Parent: Samsung SpyTV - part 1
You're watching TV. The TV is watching you. Damn.
Yesterday I ran some more tests to analyze the traffic generated by my TV. I put the TV on a separate VLAN behind a pfSense VM with a transparent proxy enabled.
Then the horror started.
Every time you switch on the TV, it sends countless requests to Samsung domains and IP addresses all around the world. I knew this was bad news for filtering, but my initial strategy was to block everything except the handful of domains used by Netflix. In fact, the only traffic this TV is supposed to generate is 97% Netflix, 2% rai.tv (an Italian television network) and 1% YouTube, so I was pretty confident that this would be a valid way to implement filtering for this machine.
Netflix didn't see it that way.
Let's ignore the fact that every time you open an app on the TV this evil thing tells Samsung (and maybe others) about it.
Let's concentrate on Netflix. After a lot of tinkering I had to face the fact that Netflix contacts its servers both by hostname (resolved via DNS) and via direct IP connections, and there are a LOT of IPs. You can whitelist DNS domains, and you can whitelist single IPs, but the current Fritz!OS can't whitelist IP ranges (subnets), which makes IP whitelisting simply unfeasible.
After 2 hours, I had a Squid whitelist of about 40 lines (regular expressions involved, to correctly manage IP subnets) and a blacklist of about 15 domains (no IPs here, because Fritz!OS only accepts domains). So I lowered my goals: at this point I would be happy to accept blacklisting of the unwanted traffic, with a big question mark over Samsung (or partner) IPs accessed directly.
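As an added example (not the author's Squid configuration), here is a small Python script that does the triage described above by machine instead of by hand: it parses Squid native-format access.log lines, separates hostname destinations from direct-IP ones, checks the IPs against CIDR prefixes with the standard ipaddress module, tallies what a whitelist-only policy would allow or deny, and renders the same lists as Squid ACLs. The log lines, the `.example` hostnames and the 198.51.100.0/24 prefix are constructed placeholders (documentation address space, not a real Netflix allocation); the domain suffixes are starting points to be verified against your own logs.

```python
"""Triage a Squid access.log for a whitelist-only policy.

Added example: parses native-format access.log lines, splits destinations into
hostnames and direct IPs, matches them against an allow-list of domain suffixes
and CIDR prefixes, and renders the same lists as Squid ACLs.
"""
import ipaddress
from urllib.parse import urlsplit

# Domain suffixes to allow. These are starting points, not a verified list:
# check them against the destinations your own proxy logs show.
ALLOWED_DOMAINS = ("netflix.com", "nflxvideo.net", "rai.tv", "youtube.com", "googlevideo.com")

# Hypothetical CIDR prefix standing in for a streaming CDN range
# (documentation address space, not a real Netflix allocation).
ALLOWED_NETS = (ipaddress.ip_network("198.51.100.0/24"),)

# Constructed Squid native-format log lines (not captured from a real TV):
# timestamp elapsed client result/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1447166401.123    245 192.168.50.10 TCP_TUNNEL/200 4521 CONNECT api.netflix.com:443 - HIER_DIRECT/198.51.100.3 -
1447166402.456     98 192.168.50.10 TCP_TUNNEL/200 1200 CONNECT 198.51.100.17:443 - HIER_DIRECT/198.51.100.17 -
1447166403.789    120 192.168.50.10 TCP_MISS/200 812 GET http://telemetry.samsung.example/ping - HIER_DIRECT/203.0.113.5 text/html
1447166404.100     60 192.168.50.10 TCP_TUNNEL/200 300 CONNECT 203.0.113.77:443 - HIER_DIRECT/203.0.113.77 -
1447166405.200    410 192.168.50.10 TCP_TUNNEL/200 9000 CONNECT www.rai.tv:443 - HIER_DIRECT/192.0.2.9 -
1447166406.300     70 192.168.50.10 TCP_TUNNEL/200 600 CONNECT 198.51.100.17:443 - HIER_DIRECT/198.51.100.17 -
"""


def parse_line(line):
    """Split one native-format line into its fields; None for short or garbled lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return {"client": fields[2], "result": fields[3], "method": fields[5], "url": fields[6]}


def destination(method, url):
    """Extract the destination host from a logged URL.

    CONNECT lines carry host:port; other methods carry a full URL.
    """
    if method == "CONNECT":
        host, _, _port = url.rpartition(":")
        return host.strip("[]")  # drop IPv6 brackets
    return (urlsplit(url).hostname or "").strip("[]")


def classify(dest):
    """Return (verdict, kind): verdict is 'allow' or 'deny', kind is 'ip' or 'host'."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        # Not an IP literal: suffix-match against the domain allow-list so that
        # api.netflix.com matches but evil-netflix.com does not.
        name = dest.lower().rstrip(".")
        ok = any(name == d or name.endswith("." + d) for d in ALLOWED_DOMAINS)
        return ("allow" if ok else "deny", "host")
    # Direct-IP destination: prefix match, which is what a per-address list cannot do.
    ok = any(ip in net for net in ALLOWED_NETS)
    return ("allow" if ok else "deny", "ip")


def audit(log_text):
    """Tally every distinct destination with its verdict and hit count."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        dest = destination(rec["method"], rec["url"])
        verdict, kind = classify(dest)
        entry = report.setdefault(dest, {"verdict": verdict, "kind": kind, "hits": 0})
        entry["hits"] += 1
    return report


def squid_acl_lines():
    """Render the allow-lists as Squid ACLs.

    dstdomain takes '.suffix' wildcards and dst takes CIDR prefixes natively,
    so no regular expressions are needed for subnets.
    """
    domains = " ".join("." + d for d in ALLOWED_DOMAINS)
    nets = " ".join(str(n) for n in ALLOWED_NETS)
    return [
        f"acl tv_ok_domains dstdomain {domains}",
        f"acl tv_ok_nets dst {nets}",
        "http_access allow tv_ok_domains",
        "http_access allow tv_ok_nets",
        "http_access deny all",
    ]


if __name__ == "__main__":
    for dest, info in sorted(audit(SAMPLE_LOG).items()):
        print(f"{info['verdict']:5} {info['kind']:4} {info['hits']:3}  {dest}")
    print("\n".join(squid_acl_lines()))
```

Two caveats when running this against a real log. On an intercepting proxy, the hostname of a TLS connection is only visible if Squid peeks at the SNI; otherwise only the IP (and therefore only the `dst` rule) applies. And notice that the allowed and the denied destinations in the constructed log all use port 443: a rule keyed on port alone cannot tell them apart, which is why destination-based lists are needed at all.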
Then another slap in the face came. In Fritz!OS you can choose between these options for web filtering:
- no filtering
- block everything except whitelist - but no IPs in the whitelist and no regular expression support
- allow everything except blacklist - same here, no IPs in the blacklist and no regular expressions - and IP filtering is enabled here
IP filtering means that by default direct IP connections are not allowed and you have to unblock every single IP address. This rendered blacklisting useless.
So, after some hours invested in this analysis, the best tradeoff is to allow only HTTPS traffic and put this thing on the guest network. I'm still ignoring the fact that this evil machine has a microphone and reports to someone every time I switch it on or off and which app I'm using. Next steps:
- have a talk with the Netflix guys about it
- have a talk with the AVM guys (the maker of my router); in fact, I'm a reseller/partner
Side note on Netflix
Video streaming should be fast, right? Netflix knows that and partners with almost all ISPs to place dedicated caching machines inside the ISP's network (its Open Connect program), so that latency is very low. I suppose there's some traffic shaping involved too, at least in my ISP's case.