My Samsung TV and the internet

I wanted to see what my Samsung TV does when connected to the internet (while watching TV, no HBBTV, no browsing, just watching cable TV).
It explores its UPnP neighborhood and tells something about itself:
http://ip.of.TV:52235/dmr/SamsungMRDesc.xml
returns amongst others:

urn:schemas-upnp-org:device:MediaRenderer:1
MS_DigitalMediaDeviceClass_DMR_V001
Display.TV.LCD Multimedia.DMR
DMR-1.50
Wohnzimmer
Samsung Electronics
http://www.samsung.com/sec
Samsung TV DMR
UE40D6200
AllShare1.0
http://www.samsung.com/sec

Now I know which particular model I own 😉
Eventually it pulls http://vd.emp.prd.s3.amazonaws.com/emp/empinfo_GENOAS_0.970.xml
The answer (only the interesting part):

http://oempprd.samsungcloudsolution.net/emp/emp/GENOAS_0.970_empAuthSMG_VER_0.006.zip
http://oempprd.samsungcloudsolution.net/emp/emp/GENOAS_0.970_empDownload_VER_2.700.zip
http://oempprd.samsungcloudsolution.net/emp/emp/GENOAS_0.970_empNaver_VER_1.000.zip
http://oempprd.samsungcloudsolution.net/emp/emp/GENOAS_0.970_empSignature_VER_1.000.zip
http://oempprd.samsungcloudsolution.net/emp/emp/GENOAS_0.970_empT9_VER_2.301.zip
http://oempprd.samsungcloudsolution.net/emp/emp/GENOAS_0.970_empXT9_VER_4.102.zip

I only downloaded the last file: http://oempprd.samsungcloudsolution.net/emp/emp/GENOAS_0.970_empXT9_VER_4.102.zip.
This file contains:

Archive:  GENOAS_0.970_empAuthSMG_VER_0.006.zip
  Length     Date   Time    Name
 --------    ----   ----    ----
  1539312  06-20-11 11:10   empAuthSMG
     1012  06-20-11 17:13   empAuthSMG.xml
     1282  06-20-11 11:10   EmpSchema.xsd
 --------                   -------
  1541606                   3 files

empAuthSMG is a 32-bit ARM executable for GNU/Linux 2.6.16, stripped. Using good old strings on this file, we learn that it tries to fetch (via libcurl) http://aaa.bbtv.cn/tv/Service/Open (which throws a 500, BTW).

Another request goes to http://www.samsung.com/global/products/tv/infolink/us.xml, which seems to be for pre-fetching US weather forecasts, for whatever reason (I’m not in the US). Anyway, nothing spectacular.
But this one is more interesting: an https request to 207.36.95.10. Since it is https, I cannot see into the packets, but the server certificate is weird:

        Issuer: CN=Samsung Hubsite CA, O=Samsung Electronics, C=KR, ST=Kyong-gi, L=Suwon
        Validity
            Not Before: Oct  4 04:16:39 2013 GMT
            Not After : Sep 27 04:16:39 2043 GMT
        Subject: CN=infolink.pavv.co.kr, O=Samsung Electronics, C=KR, ST=Kyong-gi, L=Suwon

Interesting because obviously Samsung runs its own CA. And also see the “Not Before” date: Oct 4 04:16:39 2013 GMT. I am 100% sure that I have not updated the TV’s firmware in the last few months (if ever), so the question is: why does my TV connect to a website with a certificate that is only 6 weeks old? The answer: because the TV downloads data from the internet all the time, and not only data but executables too, and they get executed. And these executables are downloaded via http, easy to spoof.
Think of an executable that opens a tunnel to some attacker on the internet. Then he is in your TV and from there he can attack all your internal devices, and no router/firewall will protect you.
I think I will reconfigure my DHCP server so that this TV doesn’t get a default gateway assigned (we do not use HBBTV and the like).
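
The triage described above (look inside a downloaded module zip, identify the executable, note that it arrived over plain http), written as an added Python example that is not part of the original post. The sample archive, its member names and the URL are constructed for illustration; real input would be a download captured at your own proxy.

```python
import io
import struct
import zipfile
from urllib.parse import urlsplit

ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "32-bit", 2: "64-bit"}
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def describe_elf(head: bytes):
    """Return e.g. '32-bit ARM ELF' if head starts an ELF file, else None."""
    if len(head) < 20 or head[:4] != ELF_MAGIC:
        return None
    endian = "<" if head[5] == 1 else ">"  # e_ident[EI_DATA]: 1 = little endian
    _e_type, e_machine = struct.unpack_from(endian + "HH", head, 16)
    machine = E_MACHINE.get(e_machine, "machine %d" % e_machine)
    return "%s %s ELF" % (EI_CLASS.get(head[4], "?"), machine)


def audit_download(url: str, archive: bytes):
    """List executables in a downloaded zip and flag unauthenticated transport."""
    plaintext = urlsplit(url).scheme.lower() != "https"  # http: no integrity at all
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                kind = describe_elf(member.read(20))  # header only, never unpack fully
            if kind:
                findings.append({"member": info.filename, "kind": kind,
                                 "spoofable_transport": plaintext})
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for a module archive: fake ARM ELF header plus XML."""
    elf = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 2, 40) + bytes(32)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sampleModule", elf)
        zf.writestr("sampleModule.xml", "<module/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical URL on a reserved domain, not one of the URLs from the post.
    for finding in audit_download("http://updates.example.invalid/sample_module.zip",
                                  build_sample_zip()):
        print(finding)
```

A finding with `spoofable_transport` set means code reached the device over a channel anyone on the path could rewrite; https on its own only protects the transport, so a signature check on the archive is still the stronger control.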

1 Comment

  1. Nice article. I found this post searching for “SamsungMRDesc.xml”. My solution has always been to block all embedded hardware completely, so it doesn't get past my IPFire.
