A) Over 85% Of Smart TVs Can Be Hacked Remotely Using Broadcasting Signals
Internet-connected devices are growing at an exponential rate, and so are the threats against them.
Because of insecure implementations, a large share of Internet-connected embedded devices, including Smart TVs, refrigerators, microwaves, security cameras and printers, are routinely hacked and used as weapons in cyber attacks.
IoT botnets like Mirai, possibly the biggest IoT-based malware threat, which emerged late last year and caused a vast Internet outage by launching massive DDoS attacks against the DNS provider Dyn, show how easy it is to hack these connected devices.
Now a security researcher is warning of another IoT threat, this time involving Smart TVs, that could let an attacker take complete control of a wide range of sets at once without physical access to any of them.
Researcher Shows Live Hacking Demonstration
The proof-of-concept exploit, developed by Rafael Scheel of the cyber security firm Oneconsult, uses a low-cost transmitter to embed malicious commands in rogue DVB-T (Digital Video Broadcasting, Terrestrial) signals.
The rogue signal is broadcast to nearby sets; any TV that tunes to it is compromised, giving the attacker root access on the Smart TV and a device that can then be abused for nasty actions such as launching DDoS attacks or spying on its owner.
Scheel gave a live hacking demonstration of the attack during a presentation at the European Broadcasting Union (EBU) Media Cyber Security Seminar, saying that about 90 percent of the Smart TVs sold in recent years are potential victims of similar attacks.
Scheel's exploit relies on a transmitter speaking DVB-T, the terrestrial broadcast standard built into Smart TVs, which are at the same time connected to the owner's Internet link.
The attack chains two known privilege-escalation vulnerabilities in the web browser that the TV runs in the background. Once the browser is exploited, the attacker can connect back to the TV over the Internet through its network interfaces and take complete control of the device.
The compromise is persistent: neither rebooting the TV nor a factory reset rids the victim of the infection.
Previous Smart TV hacks, including Weeping Angel (described in the leaked CIA documents), required physical access to the targeted device or relied on social engineering, which exposes the attacker to the risk of being caught and limits the number of sets that can be compromised.
Scheel's exploit removes the need for physical access and works against a large majority of TV sets at once.
The hack once again underlines the risks of Internet of Things devices. IoT devices are rapidly multiplying and changing the way we use technology, which drastically expands the attack surface; viewed from an information-security standpoint, the IoT can be frightening.
B) Millions Of Smartphones Using Broadcom Wi-Fi Chip Can Be Hacked Over-the-Air
Millions of smartphones and smart gadgets, including Apple iOS devices and many Android handsets from various manufacturers, that use Broadcom Wi-Fi chips are vulnerable to over-the-air hijacking without any user interaction.
Just yesterday Apple rushed out an emergency iOS 10.3.1 update to address a serious bug that lets an attacker within Wi-Fi range execute malicious code on the Broadcom Wi-Fi SoC (System-on-Chip) used in iPhones, iPads and iPods.
The vulnerability is a stack buffer overflow discovered by Google Project Zero researcher Gal Beniamini, who today detailed his research in a lengthy blog post; the flaw affects not only Apple but every device that uses Broadcom's Wi-Fi stack.
Beniamini says this stack buffer overflow in the Broadcom firmware code leads to remote code execution, letting an attacker within the phone's Wi-Fi range send and execute code on the chip.
A skilled attacker who goes on to compromise the host could then take full control of the victim's device and install malicious apps, such as banking Trojans, ransomware and adware, without the victim's knowledge.
In a follow-up post that is already in the works, Beniamini will explain how an attacker who controls the Wi-Fi SoC can escalate into the application processor and take over the host operating system.
Over-the-Air Broadcom Wi-Fi SoC Hack
According to the researcher, the firmware running on the Broadcom Wi-Fi SoC can be made to overrun its stack buffers: carefully crafted Wi-Fi frames carrying abnormal values in their fields are sent to the Wi-Fi controller, and the firmware's handling of those values overflows a buffer on its stack.
Beniamini then combined this overflow with the chipset's frequently firing timers to gradually overwrite chosen regions of the Wi-Fi SoC's memory (RAM) until his own code executed.
So, to exploit the flaw, an attacker only needs to be within Wi-Fi range of the affected device to take it over silently.
“While the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security,” Beniamini explains. “Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection.”
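The article reproduces none of the firmware, so here is an added, constructed illustration in C (not Broadcom's code and not Beniamini's exploit) of the bug class the passage describes: a parser that copies an attacker-supplied, length-prefixed frame element into a fixed-size stack buffer while checking the length only against the frame, shown beside a bounds-checked version. The `stack_frame_t` struct standing in for the parser's stack frame, the element layout, the `ORIG_LR` value and the 0x42 filler are all assumptions made for the example; the "saved return address" is simply a field the demo observes, nothing is actually redirected.

```c
/* Added illustration of a stack-buffer overflow in a frame-element parser,
 * next to a bounds-checked version. Hypothetical code, not Broadcom firmware.
 * The struct below stands in for the parser's stack frame so the overwrite
 * can be observed without corrupting this program's real stack. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ELEM_HDR 2   /* 802.11-style element: 1 byte tag, 1 byte length, value */

/* Assumed layout: the fixed 32-byte local sits directly below the saved
 * return address and there is no stack cookie between them (the quote above
 * notes the SoC firmware lacks stack cookies). caller_frame keeps any
 * 1-byte length inside this object. */
typedef struct {
    uint8_t  local_buf[32];
    uint32_t saved_lr;          /* return address saved by the parsing routine */
    uint8_t  caller_frame[256];
} stack_frame_t;

/* Vulnerable: the length byte from the air is checked against how much of
 * the frame is left, never against the size of local_buf. */
int parse_elem_vulnerable(stack_frame_t *fr, const uint8_t *elem, size_t avail)
{
    if (avail < ELEM_HDR) return -1;
    uint8_t len = elem[1];
    if (avail < (size_t)ELEM_HDR + len) return -1;
    /* Byte-wise copy through the frame's object representation: an
     * oversized element walks past local_buf and into saved_lr. */
    uint8_t *raw = (uint8_t *)fr;
    for (size_t i = 0; i < len; i++)
        raw[offsetof(stack_frame_t, local_buf) + i] = elem[ELEM_HDR + i];
    return len;
}

/* Hardened: bound the copy by the destination, not only by the source. */
int parse_elem_hardened(stack_frame_t *fr, const uint8_t *elem, size_t avail)
{
    if (avail < ELEM_HDR) return -1;
    uint8_t len = elem[1];
    if (avail < (size_t)ELEM_HDR + len) return -1;
    if (len > sizeof fr->local_buf) return -1;   /* reject oversized element */
    memcpy(fr->local_buf, elem + ELEM_HDR, len);
    return len;
}

/* Constructed malicious element: tag 0, length 36 (4 bytes past the buffer),
 * 32 filler bytes and then four 0x42 bytes that land on saved_lr. */
#define EVIL_LEN 36
static size_t build_evil_elem(uint8_t *out, size_t cap)
{
    if (cap < ELEM_HDR + EVIL_LEN) return 0;
    out[0] = 0;
    out[1] = EVIL_LEN;
    memset(out + ELEM_HDR, 'A', 32);
    memset(out + ELEM_HDR + 32, 0x42, 4);
    return ELEM_HDR + EVIL_LEN;
}

#define ORIG_LR 0x0001A2B4u   /* pretend return address before parsing */

/* Runs one parser over the evil element; returns rc, reports saved_lr. */
static int run_demo(int hardened, uint32_t *lr_out)
{
    stack_frame_t fr;
    uint8_t elem[ELEM_HDR + EVIL_LEN];
    size_t n = build_evil_elem(elem, sizeof elem);
    memset(&fr, 0, sizeof fr);
    fr.saved_lr = ORIG_LR;
    int rc = hardened ? parse_elem_hardened(&fr, elem, n)
                      : parse_elem_vulnerable(&fr, elem, n);
    *lr_out = fr.saved_lr;
    return rc;
}

int demo_rc(int hardened)          { uint32_t lr; return run_demo(hardened, &lr); }
uint32_t demo_saved_lr(int hardened) { uint32_t lr; run_demo(hardened, &lr); return lr; }

int main(void)
{
    printf("vulnerable: rc=%d saved_lr=0x%08x\n", demo_rc(0), demo_saved_lr(0));
    printf("hardened:   rc=%d saved_lr=0x%08x\n", demo_rc(1), demo_saved_lr(1));
    return 0;
}
```

Against the constructed element the vulnerable parser returns 36 and leaves saved_lr as 0x42424242, while the hardened one returns -1 and leaves it at ORIG_LR. On a real SoC the corrupted saved return address is what the core jumps to when the parsing routine returns; a stack cookie would only detect that at return time, whereas the destination-bound check stops the write from happening at all.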
The researcher also published a proof-of-concept Wi-Fi remote code execution exploit in the post and ran it successfully against a then fully updated (now patched) Nexus 6P running Android 7.1.1 build NUF26K, the latest available Nexus device at the time of testing in February.
The flaw is one of several vulnerabilities Beniamini found in firmware version 188.8.131.52 of Broadcom's Wi-Fi chips.
Security Patch for Nexus & iOS Released; Others Have to Wait!
Google's Project Zero team reported the issue to Broadcom in December. Because the flaw lies in Broadcom's code, smartphone makers had to wait for a patch from the chip vendor before they could test it and push it out to their own users.
Both Apple and Google addressed the vulnerability with security updates released on Monday: Google delivered fixes through its Android April 2017 Security Bulletin and Apple shipped the iOS 10.3.1 update.
The flaw still affects most Samsung flagship devices, including the Galaxy S7 (G930F, G930V), Galaxy S7 Edge (G935F, G9350), Galaxy S6 Edge (G925V), Galaxy S5 (G900F) and Galaxy Note 4 (N910F), the researcher says.
For the full technical details, see the blog post published by Google's Project Zero team today.