Samsung TVs Can Be Hacked Into Endless Restart Loop

← Back to Stories (view on slashdot.org)

Samsung TVs Can Be Hacked Into Endless Restart Loop

Posted by timothy on Tuesday April 24, 2012 @04:57AM from the you-were-warned dept.

Gunkerty Jeb writes "Italian security researcher Luigi Auriemma was trying to play a trick on his brother when he accidentally discovered two vulnerabilities in all current versions of Samsung TVs and Blu-Ray systems that could allow an attacker to gain remote access to those devices. Auriemma claims that the vulnerabilities will affect all Samsung devices with support for remote controllers, and that the vulnerable protocol is on both TVs and Blu-Ray enabled devices. One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow."

41 of 187 comments (clear)

Min score:

Reason:

Sort:

TV by SJHillman · 2012-04-24 05:03 · Score: 3, Interesting

My parents recently got a 52" Internet connected Samsung TV. Any way I could use this to replace the crap Samsung apps with something better?
1. Re:TV by Cenan · 2012-04-24 05:06 · Score: 3, Interesting
  
  If the second bug he found really is a buffer overflow vulnerability, there could be no end to the funny shit you could do to your TV.
  
  --
  ... whatever ...
2. Re:TV by AmberBlackCat · 2012-04-24 05:11 · Score: 3, Interesting
  
  I'm thinking "biggest Android tablet ever". With a Kinect instead of a touchscreen. Or at least a real web browser instead of only being able to look at sites of their "partners".
3. Re:TV by Anaerin · 2012-04-24 05:13 · Score: 4, Informative
  
  Not yet, but as the TVs run Linux underneath (and have published their sourcecode, as they required to by the GPL) they're working on it: http://www.samygo.tv/
4. Re:TV by drinkypoo · 2012-04-24 05:14 · Score: 4, Funny
  
  My parents recently got a 52" Internet connected Samsung TV. Any way I could use this to replace the crap Samsung apps with something better?
  Sure. Just give me the IP address...
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
5. Re:TV by JoeCommodore · 2012-04-24 05:26 · Score: 5, Funny
  
  My parents recently got a 52" Internet connected Samsung TV. Any way I could use this to replace the crap Samsung apps with something better?
  Sure. Just give me the IP address...
  It's 127.0.0.1 - hack away!
  
  --
  "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
6. Re:TV by bastafidli · 2012-04-24 05:26 · Score: 3, Informative
  
  You can look at any website, not sure what you are talking about.
7. Re:TV by higuita · 2012-04-24 05:35 · Score: 4, Funny
  
  hey, you already created my username and setup my personal password?! ! how did you know then!?
  I will teach you a lesson, i'm doing pipe the /dev/zero to your HD right now!!
  
  --
  Higuita
8. Re:TV by blue_teeth · 2012-04-24 05:51 · Score: 2
  
  "endless restarts"..... Just look at the bright side...enhanced refresh rates and De-gauss!!
9. Re:TV by jaymemaurice · 2012-04-24 06:46 · Score: 2
  
  err, mine is... 0:0:0:0:0:0:0:1
  I have the first IPv6 address! Bought it for lots of money.
  
  --
  120 characters ought to be enough for anyone
10. Re:TV by zizzybaloobah · 2012-04-24 06:50 · Score: 2
  
  Get them a Google TV box (it runs Android Honeycomb). You get the Chrome browser, apps, games, etc, along with a real keyboard (but the keyboard only includes a tiny touch screen area, I'm disappointed to say).
11. Re:TV by fahrbot-bot · 2012-04-24 06:51 · Score: 3, Funny
  
  I will teach you a lesson, i'm doing pipe the /dev/zero to your HD right now!!
  Probably more interesting than most Prime Time shows.
  
  --
  It must have been something you assimilated. . . .
12. Re:TV by sexconker · 2012-04-24 07:44 · Score: 2
  
  Solution: Go out of your way to buy a dumb tv and then hook up a PC to it to do whateverthefuckyouwant.
  Then still get fucked in the ass because "Smart" is the new 3D. Nobody wants it. It will be rammed down your throat regardless.
On The Up Side ... by WrongSizeGlass · 2012-04-24 05:04 · Score: 4, Funny

On the up side you can't be inundated with endless commercials if your TV is in an endless restart loop ;-)
Re:Great trick by xclr8r · 2012-04-24 05:05 · Score: 5, Informative

The buffer overflow is worrisome . A lot of the newer BluRay Players have additional features like netflix over wifi/homenetwork. The basic consumer may put in their credit card (or ____ forbid their debit card) info to start their netflix account.

--
Beware of those who profit off the docile and persecute the unbelievers.
Anybody pine for that golden age by Compaqt · 2012-04-24 05:08 · Score: 5, Insightful

Where we had dumped carburetors for computer-controlled engines, but they didn't need to get updates, and those updates weren't wirelessly and remotely pushed?
Where we had dumped cathode ray tubes for flat, liquid crystal displays, but hadn't put the tubes back into TV by stuffing the Internet (and viruses) into them?
Where we had dumped both rotary and touch tone land line phones for cellular phones that could do most anything you'd want them to, and you carry it whereever you went, but you didn't have to have an antivirus running on the phone and didn't have to worry about your contact details being sent to Nigeria?

