Samsung TVs Can Be Hacked Into Endless Restart Loop
Gunkerty Jeb writes "Italian security researcher Luigi Auriemma was trying to play a trick on his brother when he accidentally discovered two vulnerabilities in all current versions of Samsung TVs and Blu-Ray systems that could allow an attacker to gain remote access to those devices. Auriemma claims that the vulnerabilities will affect all Samsung devices with support for remote controllers, and that the vulnerable protocol is on both TVs and Blu-Ray enabled devices. One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow."
TV (Score:4, Interesting)
My parents recently got a 52" Internet connected Samsung TV. Any way I could use this to replace the crap Samsung apps with something better?
Re: (Score:3, Informative)
You can look at any website, not sure what you are talking about.
Re: (Score:2)
Yeah, same here. The only restriction on my Samsung set is it will not authenticate. Neither through the normal browser procedure or by entering login credentials in the URL.
Re: (Score:2)
My parents' TV doesn't have any general web browser that I've been able to find on it. All you can download are various apps (some of which give you the functionality of sites like YouTube and Google Maps).
Re:TV (Score:5, Funny)
My parents recently got a 52" Internet connected Samsung TV. Any way I could use this to replace the crap Samsung apps with something better?
Sure. Just give me the IP address...
Re:TV (Score:5, Funny)
My parents recently got a 52" Internet connected Samsung TV. Any way I could use this to replace the crap Samsung apps with something better?
Sure. Just give me the IP address...
It's 127.0.0.1 - hack away!
Re:TV (Score:5, Funny)
hey, you already created my username and set up my personal password?!! how did you know then!?
I will teach you a lesson, i'm doing pipe the /dev/zero to your HD right now!!
Re:TV (Score:4, Funny)
I will teach you a lesson, i'm doing pipe the /dev/zero to your HD right now!!
Probably more interesting than most Prime Time shows.
Re: (Score:2)
Thanks! Seems like a good resource for porn and warez, although it looks like I have most of it already.
(Anyone else remember when warez.slashdot.org resolved to 127.0.0.1?)
Re: (Score:2)
err, mine is... 0:0:0:0:0:0:0:1
I have the first IPv6 address! Bought it for lots of money.
Re: (Score:3)
Just look at the bright side...enhanced refresh rates and De-gauss!!
Re: (Score:2)
192.168.1.101
Re: (Score:2)
From TFA:
To exploit Auriemma’s vulnerabilities requires only that the devices are connected to a wi-fi network.
Solution, hard wire and use a firewall. Update the firmware when Samsung fixes it.
Re: (Score:2)
Solution: Ask every household who bought our TV for their fancy living room setup to run a 50 foot ethernet cable along the floor and up the wall to the television, then configure something on their router they've never heard of.
Re: (Score:3)
Solution: Go out of your way to buy a dumb tv and then hook up a PC to it to do whateverthefuckyouwant.
Then still get fucked in the ass because "Smart" is the new 3D. Nobody wants it. It will be rammed down your throat regardless.
Re: (Score:2)
Give it two weeks and you'll have a plethora of hacks that can make your Samsung... well, yours.
no. (Score:2)
the "internet enabled TV" is another case of "feature phone syndrome." there are no "features" because it's all a walled garden of the Telco's choosing, and everything is another ten bucks a month, forever.
my year-old Samsung LCD is slaved to Yahoo TV streaming. hooo-kay, and if it would have said "Won Hyuk Yuk Yuk" it would make no difference. generic Brand X, forget it.
I haven't plugged into the router because if there are no updates per the web site, and no streaming services to be using, the only thi
Yes, I have a great DOS on it. (Score:2)
I throw it from the top of a building.
"leads to a loop of endless restarts" (Score:2)
So the hack just tunes the TV to Dave [wikipedia.org], then? :)
Re: (Score:3)
Groundhog Day marathon.
Anybody pine for that golden age (Score:5, Insightful)
Where we had dumped carburetors for computer-controlled engines, but they didn't need to get updates, and those updates weren't wirelessly and remotely pushed?
Where we had dumped cathode ray tubes for flat, liquid crystal displays, but hadn't put the tubes back into TV by stuffing the Internet (and viruses) into them?
Where we had dumped both rotary and touch tone land line phones for cellular phones that could do most anything you'd want them to, and you carry it wherever you went, but you didn't have to have an antivirus running on the phone and didn't have to worry about your contact details being sent to Nigeria?
Re: (Score:2)
The larger programs become, the more likely unexpected states (bugs) will sneak in, and then later be exploited.
Life would be vastly improved if programmers wrote code as small and easy-to-understand as Kolibri OS (fits on a floppy). Or even smaller - the early Mac and AmigaOS fit inside ~64 kilobytes. It is easy to find and locate bad states in such small programs.
Re: (Score:3)
No, all those things are crap compared to the wealth of features and connectivity we have now.
A flaw in a car required a full recall to repair it.
TVs could only watch content dictated by the cable company.
Smart phones can do a crap load of handy things.
Re: (Score:2)
Maybe this is false remembrance, but it seems things worked better then.
A car update might have required a recall, but such problems were infrequent. Going forward, it seems they are going to be very frequent.
Reason being, the thinking will be "it's just software". Hardware gets tested till it works. Software gets tested (if at all) till it's time to ship.
Since "it's only software," it can always be updated. So there's no real discipline to get it right the first time.
Re: (Score:2)
Car updates require work on the dealer side paid for by the manufacturer, so they have a vested interest in k
Re: (Score:3)
Because a flaw in a car required a full recall on the auto maker's dime, they made damned sure they got it right the first time. Now that they can just pester the end user with the updates they're approaching the old "OMG It compiled, SHIP IT!!!!!"
Re: (Score:2)
A flaw in a car required a full recall to repair it.
It still does -- most automotive flaws are hardware, not software.
TVs could only watch content dictated by the cable company.
That is, after cable came into being (everyone used to use antennas) and before the VCR was introduced. I have an analog TV I use as a monitor, plugged into the PC with an S-Video cable.
There's no more sane reason to put a computer inside a TV than there is to put a VCR or DVD built into one. Computers have moving parts, things with
Re: (Score:2)
Sloppy coding and sloppier testing. Welcome to the new world of consumer products.
I bought a Philips HDTV a few years back. I noticed after a few months that the tv would just turn itself back on 10 minutes to a few hours after I turned it off. At first it was kinda freaky to have it flip on in the middle of the night like that! However, quickly realized that others were having the same problems. Contacted Philips and the first thing they did was send out a thumbdrive with the new firmware that "should
Re: (Score:2)
This. Both my Samsung TV and the IPTV set-top box sent by my ADSL provider seem to have been coded by the cheapest monkeys taken off the street, and the development took just enough time to pass a very minimal set of tests. All internal errors are swept under the rug by some very deeply rooted fault handlers, with the result that the menu interface simply freezes for a time whenever it hits an error. Switching the menu language to a less usual choice for the target market leads to a litany of such freezes a
Re: (Score:2)
Where we had dumped cathode ray tubes for flat, liquid crystal displays
Which only work well with one particular resolution and don't handle interlaced legacy content well at all and...
wait, what?
Re: (Score:2)
I just want to go back to the days of the cell phones where you'd press the power button ... and it would turn on.
Not give you a 'booting up' screen or 'loading java' image/video for 3-5 minutes.
Now, if we still had the 100+ hr standby times, I might not have to turn my cell phone off so often, but it's still pretty crappy when you turn your phone back on after the plane lands, and you're already in baggage claim before you can finally check your voicemail.
Re: (Score:2)
after the plane lands, and you're already in baggage claim before you can finally check your voicemail.
That was a good laugh for me.. It's only 10 years ago that you'd had to find a phonecell to call. If you had small change. Which was in Europe even more fun - exchange notes, get small change, and only then call. Makes me smile that you find a phone in your pocket taking 3 minutes to get you connected to 3G (and only because you installed too many apps on it) is a serious concern...
Re: (Score:2)
Are you sure it's actually "booting" or was it just in deep sleep and you got snookered by what was displayed on screen?
Kind of like "instant on" TVs.
Re: (Score:2)
They're not in the 40-60 inches range, but most decent computer monitors now have at least one HDMI input.
Re: (Score:2)
The parent was asking for a "monitor" instead of a TV and said he never used TV features such as tuners and speakers.
I was pointing out that there are monitors with HDMI inputs, which means they can be used by non-computer devices.
Re: (Score:2)
What's crazy strange is how computer makers assume all that people do all day is watch movies (widescreen at that!) all day.
Look at any laptop advertisement. They play up the movie-related features (black blacks! full HD!) On the one hand TV's are too small and yesterday for people to watch movies on, and on the other, people are going to watch on 14-15in screens?
And "full HD". Come on, you got 1080 by dropping 120 pixels off of 1200. It's not like they increased the size. It's annoying how they say "make u
Re: (Score:2)
For the n00b user, BluRay playback is perhaps the final frontier of doing something with your PC that actually requires a decent CPU or video card.
supply and demand (Score:2)
Supply and demand means that TVs will be cheaper than monitors even if you don't use the extra stuff. If you want higher resolution, then you can look at big computer monitors but they're going to be more expensive than a TV of the same size.
I'd love to get a Dell U3011:
30" monitor, IPS, 2560 x 1600
2 HDMI, 2 DVI-D, 1 DisplayPort, 1 VGA, builtin 4-port USB hub and card reader.
Roughly $1000.
TVs =/= PCs (Score:2)
So now that TVs restart, I'm guessing malware isn't far behind?
After all, if you expect to turn every household device into a typical computer, you're also gonna drag the bad things computers have.
Can we 'regedit' tvs so we can use our own splash logos?
Re:TVs =/= PCs (Score:5, Insightful)
So now that TVs restart, I'm guessing malware isn't far behind?
It's already there. Most TVs these days are infected with the HDCP malware.
Re: (Score:2)
Oh, man, combine that with goatse and malware ... imagine the hilarity of your grandmother or someone getting that every time they turn on their TV, or if it *only* shows that. *shudders*
Unfortunately, connecting everything to the internet seems like this is kind of a logical hack to occur. Especially if companies are going to be half assed about validating inputs and the like.
Re: (Score:2)
Funnier would be if the tv had a ghost image of some shock site. "Dude, I don't see it. You must be nuts. (Or twisted...)"
Re: (Score:2)
Can we 'regedit' tvs so we can use our own splash logos?
God NO! That damned registry is one of the things I hate most about Windows. How about text-based configuration files so we can actually read the damned things, like sane OSes have? Or better yet, don't put computers in TVs? A TV should be nothing more than a tuner and monitor, with inputs for other devices -- like DVDs, BluRays, Computers...
Man, I pity people who have only experienced Windows. You don't know what you're missing.
Re: (Score:2)
ISTR a slashdot article talking about this. Samsung are the bright fuckers pushing it.
Original article and scope (Score:5, Informative)
The vulnerability is originally disclosed here [aluigi.org], not in the posted link.
This vulnerability only works from the same broadcast domain where the TV is, since the remote control protocol relies on broadcast messages to announce the service. This means that your TV cannot be cracked from the Internet. Let's hope that Samsung apply a fix soon, in any case.
Re: (Score:3)
So that means you have to infect their PC first and use it to route the hack to their TV.
Or jump on their WiFi.
Re: (Score:2)
But just one more item on a checklist of fun to look for if you already exploited the PC.
Sadly, not a surprise (Score:3)
I own two Samsung Blu-Ray players. I'm not surprised by this in the slightest. You can usually judge the security of an app by how reliably it does its intended function, and their Blu-Ray players are anything but reliable. (Their older TVs work well, but I've never used one of their newer, networked TVs, which I'm assuming are as buggy as their Blu-Ray players.)
For example:
And so on. In short, Samsung's software quality control appears to be utterly awful. So hearing that they have security holes is almost as surprising as hearing that Flash has security holes....
Why should a TV have a built in computer? (Score:3)
Consider:
Similarly, a computer monitor should not have a built in computer (or vice versa), unless the computer is a replaceable module. The TV or Monitor still have a lot of lifetime (and economic value) long after the computer is hopelessly obsolete. (Yes, I'm looking at you, iMac integrated computer and monitor. But then Apple products seem to be for people with more money than sense.)
- - - - - - -
All that is necessary for Apple to triumph is for Google men to do nothing.
for non-techie people (Score:2)
They want to be able to advertise "with builtin netflix support!". Combine that with the fact that most people can't hook up their own cable box, and you have answered your own question.
Re: (Score:2)
Pretty soon built-in netflix support will be annoying as hell because I'll have 15 ways to watch Netflix on my monitor: built-in monitor, XBOX, PS3, PC, and phone (docked with the TV of course), So when grandma comes over to watch Netflix there will be 15 ways to get to it, all with slightly different UIs, and a different controller for each one.
Re: (Score:2)
Similarly, a computer monitor should not have a built in computer (or vice versa), unless the computer is a replaceable module. The TV or Monitor still have a lot of lifetime (and economic value) long after the computer is hopelessly obsolete. (Yes, I'm looking at you, iMac integrated computer and monitor. But then Apple products seem to be for people with more money than sense.)
I'm sorry, instead of "iMac" I think you meant to say "laptop computer", which vastly outsell traditional desktop computers these days.
Groundhog Day (Score:2)
This trick will be great for watching Groundhog Day!
Samsung (Score:2)
Samsung Means To Come [yhchang.com]
(Sound Recommended)
-
Well, at least there's an easy fix ... (Score:2)
If you wait a few months, you'll probably have a capacitor die in the power supply and it'll stop rebooting.
Dubious at best (Score:2)
Then after another five seconds, he claims, the TV automatically restarts. Then the process repeats itself forever, even after unplugging the TV. Eventually, Auriemma managed to reset the TV in service mode.
Boot loops even when disconnected from power?
Either Samsung has secretly perfected OTA power transmission, or this is a load of crap. Then again, the writer refers to a punk kid dicking with his brother's TV as an "Italian security researcher," so I guess I shouldn't be all that surprised.
Re: (Score:2)
They probably meant after you unplug it and plug it back in.
Probably, but I'm not the idiot "journalist" who wrote it, so I have to infer what I can from what's written.
Seriously, this was one of the most poorly written pieces I've seen in some time.
And I read Yahoo News with a fair amount of regularity, so that's really saying something.
At least he spelled most of the words right...
Re: (Score:2)
Eventually you'll learn not to RTFA.
Ah.
Mea Culpa.
A serious bug (Score:2)
For those who didn't RTFA, each IP based remote has a name string included in the message. If that name contains a linefeed or other invalid character, the TV will go into the endless loop.
It can be recovered by going into "service mode", but apparently Samsung doesn't consider that to be an end-user procedure since incorrect settings entered there will brick the TV.
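The comment above describes the failure as a name string in the remote's message containing a linefeed or other invalid character. As an added example (not Samsung's code, the researcher's, or the commenter's), here is a receiver-side check in C that bounds and allow-lists such a field before anything uses it; the length-prefixed layout, the 32-byte limit and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NAME_MAX_LEN 32 /* assumed display limit, not a value from the page */

enum name_status {
    NAME_OK = 0,
    NAME_BAD_ARGS,   /* caller passed a NULL or zero-sized buffer */
    NAME_TRUNCATED,  /* declared length runs past the received bytes */
    NAME_EMPTY,
    NAME_TOO_LONG,
    NAME_BAD_CHAR    /* linefeed, other control byte, or non-ASCII */
};

/*
 * Hypothetical field layout: uint16 little-endian length, then the name bytes.
 * The field is fully validated before a single byte is copied, so a rejected
 * message leaves `out` as an empty string.
 */
enum name_status parse_remote_name(const uint8_t *buf, size_t buf_len,
                                   char *out, size_t out_cap)
{
    if (buf == NULL || out == NULL || out_cap == 0)
        return NAME_BAD_ARGS;
    out[0] = '\0';
    if (buf_len < 2)
        return NAME_TRUNCATED;

    size_t declared = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (declared > buf_len - 2)        /* never trust the sender's length */
        return NAME_TRUNCATED;
    if (declared == 0)
        return NAME_EMPTY;
    if (declared > NAME_MAX_LEN || declared >= out_cap)
        return NAME_TOO_LONG;          /* leaves room for the terminator */

    /* Allow-list printable ASCII only (assumption: names need no UTF-8). */
    for (size_t i = 0; i < declared; i++) {
        uint8_t c = buf[2 + i];
        if (c < 0x20 || c > 0x7e)
            return NAME_BAD_CHAR;
    }
    for (size_t i = 0; i < declared; i++)
        out[i] = (char)buf[2 + i];
    out[declared] = '\0';
    return NAME_OK;
}

/* Convenience wrapper for the constructed samples below. */
enum name_status check_sample(const char *raw, size_t raw_len)
{
    char name[NAME_MAX_LEN + 1];
    return parse_remote_name((const uint8_t *)raw, raw_len, name, sizeof name);
}

int main(void)
{
    /* Constructed inputs, not captured traffic. */
    printf("plain name      -> %d\n", check_sample("\x06\x00" "Remote", 8));
    printf("embedded \\n     -> %d\n", check_sample("\x03\x00" "a\nb", 5));
    printf("length too big  -> %d\n", check_sample("\x10\x00" "short", 7));
    printf("empty name      -> %d\n", check_sample("\x00\x00", 2));
    return 0;
}
```

Rejecting the message outright, rather than stripping the bad byte and continuing, keeps a malformed name from ever reaching whatever stores or displays it.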
Re:Great trick (Score:5, Funny)
Hey! Deja Vu,
I think I've seen this movie before...
Hey! Deja Vu,
I think I've seen this movie before...
Hey! Deja Vu,
I think I've seen this movie before...
Hey!
Re: (Score:3, Funny)
This [imdb.com] or this [imdb.com] or this [imdb.com] or this [imdb.com] or this? [imdb.com]
Gary Larson (Score:2)
This has Gary Larson written all over it.
Re:Great trick (Score:5, Informative)
(or ____ forbid their debit card)
And?
Unless you have a very terrible bank and/or don't bother checking your account ever, this isn't exactly a big deal. I just went through this a few weeks ago, when yonder random payment processor got owned hardcore.
Checked my account - like I do regularly, and found a weird charge. Called up my bank, said, "What is this I don't even?" Bam. Charge killed, money returned, new card in the mail, before I could even say, "Wow, you guys aren't nearly as evil as the Internet led me to believe."
Of course, I suppose the fact that I actually bother checking my account activity regularly makes me some sort of Fiscal Wizard compared to your average person. :p
Re: (Score:3)
To be fair, any large organization is going to make clerical errors, and it's better that they err on that side, since it happens a lot less frequently.
Re: (Score:2)
You know you pay for that, right? The service charges your bank and/or credit card processor charge the vendors take into account their work to prevent fraud. I believe they pass all fraudulent charges back to the merchant who rang them, so in this case wherever the thieves used your card will lose the funds. All of that is passed back to the consumer in the form of higher prices.
So no, it's not a tragedy if a card is occasionally misplaced and misused, but it's still a leech on the system - EVERYONE's s
Re: (Score:3)
Unless you have a very terrible bank and/or don't bother checking your account ever, this isn't exactly a big deal. I just went through this a few weeks ago, when yonder random payment processor got owned hardcore.
Problem is they don't have to. The behavior will vary bank to bank, and running into such issue is how you learn. A bank might also say "sorry, the money is gone - transfer credentials were legitimate". And there will be nothing you can do.
Credit cards, on the other hand, provide chargeback as one of the services (often by screwing the vendor always assuming their fault, but that's another story and doesn't typically concern the buyer).
Re: (Score:2)
Of course, I suppose the fact that I actually bother checking my account activity regularly makes me some sort of Fiscal Wizard compared to your average person. :p
Not bad. Now proceed to that hole in the ground for proctology class.
Re: (Score:2)
Any issues I've had from debit card or credit card fraud from my bank, has had the money fixed/cleared in under 24 hours.
Some people have faster / more responsive banks. That doesn't make them clueless. You however...
Re: (Score:2)
The last banking error I had to deal with took less than 48 hours to fix.
But Canadian banks aren't allowed to delay the repair process so they can keep lending out YOUR money while they "fix" the problem as they do in the US.
The last US based bank problem I had took a month to fix; it was the same problem I had here in Canada -- an incomplete/invalid transaction that "withdrew" money from my account but didn't properly "deposit" it with the retail store, leaving insufficient funds to retry the transact
Re: (Score:2)
Can name one Netflix device that takes CC number? I never seen that. They all either take your Netflix username/password pair or like the Wii give you number you then enter on the website with your PC.
Not that Joe Sixpack's un-patched, allow all outbound firewall or not firewalled, Windows PC logged on as 'Administrator' is much safer to type a CC number on but still.
Re: (Score:2)
Hey, speaking of which, anybody know how to boot to a vterm in Ubuntu?
Used to be you could do that in Redhat by going to a different runlevel. Not sure the recommended way for that in Ubuntu and friends.
(Also, anybody remember running "win" to start Windows from DOS and getting looks from the old-timers in the office when you started that new-fangled graphical thing?)
Re: (Score:3)
What? Relevance to this story?
Init level 6 [wikipedia.org] is "Reboot", so the system was configured to boot up ... and then reboot ... and reboot ... and reboot... This is relevant to the story because the story is also about an "endless restart loop"!
Re:Init Level 6 (Score:5, Informative)
Runlevel 5 is the typical X level. You switch to runlevel 6 to reboot the system. [wikipedia.org]
So you set inittab to default to level 6 when you want to incur general rage and butthurt with a restart loop. :D
Re: (Score:2)
Because he set the config file to INIT 6, and the system was stuck in permanent reboot.
Re: (Score:2)
http://www.tvbgone.com/ [tvbgone.com]