Threat Research

The Sony Smart TV Exploit: An Inside View of Hijacking Your Living Room

By Tony Loi | October 04, 2018

More and more Smart TVs are connected to the Internet than ever before, with an estimated 760 million of them now connected globally. As new threats increasingly target IoT devices, such as Smart TVs, that include always-on connectivity and high-performance GPUs that can be hijacked for malicious purposes, FortiGuard Labs took the opportunity to look at the current security status of these devices.

Security researchers have been raising concerns about vulnerability issues found in Smart TVs. For quite some time The good news is that most TV vendors are listening to these concerns and have been taking action to fix them (especially when compared to random IoT devices). While the security posture of these kinds of devices are definitely getting better, we here at FortiGuard Labs decided to take some time to look at some popular brands, and as a result, we worked closely with vendors to fix some remaining issues, such as the example below.

A few weeks ago, Sony released an advisory for multiple vulnerabilities for their Bravia Smart TV devices that had been found and reported directly to Sony’s PSIRT team by Fortinet’s FortiGuard Labs team. These vulnerabilities reside specifically in one of Sony’s proprietary applications called Photo Sharing Plus. Since they can be exploited remotely without authentication by attackers who are connected to the same local Network, customers should upgrade their TVs as soon as possible.

Following are some of the more critical details of the vulnerabilities we discovered:

Stack Buffer Overflow - CVE-2018-16595 (high severity):
This is a memory corruption vulnerability that results from insufficient size checking of user input. With a long enough HTTP POST request sent to the corresponding URL, the application will crash.
Fortinet previously released IPS signature Sony.SmartTV.Stack.Buffer.Overflow for this specific vulnerability to proactively protect our customers.

Directory Traversal - CVE-2018-16594 (high severity):
The application handles file names incorrectly when receiving a user’s input file via uploading a URL. A anttacker can upload an arbitrary file with a crafted file name (e.g.: ../../) that can then traverse the whole filesystem.
Fortinet previously released IPS signature Sony.SmartTV.Directory.Traversal for this specific vulnerability to proactively protect our customers.

Command Injection - CVE-2018-16593 (critical severity):
This application handles file names incorrectly when the user uploads a media file. An attacker can abuse such filename mishandling to run arbitrary commands on the system, which can result in complete remote code execution with root privilege.
Fortinet previously released IPS signature Sony.SmartTV.Remote.Code.Execution for this specific vulnerability to proactively protect our customers.

Fortinet’s FortiGuard Labs responsibly coordinated with Sony in disclosing all of these discovered issues, and we also waited to release our advisory until after Sony has published the fixes accordingly.

Lastly, we would like to thank Sony PSIRT team for their quick and responsible cooperation in fixing these vulnerabilities.

Timeline:

  • 27 Mar, 2018: Notification sent to Sony PSIRT team and Sony acknowledges in the same day.
  • 03 Apr, 2018: Sony confirms the vulnerabilities and begins working on the patches.
  • 01 Jun, 2018: Sony begins shipping the patch via Over-The-Air (OTA) update.
  • 03 Aug, 2018: Sony completes the OTA worldwide delivery.
                Note: OTA update needs user's approval and a network connection
  • 30 Aug, 2018: Sony publishes an advisory about the patch.

Side Note About Privacy:

One concerning observation is the fact that while the security posture of Smart TVs is getting better, there are still privacy challenges. It’s no longer rare for user agreements to be regularly updated and even hear cases reported of data being collected without the consumer’s knowledge nor consent. To address this issue, “Two US senators have asked the Federal Trade Commission (FTC) to investigate smart TV makers amid fears and evidence that companies might be using devices to collect data and track users without their knowledge.”

If you are planning on purchasing a new Smart TV, or are already the owner of one, we suggest you double check its privacy settings concerning the collection of data. At the least, you should be aware of what personal data your TV is sharing, and with whom it is being shared.

-= FortiGuard Lion Team =-

Download our latest Fortinet Global Threat Landscape Report to find out more detail about recent threat landscape trends.

Sign up for our weekly FortiGuard Threat Brief.

Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.