Infolink https protocol

Ideas and dreaming will go this forum
dec0ding
Posts: 26
Joined: Sun Jan 06, 2013 2:23 pm

Infolink https protocol

Post by dec0ding » Wed Jan 09, 2013 10:41 am

Smarthub is heavily bound to communication with https://infolink.pavv.co.kr
On first widget launch smarthub registers itself with Samsung and sends your TV ModelID, firmware code, Lang/Country code, unique id (DUID), mac address and appkey,
and gets an authentication token required for some further queries.

Code:

GET /openapi/device/auth/seedkey?timestamp=373965 HTTP/1.1
Host: infolink.pavv.co.kr
macaddr: 010203040506
ModelId: 12_X10PLUS_2D
CountryCode: RU
Connection: close
Firmcode: T-INFOLINK2012-1012
User-Agent: Mozilla/5.0 (SmartHub; SMART-TV; U; Linux/SmartTV; Maple2012) AppleWebKit/534.7 (KHTML, like Gecko) SmartTV Safari/534.7
Content-Type: text/xml
cache-control: no-cache
duid: SHCL6XXXXXXX
AppKey: 00000000-1111-2222-3333-444444444444-55555555-6666-7777-8888-999999999999
Cookie: WMONID=zcHWkuzLqMs
Accept: */*
Accept-Encoding: gzip
Content-Length: 0

Response:

<?xml version="1.0" encoding="UTF-8"?>
<rsp stat="ok">
  <session id="aa311344">
    <user confirmed="yes" id="_12_X10PLUS_2D_c4731edd42f1" protected="no"/>
    <seedkey>04e69f7c-a80a-41c4-ac49-9d1c05f96929-b7949d14-d3f1-41f3-95b1-166db9fb545b</seedkey>
    <expired>2013-01-10T16:15:15+0900</expired>
    <country code="RU" supported="yes"/>
    <isp code="OPN" name="OPN" supported="yes"/>
  </session>
</rsp>

On any non-user (signed) widget launch, including EMP, smarthub queries widget information from infolink.
Infolink may enforce updates, and the user cannot deny them.

Code:

GET /openapi/service/widget/signed/20121000004?timestamp=1357715723486 HTTP/1.1
Host: infolink.pavv.co.kr
Connection: close
User-Agent: Mozilla/5.0 (SmartHub; SMART-TV; U; Linux/SmartTV; Maple2012) AppleWebKit/534.7 (KHTML, like Gecko) SmartTV Safari/534.7
Content-Type: text/xml
cache-control: no-cache
AppKey: 00000000-1111-2222-3333-444444444444-55555555-6666-7777-8888-999999999999
Token: aa311344+_12_X10PLUS_2D_010203040506+db4b14dd6dbdb9c2fb75bee213edeae04105f458
Cookie: WMONID=zcHWkuzLqMs
Accept: */*
Accept-Encoding: gzip
Content-Length: 0

Response:

<?xml version="1.0" encoding="UTF-8"?>
<rsp stat="ok">
  <list>
    <widget id="20121000004" size="7560504" url="http://dly2224qfzjce.cloudfront.net/files/widget/201211/20121000004/1.233/widget/WebBrowser_720p_dri.zip?Expires=1357716757&Signature=FBXibtDXHcUKdZNfJNzJWU1IvjbtJqCJ0kBIf~KCX~3G3uJPccG5EyGy7R5CBWhjY1i6gQ2Gshv2dOQqBEurtlo1ww7sTVMwT4l2zOYwBR1rrn-EaO1TqY6WW9KBvKJQFmiBiLWHDs0iAsyHgj4aJvkluB0qvmPae8bGTpbabno_&Key-Pair-Id=APKAIUMJLMRVBKS7VM4A" version="1.233">
      <compression size="5892071" type="zip"/>
      <updateforced stat="yes"/>
      <encryption seedkey="" type=""/>
      <emplist stat="yes">
        <emp id="empBrowserCommonPlugin"/>
        <emp id="empWebBrowserDRI"/>
      </emplist>
    </widget>
  </list>
</rsp>

Without a successful model bind it's impossible to launch most widgets.
So users get tracked with their TV and widget usage :)
Fortunately communication goes through a secure channel with cert check, and nobody can sniff it on the wire.
But infolink does not enforce https; all services are available over http.
To capture the web protocol I made a little modification to the manager widget.
That's how infolink URLs are constructed:

Code:

manager/10120000000/SmartHome/SmartHomeDefine.js

var WM_BASIC_PROTOCOL = "http://";
var WM_SECURE_PROTOCOL = "https://";

manager/10120000000/WMCommon/OpenAPI/HAHubSiteAPI.js

url = WM_SECURE_PROTOCOL+DTVInfo.Value.ServerURI +  "/device/lookup?timestamp=" + tTimestamp;
It's easy to make it use http instead of https by replacing WM_SECURE_PROTOCOL.
But it's undesirable to make changes to the main manager code, or you may cut yourself off from smarthub and get a brick or semi-brick.
It's safe to modify leaf functionality. I modified the about box code:

Code:

manager/10120000000/Settings/Properties_SmartSettingTemplates.js

Properties_SmartSetting.SetDetailInfoDiv720 = function (isNetflix)
{
	TRACE("Properties_SmartSetting.SetDetailInfoDiv720() Start");
	
	WM_SECURE_PROTOCOL = "http://";
...........
After startup nothing is changed. If you call Tools->Settings->About Smart Hub, https is replaced with http and then it's easy to sniff.

I uploaded my protocol dumps so you can study it yourself.
http://www.sendspace.com/file/jj4ub0
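Added example (not code from the thread or from Samsung's manager widget): a small Python checker for dumps like the ones above. It parses the seedkey reply, splits the Token header into the parts visible in the dump, and flags per widget what a defender would want to know: a forced update, a package URL served over plain http, and an empty encryption element. The sample responses are constructed from the dumps above with the CloudFront signature shortened.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples based on the dumps in the thread (CloudFront signature
# shortened; the dump shows bare '&' in the url attribute, escaped here so a
# strict XML parser accepts it).
AUTH_RESPONSE = """<rsp stat="ok"><session id="aa311344">
<user confirmed="yes" id="_12_X10PLUS_2D_c4731edd42f1" protected="no"/>
<seedkey>04e69f7c-a80a-41c4-ac49-9d1c05f96929-b7949d14-d3f1-41f3-95b1-166db9fb545b</seedkey>
<expired>2013-01-10T16:15:15+0900</expired></session></rsp>"""
WIDGET_RESPONSE = """<rsp stat="ok"><list>
<widget id="20121000004" size="7560504" version="1.233"
 url="http://dly2224qfzjce.cloudfront.net/files/widget/201211/20121000004/1.233/widget/WebBrowser_720p_dri.zip?Expires=1357716757&amp;Signature=SIG&amp;Key-Pair-Id=KEYID">
<compression size="5892071" type="zip"/><updateforced stat="yes"/>
<encryption seedkey="" type=""/></widget></list></rsp>"""
# Token header from the dump: <session id>+<model id and MAC sent in the request headers>+<40 hex chars>
TOKEN = "aa311344+_12_X10PLUS_2D_010203040506+db4b14dd6dbdb9c2fb75bee213edeae04105f458"
TOKEN_RE = re.compile(r"^([0-9a-f]+)\+(_[^+]+)\+([0-9a-f]{40})$")

def parse_session(xml_text):
    """What the seedkey reply hands the TV: session id, user id, seedkey, expiry."""
    root = ET.fromstring(xml_text)
    sess = root.find("session")
    return {"stat": root.get("stat"), "session_id": sess.get("id"),
            "user_id": sess.find("user").get("id"),
            "seedkey": sess.findtext("seedkey"), "expired": sess.findtext("expired")}

def split_token(token):
    """Split the Token header; raise if it does not match the observed layout."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("unexpected Token layout")
    return {"session_id": m.group(1), "user_id": m.group(2), "digest": m.group(3)}

def audit_widgets(xml_text):
    """Per widget, flag a forced update, a plain-http package URL and empty encryption."""
    findings = []
    for w in ET.fromstring(xml_text).iter("widget"):
        flags = []
        forced, enc = w.find("updateforced"), w.find("encryption")
        if forced is not None and forced.get("stat") == "yes":
            flags.append("update_forced")
        if urlsplit(w.get("url", "")).scheme != "https":
            flags.append("package_over_http")
        if enc is not None and not enc.get("type"):
            flags.append("package_unencrypted")
        findings.append({"id": w.get("id"), "version": w.get("version"), "flags": flags})
    return findings
```

Run against a real dump, the session id from `parse_session` should equal the first part of the later requests' Token header, which is what ties the widget queries back to the model bind.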

arris69
SamyGO Moderator
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)

Re: Infolink https protocol

Post by arris69 » Wed Jan 09, 2013 2:00 pm

nice idea, shows once again that no one in korea knows anything about networks and security...

btw. we have a search function too ;-)
viewtopic.php?f=25&t=3646#p28107
http://pastebin.com/gzuBxq0g
http://pastebin.com/5YEq3wzR
http://pastebin.com/f1RdFECL

regards arris (dec0ded) :-D

nobody
Posts: 182
Joined: Sat Nov 12, 2011 1:45 am

Re: Infolink https protocol

Post by nobody » Mon Jan 14, 2013 3:52 pm

this is known but not useful. And this would expose only smarthub traffic, but having smarthub already decrypted there is no need to have http traffic when we can just read the code :)

E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: Infolink https protocol

Post by E3V3A » Thu Jan 31, 2013 11:50 pm

dec0ding wrote:So, user get tracked with their TV and widget usage :)
So what does all this mean? What exactly are they tracking?
(Anything else?)
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003

dec0ding
Posts: 26
Joined: Sun Jan 06, 2013 2:23 pm

Re: Infolink https protocol

Post by dec0ding » Sat Feb 02, 2013 4:15 pm

E3V3A wrote:
dec0ding wrote:So, user get tracked with their TV and widget usage :)
So what does all this mean? What exactly are they tracking?
(Anything else?)
TV unique ID - mac address - IP address
Every time the TV is on and online - sams has the record.
If the user has entered his sams account information, they have a link to the user's profile.
sams has a list of installed widgets per "TV unique ID" and can force install or uninstall any widget at will.
For example, if they were evil guys, they could brick all TVs connected to the internet by mass installing an evil widget capable of erasing MMC flash.
In fact they use this functionality to install partners' widgets (small icons on top) and rotate them every 1-2 weeks.
The user cannot refuse.

Samsung smart tv is a very unsafe platform.
Everybody knows how many vulnerabilities are found in browsers. If a vulnerability is exploited on the TV while browsing the web,
the exploit has complete root access. The legitimate user has no access to the TV OS. Any bad code can run without the user even knowing about it.
Also, any installed widget has unrestricted root access and can run OS commands with simple javascript exploit code => can brick or install malware.
The only real measure of protection is SSL to infolink and download locations on cloudfront.net, with certificate check.
Sams is supposed to verify all apps before they appear in the sams store.
But if someone discovers a way to mass install malicious widgets not checked by sams - they own all the TVs.

Sams firmware has many old components such as an old flash player with well known vulnerabilities.

E3V3A
Posts: 247
Joined: Wed Oct 31, 2012 2:31 am
Location: /dev/zero

Re: Infolink https protocol

Post by E3V3A » Sun Feb 03, 2013 1:26 pm

^^ This information leakage seems quite worrisome, to say the least! So what could we do to protect ourselves from all this?

For example, would it be feasible/possible to create an App that would selectively block some of this and implement a firewall?
HW: UE40ES5700SXXH
FW: T-MST10PDEUC-1029.0 Onboot: 1003

arris69
SamyGO Moderator
Posts: 1700
Joined: Fri Oct 02, 2009 8:52 am
Location: Austria/Vienna (no Kangaroos here)

Re: Infolink https protocol

Post by arris69 » Sun Feb 03, 2013 6:18 pm

E3V3A wrote:^^ This information leakage seems quite worrisome, to say the least! So what could we do to protect ourselves from all this?

For example, would it be feasible/possible to create an App that would selectively block some of this and implement a firewall?
if you get an app installed (without user interaction) that destroys your tv or lets someone watch what you do with your girlfriend/wife during commercials,
then your problem is not the security of the tv but maybe brain-1.0 needs an update...

yes, sometimes newspapers/"tech forums" need to write some "news".

security on samsung tv's is at the same level as on android or ios based devices, the problem is always the user/owner :-)

dec0ding
Posts: 26
Joined: Sun Jan 06, 2013 2:23 pm

Re: Infolink https protocol

Post by dec0ding » Mon Feb 04, 2013 9:18 am

arris69 wrote:
E3V3A wrote: security on samsung tv's is at same level as on android or ios based devices, problem is alway the user/owner :-)
What about jailbreaking on iOS? Why does the community constantly search for complex ways to get root there?
On all known mobile OSes apps run in a very strict and isolated environment, and if they want some more access
they have to ask the OS, which will prompt the user.
On win8/RT apps must declare their intentions of what they do: access files, internet or home connection, etc.
Security is enforced at OS kernel level by the appcontainer model.
Apps cannot get administrative privileges.
On sams every widget has in fact unrestricted control of the entire TV. If something bad somehow was run - you have already lost your tv.
No prompts. Just bad uncontrolled code execution with root privileges.
Linux can be configured for a strict environment. Use a fine grained access policy, SELinux at least.
Sams completely ignores OS level security mechanisms.

The only step of protection is samsung app store verification.

About app tracking - I agree this is a modern tendency in embedded devices.
But in Samsung's case the TV notifies the vendor about its presence every time it is powered on and connected to the network, and every time any app is launched.
The user cannot decline updates. The TV will constantly prompt - you must update smart hub.
Sooner or later you will have to press OK because of the annoyance.
On other platforms you can stop the OS from contacting the vendor every time it's online and can disable updates.
So, once apps are installed, you need the vendor no more. You can be on your own.
On Samsung almost all of the apps cannot be run without first binding to infolink and applying the smart hub update.

dajojo
Posts: 46
Joined: Thu Jun 21, 2012 12:43 am

Re: Infolink https protocol

Post by dajojo » Wed Feb 06, 2013 2:35 am

since when do samsung widgets have root on the tv?
only flash has direct control over graphics hardware and even that goes through a controlled state.
sams completely ignores OS level security coz it uses its own complete OS security which encrypts the whole OS instead of some parts.
u can turn off updates.
point is that decoding the https stream is pointless.

dec0ding
Posts: 26
Joined: Sun Jan 06, 2013 2:23 pm

Re: Infolink https protocol

Post by dec0ding » Wed Feb 06, 2013 9:22 am

dajojo wrote:since when do samsung widgets have root on the tv?
I guess since the very first release of smartTV.
The Javascript API has always included file operations capable of accessing the whole filesystem under the privileges
of the widget manager = root. Samsung's latest API analyzer, which claims to disable restricted APIs, offers no real protection and can be easily bypassed.
JS is a very flexible scripting language capable of dynamic construction of executable code.
Also the analyzer works only on widget installation. After the widget is installed the code can be edited in any way with no API restrictions.
Having root is as simple as
eval("r=FilePlugin.Copy(\"/proc/self/cmdline\", \"$(sh /mtd_rwcommon/widgets/user/mywidget/myscript.sh >/dev/null 2>/dev/null)/tmp/cmdline.txt\")");
dajojo wrote: only flash has direct control over graphics hardware and even that goes through a controlled state.
CPU native code has direct control. We can easily execute it. Not because of ordinary security holes like on any other platform
but because of a fundamental design error. Samsung patches seem to patch an initially sinking boat.
The system was not designed with fundamental security in mind. It relies only on keeping us from the TV OS and limiting the
ways widgets can be installed on the TV. That's why Samsung reads this forum and constantly releases "patches" to "holes" found here.
The hole is not what we find, the hole is the system design.
dajojo wrote: sams completely ignores OS level security coz it uses its own complete OS security which encrypts the whole OS instead of some parts.
What do you mean by OS encryption? Encryption must be applied to something with some purpose. "Encryption" is not a magic word.
When we have root our abilities are only limited by our platform knowledge and reversing. This is the key factor.
dajojo wrote: u can turn off updates.
How do I turn off smarthub updates on an E-series TV?
dajojo wrote: point is that decoding the https stream is pointless.
Decoding of the http stream gives understanding of the smart tv design and some important implications.
Maybe I'm paranoid but I prefer my smarthub not performing as Samsung designed. That's the reason I created my own infolink emulator.