--
I'm not a lawyer, but I play one on the Internet. Blog
1. Re:Anybody pine for that golden age by Ksevio · 2012-04-24 05:17 · Score: 2
  
  No, all those things are crap compared to the wealth of features and connectivity we have now.
  A flaw in a car required a full recall to repair it.
  TVs could only watch content dictated by the cable company.
  Smart phones can do a crap load of handy things.
2. Re:Anybody pine for that golden age by autocannon · 2012-04-24 05:24 · Score: 2
  
  Sloppy coding and sloppier testing. Welcome to the new world of consumer products.
  I bought a Philips HDTV a few years back. I noticed after a few months that the tv would just turn itself back on 10 minutes to a few hours after I turned it off. At first it was kinda freaky to have it flip on in the middle of the night like that! However, quickly realized that others were having the same problems. Contacted Philips and the first thing they did was send out a thumbdrive with the new firmware that "should" fix it. Wouldn't do a thing until I had done that. Of course it didn't solve the problem because it was a faulty motherboard for that series. They did send a tech out to replace it in warranty and the tv still works fine today (5 years now).
  The ease of these updates helps to drive the push to fast, sloppy coding with minimal testing. I just don't see anything on the horizon changing that perspective. If anything, I could see tvs and other internet connected things becoming more google-ish where they just boot up from the interwebz all the time...which is even scarier.
3. Re:Anybody pine for that golden age by Howitzer86 · 2012-04-24 06:10 · Score: 4, Funny
  
  If you're broke like me, you're still living in the golden age.
4. Re:Anybody pine for that golden age by sjames · 2012-04-24 06:10 · Score: 2
  
  Because a flaw in a car required a full recall on the auto maker's dime, they made damned sure they got it right the first time. Now that they can just pester the end user with the updates they're approaching the old "OMG It compiled, SHIP IT!!!!!"
TVs =/= PCs by Dreth · 2012-04-24 05:09 · Score: 2

So now that TVs restart, I'm guessing malware isn't far behind?
After all, if you expect to turn every household device into a typical computer, you're also gonna drag the bad things computers have.
Can we 'regedit' tvs so we can use our own splash logos?

--
All glory to Arstotzka!
1. Re:TVs =/= PCs by arth1 · 2012-04-24 05:28 · Score: 4, Insightful
  
  So now that TVs restart, I'm guessing malware isn't far behind?
  It's already there. Most TVs these days are infected with the HDCP malware.
Looking ahead.. by Severus+Snape · 2012-04-24 05:12 · Score: 2

TV's will eventually have cameras in the front, could be a good method of surveillance.
Original article and scope by enriquevagu · 2012-04-24 05:14 · Score: 5, Informative

The vulnerability is originally disclosed here, not in the posted link.
This vulnerability only works from the same broadcast domain where the TV is, since the remote control protocol relies on broadcast messages to announce the service. This means that your TV cannot be cracked from the Internet. Let's hope that Samsung apply a fix soon, in any case.
1. Re:Original article and scope by sjames · 2012-04-24 06:15 · Score: 2
  
  So that means you have to infect their PC first and use it to route the hack to their TV.
  Or jump on their WiFi.
Sadly, not a surprise by dgatwood · 2012-04-24 05:15 · Score: 2
I own two Samsung Blu-Ray players. I'm not surprised by this in the slightest. You can usually judge the security of an app by how reliably it does its intended function, and their Blu-Ray players are anything but reliable. (Their older TVs work well, but I've never used one of their newer, networked TVs, which I'm assuming are as buggy as their Blu-Ray players.)
For example:
- After a firmware update, one player now stalls for half a second at every DVD layer skip.
- The last two Harry Potter movies have audio glitches throughout (on both players, but not on an LG player).
- After a firmware update, the other player how has sporadic problems switching between different types of media, sometimes requiring a power cycle to get it back into operational status.
And so on. In short, Samsung's software quality control appears to be utterly awful. So hearing that they have security holes is almost as surprising as hearing that Flash has security holes....
--
Check out my sci-fi/humor trilogy at PatriotsBooks.
Did you try... by kiehlster · 2012-04-24 05:15 · Score: 3, Funny

This does eliminate the age old IT question, "Did you try turning it off and on again?"
Given that the TVs are running Linux... by Anaerin · 2012-04-24 05:19 · Score: 4, Informative

Why is this such big news? Did you know you can replace the entire firmware inside your TV too? There's already a group working on getting something usable onto Samsung TVs like these: http://www.samygo.tv/
Re:Init Level 6 by Jahava · 2012-04-24 05:19 · Score: 2

What? Relevance to this story?
Init level 6 is "Reboot", so the system was configured to boot up ... and then reboot ... and reboot ... and reboot... This is relevant to the story because the story is also about an "endless restart loop"!
Re:Init Level 6 by game+kid · 2012-04-24 05:19 · Score: 4, Informative

Runlevel 5 is the typical X level. You switch to runlevel 6 to reboot the system.
So you set inittab to default to level 6 when you want to incur general rage and butthurt with a restart loop. :D

--
You can hold down the "B" button for continuous firing.
Re:Great trick by Jeremiah+Cornelius · 2012-04-24 05:30 · Score: 5, Funny

Hey! Deja Vu,
I think I've seen this movie before...
Hey! Deja Vu,
I think I've seen this movie before...
Hey! Deja Vu,
I think I've seen this movie before...
Hey!

