Slashdot Mirror


Samsung TVs Can Be Hacked Into Endless Restart Loop

Gunkerty Jeb writes "Italian security researcher Luigi Auriemma was trying to play a trick on his brother when he accidentally discovered two vulnerabilities in all current versions of Samsung TVs and Blu-Ray systems that could allow an attacker to gain remote access to those devices. Auriemma claims that the vulnerabilities will affect all Samsung devices with support for remote controllers, and that the vulnerable protocol is on both TVs and Blu-Ray enabled devices. One of the bugs leads to a loop of endless restarts while the other could cause a potential buffer overflow."

15 of 187 comments

  1. On The Up Side ... by WrongSizeGlass · · Score: 4, Funny

    On the up side you can't be inundated with endless commercials if your TV is in an endless restart loop ;-)

  2. Re:Great trick by xclr8r · · Score: 5, Informative

    The buffer overflow is worrisome. A lot of the newer Blu-Ray players have additional features like Netflix over Wi-Fi/home network. The basic consumer may put in their credit card (or ____ forbid their debit card) info to start their Netflix account.

    --
    Beware of those who profit off the docile and persecute the unbelievers.
  3. Anybody pine for that golden age by Compaqt · · Score: 5, Insightful

    Where we had dumped carburetors for computer-controlled engines, but they didn't need to get updates, and those updates weren't wirelessly and remotely pushed?

    Where we had dumped cathode ray tubes for flat, liquid crystal displays, but hadn't put the tubes back into TV by stuffing the Internet (and viruses) into them?

    Where we had dumped both rotary and touch tone land line phones for cellular phones that could do most anything you'd want them to, and you carry it wherever you went, but you didn't have to have an antivirus running on the phone and didn't have to worry about your contact details being sent to Nigeria?

    --
    I'm not a lawyer, but I play one on the Internet.
    1. Re:Anybody pine for that golden age by Howitzer86 · · Score: 4, Funny

      If you're broke like me, you're still living in the golden age.

  4. Re:TV by Anaerin · · Score: 4, Informative

    Not yet, but as the TVs run Linux underneath (and have published their source code, as they are required to by the GPL) they're working on it: http://www.samygo.tv/

  5. Re:TV by drinkypoo · · Score: 4, Funny

    My parents recently got a 52" Internet connected Samsung TV. Any way I could use this to replace the crap Samsung apps with something better?

    Sure. Just give me the IP address...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  6. Original article and scope by enriquevagu · · Score: 5, Informative

    The vulnerability is originally disclosed here, not in the posted link.

    This vulnerability only works from the same broadcast domain where the TV is, since the remote control protocol relies on broadcast messages to announce the service. This means that your TV cannot be cracked from the Internet. Let's hope that Samsung apply a fix soon, in any case.

  7. Given that the TVs are running Linux... by Anaerin · · Score: 4, Informative

    Why is this such big news? Did you know you can replace the entire firmware inside your TV too? There's already a group working on getting something usable onto Samsung TVs like these: http://www.samygo.tv/

  8. Re:Init Level 6 by game kid · · Score: 4, Informative

    Runlevel 5 is the typical X level. You switch to runlevel 6 to reboot the system.

    So you set inittab to default to level 6 when you want to incur general rage and butthurt with a restart loop. :D

    --
    You can hold down the "B" button for continuous firing.
  9. Re:TV by JoeCommodore · · Score: 5, Funny

    My parents recently got a 52" Internet connected Samsung TV. Any way I could use this to replace the crap Samsung apps with something better?

    Sure. Just give me the IP address...

    It's 127.0.0.1 - hack away!

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
  10. Re:TVs =/= PCs by arth1 · · Score: 4, Insightful

    So now that TVs restart, I'm guessing malware isn't far behind?

    It's already there. Most TVs these days are infected with the HDCP malware.

  11. Re:Great trick by Jeremiah Cornelius · · Score: 5, Funny

    Hey! Deja Vu,

    I think I've seen this movie before...

    Hey! Deja Vu,

    I think I've seen this movie before...

    Hey! Deja Vu,

    I think I've seen this movie before...

    Hey!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  12. Re:Great trick by Anonymous Coward · · Score: 5, Informative

    (or ____ forbid their debit card)

    And?

    Unless you have a very terrible bank and/or don't bother checking your account ever, this isn't exactly a big deal. I just went through this a few weeks ago, when yonder random payment processor got owned hardcore.

    Checked my account - like I do regularly, and found a weird charge. Called up my bank, said, "What is this I don't even?" Bam. Charge killed, money returned, new card in the mail, before I could even say, "Wow, you guys aren't nearly as evil as the Internet led me to believe."

    Of course, I suppose the fact that I actually bother checking my account activity regularly makes me some sort of Fiscal Wizard compared to your average person. :p

  13. Re:TV by higuita · · Score: 4, Funny

    Hey, you already created my username and set up my personal password?!! How did you know then!?

    I will teach you a lesson, I'm piping /dev/zero to your HD right now!!

    --
    Higuita
  14. Re:Great trick by UnknowingFool · · Score: 4, Informative

    Some banks have very good fraud detection systems and it is in their interest to have them. The sooner they detect it, the less headache they have to deal with. One of my banks froze my card after I made several unexpected large purchases in one day. Another one called me when they noticed suspicious charges to confirm that I did make them. Someone got my card number, but I still had my card so I would not have reported it stolen or lost.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.