    • After a firmware update, the other player how has sporadic problems switching between different types of media, sometimes requiring a power cycle to get it back into operational status.

    And so on. In short, Samsung's software quality control appears to be utterly awful. So hearing that they have security holes is almost as surprising as hearing that Flash has security holes....

    • by 21mhz ( 443080 )
      Somewhat illustratively, one of their best cash cow platforms, Android, is the least tainted by them (still, the drivers... anyone seen the source?). I feel pity for the poor Tizen.
  • by kiehlster ( 844523 ) on Tuesday April 24, 2012 @12:15PM (#39784079) Homepage
    This does eliminate the age old IT question, "Did you try turning it off and on again?"
  • by Anaerin ( 905998 ) on Tuesday April 24, 2012 @12:19PM (#39784157)
    Why is this such big news? Did you know you can replace the entire firmware inside your TV too? There's already a group working on getting something usable onto Samsung TVs like these: http://www.samygo.tv/ [samygo.tv]
  • Comment removed based on user account deletion
  • Just shouldn't be connected to the internet. There is really no good cause to connect your TV or Blu-ray to the internet. Instead, use a purpose built device like an AppleTV. I'll admit, the remote exploit is funny
  • by DickBreath ( 207180 ) on Tuesday April 24, 2012 @12:59PM (#39784813) Homepage
    Either the computer part should be a replaceable module, or it should be a separate box. (eg, a Google TV box, or an Apple TV box -- not built into the set).

    Consider:
    • The TV will last you probably ten years
    • The computer will be hacked within one year
    • The computer will be obsolete within two years
    • The servers it phones home to will be gone within four years (eg, Zune, Plays For Sure, etc)

    Similarly, a computer monitor should not have a built in computer (or vice versa), unless the computer is a replaceable module. The TV or Monitor still have a lot of lifetime (and economic value) long after the computer is hopelessly obsolete. (Yes, I'm looking at you, iMac integrated computer and monitor. But then Apple products seem to be for people with more money then sense.)


    - - - - - - -
    All that is necessary for Apple to triumph is for Google men to do nothing.

    • They want to be able to advertise "with builtin netflix support!". Combine that with the fact that most people can't hook up their own cable box, and you have answered your own question.

      • by MobyDisk ( 75490 )

        Pretty soon built-in netflix support will be annoying as hell because I'll have 15 ways to watch Netflix on my monitor: built-in monitor, XBOX, PS3, PC, and phone (docked with the TV of course), So when grandma comes over to watch Netflix there will be 15 ways to get to it, all with slightly different UIs, and a different controller for each one.

    • Similarly, a computer monitor should not have a built in computer (or vice versa), unless the computer is a replaceable module. The TV or Monitor still have a lot of lifetime (and economic value) long after the computer is hopelessly obsolete. (Yes, I'm looking at you, iMac integrated computer and monitor. But then Apple products seem to be for people with more money then sense.)

      I'm sorry, instead of "iMac" I think you meant to say "laptop computer", which vastly outsell traditional desktop computers these days.

  • This trick will be great for watching Groundhog Day!

  • Samsung Means To Come [yhchang.com]
    (Sound Recommended)

    -

  • If you wait a few months, you'll probably have a capacitor die in the power supply and it'll stop rebooting.

  • This is why you should always RTFA:

    Then after another five seconds, he claims, the TV automaticall restarts. Then the process repeats itself forever, even after unplugging the TV. Eventually, Auriemma managed to reset the TV in service mode.

    Boot loops even when disconnected from power?

    Either Samsung has secretly perfected OTA power transmission, or this is a load of crap. Then again, the writer refers to a punk kid dicking with his brother's TV as an "Italian security researcher," so I guess I shouldn't be all that surprised.

    • They probably meant after you unplug it and plug it back in.
      • They probably meant after you unplug it and plug it back in.

        Probably, but I'm not the idiot "journalist" who wrote it, so I have to infer what I can from what's written.

        Seriously, this was one of the most poorly written pieces I've seen in some time.

        And I read Yahoo News with a fair amount of regularity, so that's really saying something.


        At least he spelled most of the words right...

  • For those who didn't RTFA, each IP based remote has a name string included in the message. If that name contains a linefeed or other invalid character, the TV will go into the endless loop.

    It can be recovered by going into "service mode", but apparently Samsung doesn't consider that to be an end-user procedure sinmce incorrect settings enetred there will brick the TV.

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson

Working...