--
"Flyin' in just a sweet place,
Never been known to fail..."
Re:"leads to a loop of endless restarts" by dgatwood · 2012-04-24 05:32 · Score: 2

Groundhog Day marathon.

--
Check out my sci-fi/humor trilogy at PatriotsBooks.
Re:Great trick by Anonymous Coward · 2012-04-24 05:33 · Score: 5, Informative

(or ____ forbid their debit card)
And?
Unless you have a very terrible bank and/or don't bother checking your account ever, this isn't exactly a big deal. I just went through this a few weeks ago, when yonder random payment processor got owned hardcore.
Checked my account - like I do regularly, and found a weird charge. Called up my bank, said, "What is this I don't even?" Bam. Charge killed, money returned, new card in the mail, before I could even say, "Wow, you guys aren't nearly as evil as the Internet led me to believe."
Of course, I suppose the fact that I actually bother checking my account activity regularly makes me some sort of Fiscal Wizard compared to your average person. :p
Why should a TV have a built in computer? by DickBreath · 2012-04-24 05:59 · Score: 2
Either the computer part should be a replaceable module, or it should be a separate box. (eg, a Google TV box, or an Apple TV box -- not built into the set).

Consider:
- The TV will last you probably ten years
- The computer will be hacked within one year
- The computer will be obsolete within two years
- The servers it phones home to will be gone within four years (eg, Zune, Plays For Sure, etc)
Similarly, a computer monitor should not have a built in computer (or vice versa), unless the computer is a replaceable module. The TV or Monitor still have a lot of lifetime (and economic value) long after the computer is hopelessly obsolete. (Yes, I'm looking at you, iMac integrated computer and monitor. But then Apple products seem to be for people with more money then sense.)

- - - - - - -
All that is necessary for Apple to triumph is for Google men to do nothing.
--

I'll see your senator, and I'll raise you two judges.
Re:Great trick by UnknowingFool · 2012-04-24 06:01 · Score: 2

That depends on how they implement it. For my bluray player netflix setup, they put a unique ID on the screen and told me to authenticate it on my account using my computer. So the bluray player never accessed any information about my account. My bluray doesn't have a web browser built-in only Internet access.

--
Well, there's spam egg sausage and spam, that's not got much spam in it.
Re:Great trick by UnknowingFool · 2012-04-24 06:07 · Score: 4, Informative

Some banks have very good fraud detection systems and it is in their interest to have them. The sooner they detect it, the less headache they have to deal with. One of my banks froze my card after I made several unexpected large purchases in one day. Another one called me when they noticed suspicious charges to confirm that I did make them. Someone got my card number, but I still had my card so I would not have reported it stolen or lost.

--
Well, there's spam egg sausage and spam, that's not got much spam in it.
Re:Great trick by Anonymous Coward · 2012-04-24 06:08 · Score: 3, Funny

This or this or this or this or this?
Re:Great trick by djl4570 · 2012-04-24 06:15 · Score: 2

It's deja vu all over again.
Re:Great trick by jimbolauski · 2012-04-24 06:28 · Score: 3, Informative

What the GP is saying is that many banks will issue refunds immediately for fraudulent purchases, and will remove any overdrafts fees if any occurred. In my experience that is how banks work, legally they are not obligated to do so but do so to keep their customers happy. I don't use my debt card for purchases due to the risks but have not heard of any body getting told by the bank that it's not the banks responsibility. Further any overdrafts that occurred from the fraudulent charges will not be assessed because of how they occurred.

--
Knowledge = Power
P= W/t
t=Money
Money = Work/Knowledge so the less you know the more you make
Re:Great trick by Mitreya · 2012-04-24 06:46 · Score: 2

Unless you have a very terrible bank and/or don't bother checking your account ever, this isn't exactly a big deal. I just went through this a few weeks ago, when yonder random payment processor got owned hardcore.
Problem is they don't have to. The behavior will vary bank to bank, and running into such issue is how you learn. A bank might also say "sorry, the money is gone - transfer credentials were legitimate". And there will be nothing you can do.
Credit cards, on the other hand, provide chargeback as one of the services (often by screwing the vendor always assuming their fault, but that's another story and doesn't typically concern the buyer).
Re:Great trick by interkin3tic · 2012-04-24 07:08 · Score: 2

Some banks are so good at fraud detection, they shut down your bank account when you make a purchase overseas even after telling them a week in advance exactly where you were going, leaving you in a foreign country with no money.

To be fair, any large organization is going to make clerical errors, and it's better that they err on that side, since it happens a lot less frequently.