Samsung SpyTV - part 1
It all started because I wanted to take a deeper look at my Samsung Smart TV features… A quick nmap gave me this:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-03 20:48 CET
Nmap scan report for [redacted]
Host is up (0.011s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
7676/tcp open imqbrokerd
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8080/tcp open http-proxy
8443/tcp open https-alt
9080/tcp open glrpc

Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds
So I tried to access some ports via HTTP. Port 8000 is saying (in text-only):
Server is running...
And then port 8001, a 404 message (in html+css+bootstrap):
These are not the droids your looking for....
This is how you make things interesting. A quick googling told me that another url returns a JSON full of info, like this:
{
  "DUID": "[redacted]",
  "Model": "[redacted]",
  "ModelName": "UE48H6400",
  "ModelDescription": "Samsung TV RCR",
  "NetworkType": "wired",
  "SSID": "",
  "IP": "[redacted]",
  "FirmwareVersion": "Unknown",
  "DeviceName": "[TV]Samsung LED48",
  "DeviceID": "[redacted]",
  "UDN": "[redacted]",
  "Resolution": "1920x1080",
  "CountryCode": "IT",
  "SmartHubAgreement": "true",
  "ServiceURI": "http://[redacted]:8001/ms/1.0/",
  "DialURI": "http://[redacted]:8001/ws/apps/",
  "Capabilities": [
    {
      "name": "samsung:multiscreen:1",
      "port": "8001",
      "location": "/ms/1.0/"
    }
  ]
}
Ok, now I’m upset. In my network, UPnP is disabled, so I can be sure that no external ports are mapped to my TV, but this is not true for every residential user. In fact, UPnP is enabled by default on most residential routers. So if the TV asks for a port mapping, it’s possible to have this port (8001) exposed to the internet, and anybody can ask your TV for this data. It’s not a joke: you can get a list of valid wireless SSIDs with just nmap+curl.
I decided to block internet access from this device (except Netflix), so I started with my router filtering. I set this up by blocking everything except some domains. It did not turn out well: while the domain list was working with my laptop, it wasn’t working with the Smart TV.
That’s very strange: looks like Netflix (or at least Samsung’s version of Netflix) is not working the same way as the classic desktop web version.
So I installed a DNS server on my NAS and I told the TV to use that as DNS server. And then I started a Netflix show.
This resulted in an interesting list:
### this is ok
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
ntp.ubuntu.com
pool.ntp.org

### netflix
secure.netflix.com
api-global.netflix.com
appboot.netflix.com
cdn-0.nflximg.com
codex.nflxext.com
dnm.nflximg.net
ichnaea.netflix.com
nrdp.nccp.netflix.com
occ-0-322-778.1.nflxso.net
occ-1-322-778.1.nflxso.net
occ-2-322-778.1.nflxso.net

### samsung - I'm gonna blacklist these
ads.samsungads.com
cdn.samsungcloudsolution.com
devicelog.samsungcloudsolution.net
lcprd2.samsungcloudsolution.net
xpu.samsungelectronics.com
upu.samsungelectronics.com
v2-creative.s3.amazonaws.com

### samsung's friend - maybe I need this to be in whitelist
stun1.giraffic.com
stun3.giraffic.com
stun5.giraffic.com
stun7.giraffic.com
stun9.giraffic.com
test.giraffic.com

### I really wasn't expecting these
facebook.com
go.microsoft.com
google.com
secureclock.playready.microsoft.com
yahoo.com
My wife is asking for TV access, so no more tests for tonight. See you in part 2.
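One way to turn a captured name list like the one above into a filtering policy, as an added example that is not code from the original post: it sorts observed names into allow, block and review using label-boundary suffix matching. The helper names, the two edge-case names in the sample, and the dnsmasq output format are assumptions (the post does not say which DNS server was used).

```python
# Added example: sort hostnames seen in a DNS query log into allow / block / review.
# Policy suffixes mirror the groups in the list above; the helper names are hypothetical.

ALLOW = ("pool.ntp.org", "ntp.ubuntu.com", "netflix.com", "nflximg.com",
         "nflximg.net", "nflxext.com", "nflxso.net")
BLOCK = ("samsungads.com", "samsungcloudsolution.com", "samsungcloudsolution.net",
         "samsungelectronics.com", "v2-creative.s3.amazonaws.com")

def normalize(name):
    """Lower-case and drop the trailing root dot so 'Netflix.COM.' == 'netflix.com'."""
    return name.strip().lower().rstrip(".")

def matches(name, suffix):
    """True only on a label boundary: 'notnetflix.com' must not match 'netflix.com'."""
    return name == suffix or name.endswith("." + suffix)

def classify(name):
    name = normalize(name)
    if any(matches(name, s) for s in BLOCK):   # block wins if both lists match
        return "block"
    if any(matches(name, s) for s in ALLOW):
        return "allow"
    return "review"                            # unknown name: decide by hand

def triage(names):
    """Group unique observed names by verdict, sorted for stable output."""
    out = {"allow": set(), "block": set(), "review": set()}
    for n in names:
        if normalize(n):
            out[classify(n)].add(normalize(n))
    return {k: sorted(v) for k, v in out.items()}

def dnsmasq_rules(blocked):
    """Render sinkhole lines in dnsmasq's address=/name/ip syntax (assumed resolver)."""
    return ["address=/%s/0.0.0.0" % n for n in blocked]

# Constructed sample: names from the list above plus two edge cases
# (a mixed-case duplicate with a trailing dot, and a look-alike suffix).
OBSERVED = ["secure.netflix.com", "occ-0-322-778.1.nflxso.net", "0.pool.ntp.org",
            "ads.samsungads.com", "devicelog.samsungcloudsolution.net",
            "v2-creative.s3.amazonaws.com", "stun1.giraffic.com", "facebook.com",
            "ADS.SamsungAds.com.", "notnetflix.com"]

if __name__ == "__main__":
    result = triage(OBSERVED)
    for verdict, names in result.items():
        print(verdict, names)
    print("\n".join(dnsmasq_rules(result["block"])))
```

Names that land in review (here the giraffic.com and facebook.com entries) are the ones to test one at a time before adding them to either list.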