Auditing Samsung Smart-TV Apps

Posted: October 10, 2014 in HbbTV, security, Smart TV, trifinite.org

auditing_smarttvIn a recent assignment, I was asked to do an IT security audit of a Samsung Smart-TV app. It took me some time to find the (for me) ideal solution to do the audit with my usual setup of tools. Since Smart-TV apps are based on javascript, they run on a fancy browser in the Smart-TV device. Consequently, using the same auditing techniques for Smart-TV apps as for web applications makes sense.  So the goal was to get all the requests and responses from the emulator through a proxy – in my case BurpSuite. I hope to help fellow IT security auditors to save some time with this little write-up.

When auditing HbbTV apps, where only a limited set of additional features has to be provided by the browser, there is at least one freely available browser extension for Firefox called FireHbbTV, which works perfectly for most cases. When it comes to propriatary solutions, the browser for the application that has to be audited has to provide access to many more vendor-specific APIs that are usually not available as a free browser plugin. In the case of Samsung, there is a VirtualBox-image that – when powered up – emulates a Smart-TV that implements all APIs that developers need in order to develop a Smart-TV App for a Samsung device.

The app I had to do a security assessment for was developed using the Samsung SDK 4.5. The emulator image is based on Ubuntu 12.04. Unfortunately, there is no publicly communicated password for neither the smarttv user nor any other user that might log onto the virtual emulator. Different approaches to have a router that transparently redirects the traffic from the emulator VM to my BurpSuite proxy turned out to either not work as desired or were simply too complicated and time-consuming to setup.

The Solution

In order to redirect web traffic through an attack proxy, the emulator itself has to be modified. You could try to mount the compressed vmdk file with the vmware-tools under linux, but it is easier to mount the virtual machine disk (.vmdk) file within another virtual linux installation. There is a lot of ready-made linux images available on thoughtpolice.co.uk and many other places on the Internet that you could use for this purpose. When the emulator’s virtual disk is mounted within the other linux host you can explore it with root permission and modify all the files on it.

Start xterm as root in the emulator

As you can see in /home/smarttv/.xinitrc the emulator is started by calling the launchEmulator.sh shell script in /home/smarttv/CSEmulator/Bin as root! All you have to do is to add a line saying

/usr/bin/xterm &

right below the export-section in /home/smarttv/CSEmulator/Bin/launchEmulator.sh

emulator_shell

When the emulator starts up the next time, you have a root shell available behind the actual emulator screen. You can switch focus by using the well-known ALT-Tab key combination. Now you can go ahead and tweak configuration files and do things that you like. In Version 4.5 of the Samsung Smart-TV SDK, It is not neccessary to import any SSL cerificates, since the emulator does not check the authenticity of HTTPS URLs.. but you could of course.

Redirecting traffic through BurpSuite-Proxy

In order for this to work, you should make sure your VirtualBox (with the pimped filesystem) uses a Bridged Network Adapter. This way, your Smart-TV emulator uses the same infrastructure as your host system and gets – if the network uses DHCP – an address out of the same network as your host. This way you do not have to try to configure your host as a router – which is not that easy under Windows.

Once this is done, you can use the root-xterm in your emulator in order to add the following rules for your local firewall:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination your.host.ip:8080
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination your.host.ip:8080

Make sure to replace ‘your.host.ip’ by your host’s actual IP address.

What this does is to redirect all TCP requests on the ports 443 and 80 to your host’s proxy server on port 8080. If you are using BurpSuite, you have to make sure that your proxy options inlude ‘Support invisible proxying’ and that the proxy service runs on ‘all interfaces’. You could also make the local firewall rules persistent by adding the two lines to the /etc/rc.local file (before the exit command).

Now you can start up the Smart-TV widget in the emulator and you will see all the requests in your proxy log. Of course, you could use any other proxy that supports ‘invisible proxying’.

Happy Testing!

If this was helpful to you, please let me know by donating the equivalent of some beer in the support section to your left. Cheers!

Advertisements
Comments
  1. […] статью как раз по моей теме (кажется, единственная) — mherfurt.wordpress.com/2014/10/10/auditing-samsung-smart-tv-apps, но он […]