SUPRA Smart TV Flaw Lets Attackers Hijack Screens With Any Video

I have said it before, and I will say it again — Smart devices are one of the dumbest technologies, so far, when it comes to protecting users’ privacy and security.

As more and more smart devices are being sold worldwide, consumers should be aware of security and privacy risks associated with the so-called intelligent devices.

When it comes to internet-connected devices, smart TVs are the ones that have highly-evolved, giving consumers a lot of options to enjoy streaming, browsing the Internet, gaming, and saving files on the Cloud—technically allowing you to do everything on it as a full-fledged PC.

Apparently, in the past few years we have reported how Smart TVs can be used to spy on end users without their explicit consent, how remote hackers can even take full control over a majority of Smart TVs without having any physical access to them, and how flaws in Smart TVs allowed hackers to hijack TV screen.

Now most recently, Smart TVs selling under SUPRA brand-name have been found vulnerable to an unpatched remote file inclusion vulnerability that could allow WiFi attackers to broadcast fake videos to the television screen without any authentication with the television.

SUPRA is a lesser-known Russia electronics brand on the Internet that manufactures several affordable audio-video equipments, household appliances and car electronics, most of which are being distributed through Russian, Chinese, Russian and UAE-based e-commerce websites.

Discovered by Dhiraj Mishra and shared with The Hacker News, the vulnerability (CVE-2019-12477) resides in the “openLiveURL” function of the Supra Smart Cloud TV due to lack of authentication or session management.

As shown in the PoC URL, the vulnerability could allow a local attacker to inject a remote file in the broadcast and display fake videos without any authentication.

> “A legit user is watching some action movie, and attackers trigger the remote file inclusion vulnerability at the same time, so the attacker would have full control over the TV, and he can broadcast anything,” the researcher explains.

As demonstrated by Dhiraj, the exploit allowed him to broadcast a fake “Emergency Alert” while the TV was playing a speech of Steve Jobs—by simply injecting the video file through the PoC URL using his web browser.

Though the requirement of having attackers’ access to victim’s WiFi network by default limits the threat to a great extent, a growing number of router and IoT vulnerabilities still makes it a potential attack scenario for remote attackers.

Though the vulnerability has been given a CVE ID, it is unlikely to be patched. So, users who own a Supra Smart Cloud TV can’t do more than keeping their WiFi network secure—like setting a strong password, avoid sharing WiFi password with untrusted people and keeping other so-called smart devices behind a firewall or off the Internet that are connected to the same network.