Samsung SpyTV - part 1

It all started because I wanted to take a deeper look at my Samsung Smart TV features… A quick nmap gave me this:

Starting Nmap 7.01 ( https://nmap.org ) at 2017-12-03 20:48 CET
Nmap scan report for [redacted]
Host is up (0.011s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
7676/tcp open  imqbrokerd
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8080/tcp open  http-proxy
8443/tcp open  https-alt
9080/tcp open  glrpc

Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds

So I tried to access some ports via HTTP. Port 8000 is saying (in text-only):

Server is running...

And then port 8001, a 404 message (in html+css+bootstrap):

These are not the droids your looking for....

This is how you make things interesting. A quick Google search told me that another URL returns a JSON full of info, like this:

{
  "DUID": "[redacted]",
  "Model": "[redacted]",
  "ModelName": "UE48H6400",
  "ModelDescription": "Samsung TV RCR",
  "NetworkType": "wired",
  "SSID": "",
  "IP": "[redacted]",
  "FirmwareVersion": "Unknown",
  "DeviceName": "[TV]Samsung LED48",
  "DeviceID": "[redacted]",
  "UDN": "[redacted]",
  "Resolution": "1920x1080",
  "CountryCode": "IT",
  "SmartHubAgreement": "true",
  "ServiceURI": "http://[redacted]:8001/ms/1.0/",
  "DialURI": "http://[redacted]:8001/ws/apps/",
  "Capabilities": [
    {
      "name": "samsung:multiscreen:1",
      "port": "8001",
      "location": "/ms/1.0/"
    }
  ]
}

Ok, now I’m upset. In my network, UPnP is disabled, so I can be sure that no external ports are mapped to my TV, but this is not true for every residential user. In fact, UPnP is enabled by default on most residential routers. So if the TV asks for a port mapping, it’s possible to have this port (8001) exposed to the internet. And anybody can ask your TV for this data. It’s not a joke: you can get a list of valid wireless SSIDs with just nmap+curl.

I decided to block internet access from this device (except Netflix), so I started with my router filtering. I set this up by blocking everything except some domains. It didn’t turn out really well: while the domain list was working with my laptop, it wasn’t working with the SmartTV.

That’s very strange: looks like Netflix (or at least Samsung’s version of Netflix) is not working the same way as the classic desktop web version.

So I installed a DNS server on my NAS and I told the TV to use that as DNS server. And then I started a Netflix show.

This resulted in an interesting list:

### this is ok
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
ntp.ubuntu.com
pool.ntp.org

### netflix
secure.netflix.com
api-global.netflix.com
appboot.netflix.com
cdn-0.nflximg.com
codex.nflxext.com
dnm.nflximg.net
ichnaea.netflix.com
nrdp.nccp.netflix.com
occ-0-322-778.1.nflxso.net
occ-1-322-778.1.nflxso.net
occ-2-322-778.1.nflxso.net

### samsung - I'm gonna blacklist these
ads.samsungads.com
cdn.samsungcloudsolution.com
devicelog.samsungcloudsolution.net
lcprd2.samsungcloudsolution.net
xpu.samsungelectronics.com
upu.samsungelectronics.com
v2-creative.s3.amazonaws.com

### samsung's friend - maybe I need this to be in whitelist
stun1.giraffic.com
stun3.giraffic.com
stun5.giraffic.com
stun7.giraffic.com
stun9.giraffic.com
test.giraffic.com

### I really wasn't expecting these
facebook.com
go.microsoft.com
google.com
secureclock.playready.microsoft.com
yahoo.com
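
The sorting done by hand in the list above can be scripted. This is an added example, not code from the original post: it keeps only the names queried by the TV, puts them into the post's categories, and renders the blacklist group as dnsmasq sinkhole entries. The dnsmasq log format and `address=` output, the 192.0.2.x addresses, the suffix generalisation (for example `microsoft.com` covering both Microsoft names) and the `review` bucket for the giraffic and unexpected names are assumptions.

```python
import re

# Suffix policy following the post's grouping of the domains it observed.
POLICY = {
    "allow": ("pool.ntp.org", "ntp.ubuntu.com", "netflix.com", "nflximg.com",
              "nflximg.net", "nflxext.com", "nflxso.net"),
    "block": ("samsungads.com", "samsungcloudsolution.com",
              "samsungcloudsolution.net", "samsungelectronics.com",
              "v2-creative.s3.amazonaws.com"),
    "review": ("giraffic.com", "facebook.com", "microsoft.com", "google.com", "yahoo.com"),
}
# Assumed dnsmasq log-queries line format; the post does not name its DNS server.
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\] (\S+) from (\S+)")

def classify(domain):
    """Return the policy bucket for a domain, matching on label boundaries."""
    d = domain.lower().rstrip(".")
    for bucket, suffixes in POLICY.items():
        if any(d == s or d.endswith("." + s) for s in suffixes):
            return bucket
    return "unknown"  # not in the policy: surface it rather than allow silently

def triage(log_lines, tv_ip):
    """Group the unique names queried by tv_ip into policy buckets."""
    buckets = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m.group(2) == tv_ip:
            name = m.group(1).lower().rstrip(".")
            buckets.setdefault(classify(name), set()).add(name)
    return {bucket: sorted(names) for bucket, names in buckets.items()}

def dnsmasq_blocklist(buckets):
    """Emit dnsmasq address= lines that sinkhole each blocked name."""
    return [f"address=/{name}/0.0.0.0" for name in buckets.get("block", [])]

# Constructed sample log: 192.0.2.50 stands in for the TV, 192.0.2.10 for a laptop.
SAMPLE_LOG = [
    "Dec  3 21:02:11 dnsmasq[812]: query[A] secure.netflix.com from 192.0.2.50",
    "Dec  3 21:02:12 dnsmasq[812]: query[A] ads.samsungads.com from 192.0.2.50",
    "Dec  3 21:02:13 dnsmasq[812]: query[A] devicelog.samsungcloudsolution.net from 192.0.2.50",
    "Dec  3 21:02:13 dnsmasq[812]: query[A] stun1.giraffic.com from 192.0.2.50",
    "Dec  3 21:02:14 dnsmasq[812]: query[A] notsamsungads.com from 192.0.2.50",
    "Dec  3 21:02:15 dnsmasq[812]: query[A] facebook.com from 192.0.2.10",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "192.0.2.50")
    print(result, *dnsmasq_blocklist(result), sep="\n")
```

Names that land in `unknown` are the ones to look at first after a firmware update, since they were not present when the policy was written.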

My wife is asking for TV access, so no more tests for tonight. See you in part 2.