Samsung SpyTV - part 1

It all started because I wanted to take a deeper look at my Samsung Smart TV features… A quick nmap gave me this:

Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-03 20:48 CET
Nmap scan report for [redacted]
Host is up (0.011s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
7676/tcp open  imqbrokerd
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8080/tcp open  http-proxy
8443/tcp open  https-alt
9080/tcp open  glrpc

Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds

So I tried to access some ports via HTTP. Port 8000 says (in plain text):

Server is running...

And then port 8001, a 404 message (in html+css+bootstrap):

These are not the droids your looking for....

This is how you make things interesting. A quick Google search told me that another URL returns a JSON document full of info, like this:

{
  "DUID": "[redacted]",
  "Model": "[redacted]",
  "ModelName": "UE48H6400",
  "ModelDescription": "Samsung TV RCR",
  "NetworkType": "wired",
  "SSID": "",
  "IP": "[redacted]",
  "FirmwareVersion": "Unknown",
  "DeviceName": "[TV]Samsung LED48",
  "DeviceID": "[redacted]",
  "UDN": "[redacted]",
  "Resolution": "1920x1080",
  "CountryCode": "IT",
  "SmartHubAgreement": "true",
  "ServiceURI": "http://[redacted]:8001/ms/1.0/",
  "DialURI": "http://[redacted]:8001/ws/apps/",
  "Capabilities": [
    {
      "name": "samsung:multiscreen:1",
      "port": "8001",
      "location": "/ms/1.0/"
    }
  ]
}

Ok, now I’m upset. In my network, UPnP is disabled, so I can be sure that no external ports are mapped to my TV, but this is not true for every residential user. In fact, UPnP is enabled by default on most residential routers. So if the TV asks for a port mapping, it’s possible to have this port (8001) exposed to the internet, and anybody can ask your TV for this data. It’s not a joke: you can get a list of valid wireless SSIDs with just nmap+curl.

I decided to block internet access from this device (except Netflix), so I started with my router filtering. I set this up by blocking everything except some domains. It didn’t turn out very well: while the domain list was working with my laptop, it wasn’t working with the Smart TV.

That’s very strange: it looks like Netflix (or at least Samsung’s version of Netflix) does not work the same way as the classic desktop web version.

So I installed a DNS server on my NAS and I told the TV to use that as DNS server. And then I started a Netflix show.

This resulted in an interesting list:

### this is ok
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
ntp.ubuntu.com
pool.ntp.org

### netflix
secure.netflix.com
api-global.netflix.com
appboot.netflix.com
cdn-0.nflximg.com
codex.nflxext.com
dnm.nflximg.net
ichnaea.netflix.com
nrdp.nccp.netflix.com
occ-0-322-778.1.nflxso.net
occ-1-322-778.1.nflxso.net
occ-2-322-778.1.nflxso.net

### samsung - I'm gonna blacklist these
ads.samsungads.com
cdn.samsungcloudsolution.com
devicelog.samsungcloudsolution.net
lcprd2.samsungcloudsolution.net
xpu.samsungelectronics.com
upu.samsungelectronics.com
v2-creative.s3.amazonaws.com

### samsung's friend - maybe I need this to be in whitelist
stun1.giraffic.com
stun3.giraffic.com
stun5.giraffic.com
stun7.giraffic.com
stun9.giraffic.com
test.giraffic.com

### I really wasn't expecting these
facebook.com
go.microsoft.com
google.com
secureclock.playready.microsoft.com
yahoo.com
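
One way to turn a query log like this into a filtering policy, as an added example that is not part of the original post: it classifies each name the TV asked for against suffix allow and block lists built from the categories above, and emits sinkhole rules for the blocked ones. The dnsmasq log format and `address=` rule syntax, the client address 192.0.2.50, the name `notnetflix.com`, and the choice to match whole domain suffixes rather than exact hosts are assumptions of the example; the post does not say which DNS server was used.

```python
import re

# Policy built from the categories in the list above. Suffix matching is this
# example's choice, so occ-0-322-778.1.nflxso.net is covered by "nflxso.net".
ALLOW = {"pool.ntp.org", "ntp.ubuntu.com", "netflix.com", "nflximg.com",
         "nflximg.net", "nflxext.com", "nflxso.net"}
BLOCK = {"samsungads.com", "samsungcloudsolution.com",
         "samsungcloudsolution.net", "samsungelectronics.com"}

# Constructed sample in dnsmasq log-queries format; 192.0.2.50 stands in for the TV.
SAMPLE_LOG = """\
Dec  3 21:02:11 dnsmasq[812]: query[A] appboot.netflix.com from 192.0.2.50
Dec  3 21:02:11 dnsmasq[812]: query[A] ads.samsungads.com from 192.0.2.50
Dec  3 21:02:12 dnsmasq[812]: query[AAAA] occ-0-322-778.1.nflxso.net from 192.0.2.50
Dec  3 21:02:12 dnsmasq[812]: query[A] stun1.giraffic.com from 192.0.2.50
Dec  3 21:02:13 dnsmasq[812]: query[A] devicelog.samsungcloudsolution.net from 192.0.2.50
Dec  3 21:02:13 dnsmasq[812]: query[A] notnetflix.com from 192.0.2.50
Dec  3 21:02:14 dnsmasq[812]: query[A] google.com from 192.0.2.77
"""
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)$")

def matches(name, suffixes):
    """True if name equals a listed domain or is a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))

def classify(name):
    if matches(name, BLOCK):      # block wins if a name is on both lists
        return "block"
    return "allow" if matches(name, ALLOW) else "review"

def audit(log_text, client_ip):
    """Map each name queried by client_ip to allow / block / review."""
    result = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(2) == client_ip:
            result[m.group(1)] = classify(m.group(1))
    return result

def dnsmasq_rules(verdicts):
    """Emit address=/name/0.0.0.0 lines that sinkhole the blocked names."""
    return [f"address=/{n}/0.0.0.0" for n, v in sorted(verdicts.items()) if v == "block"]

if __name__ == "__main__":
    verdicts = audit(SAMPLE_LOG, "192.0.2.50")
    for name, verdict in verdicts.items():
        print(f"{verdict:7} {name}")
    print("\n".join(dnsmasq_rules(verdicts)))
```

Names that land in "review" (here the giraffic.com STUN host and the look-alike `notnetflix.com`) are the ones to decide on by hand before tightening the policy.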

My wife is asking for TV access, so no more tests for tonight. See you in part 2.