Browser automation script.
Owners of Supra Smart Cloud TVs are in danger of getting some unwanted programming: it’s possible for miscreants or malware on your Wi-Fi network to switch whatever you’re watching for video of their or its choosing.
Bug-hunter Dhiraj Mishra laid claim to CVE-2019-12477, a remote file inclusion zero-day vulnerability that allows anyone with local network access to specify their own video to display on the TV, overriding whatever is being shown, with no password necessary. As such it’s more likely to be used my mischievous family members than hackers.
Mishra told The Register the issue is due to a complete lack of any authentication or session management in the software controlling the Wi-Fi-connected telly. By crafting a malicious HTTP GET request, and sending it to the set over the network, an attacker would be able to provide whatever video URL they desired to the target, and have the stream played on the TV without any sort of security check.
In practice, this bug would be exploited by someone who was on the local network, either by already knowing the wireless password or taking advantage of an unsecured network, who would then send the request to the TV with a link to their own video. if the television is somehow facing the public internet, it could be commandeered from afar, of course.
While this would usually just be a harmless prank, Mishra noted that a particularly malicious user could try to stir up panic by displaying a phony emergency alert.
“A legit user is watching some action movie and attackers trigger the remote file inclusion vulnerability at the same time, so the attacker would have full control over the TV and he can broadcast anything,” Mishra told El Reg.
“The attacker can broadcast any fake emergency message, or the worst case could be broadcasting a purge message.”
Here’s a video demonstrating how the telly could be compromised:
Mishra said he tried to get in touch Supra, which is listed as a Japanese business, but was unable to find any contact information. The Register was similarly unable to get hold of the manufacturer. As such, the flaw remains unpatched. The security researcher said he has not found any other brands to be vulnerable thus far.
Those of a certain age will no doubt be reminded of the infamous Max Headroom Incident. Back in 1987, hackers in the Chicago area of the United States were able to hijack the signal of two local television stations and, for a brief period of time, serve viewers a bizarre clip of an unknown person ranting in a rubber mask of the animated Coke spokesdroid.
Owners of Supra TVs worried of experiencing their own Max Headroom moment would be well-advised to make sure their Wi-Fi networks are secured, and only trusted users have local access. ®