smart tv hack

6 Articles

Mockup of an LG SmartTV, showing the webOS logo, saying "debug status: DEBUG, SIGN Key: PRODKEY, Access USB Status: 0/100(C)", and showing a console prompt on the bottom.

What’s That AccessUSB Menu In My LG SmartTV?

March 30, 2022 by 22 Comments

One boring evening, [XenRE] was looking through service menus on their LG Smart TV (Russian, Google Translate), such menus accessible through use of undocumented IR remote codes. In other words, a fairly regular evening. They noticed an “Access USB Status” entry and thought the “Access USB” part looked peculiar. A few service manuals hinted that there’s a service mode you could access with an adapter made out of two back-to-back PL2303 USB-UART adapters – a few female-female jumper wires later, serial prompt greeted our hacker, and entering ‘debug’ into the prompt responded with some text, among it, “Access USB is NOT opened!!!”.

[XenRE] found the WebOS firmware for the TV online, encrypted and compressed into a proprietary LG .epk format, but liberated with an open-source tool. A few modules referred to AccessUSB there, and one detour into investigating and explaining WebOS USB vendor lock-in implementation later, they programmed an STM32 with the same VID and PID as the mythical AccessUSB device found in relevant WebOS modules decompiled with IDA. By this point, AccessUSB could safely be assumed to be a service mode dongle. The TV didn’t quite start beeping in a different pattern as we’d expect in a sci-fi movie, but it did notify about a “new USB device” – and started asking for a 6-symbol service menu password instead of a 4-symbol one. Continue reading “What’s That AccessUSB Menu In My LG SmartTV?”

Hack Your Own Samsung TV With The CIA’s Weeping Angel Exploit

April 26, 2017 by 57 Comments

[Wikileaks] has just published the CIA’s engineering notes for Weeping Angel Samsung TV Exploit. This dump includes information for field agents on how to exploit the Samsung’s F-series TVs, turning them into remotely controlled spy microphones that can send audio back to their HQ.

An attacker needs physical access to exploit the Smart TV, because they need to insert a USB drive and press keys on the remote to update the firmware, so this isn’t something that you’re likely to suffer personally. The exploit works by pretending to turn off the TV when the user puts the TV into standby. In reality, it’s sitting there recording all the audio it can, and then sending it back to the attacker once it comes out of “fake off mode”.

It is still unclear if this type of vulnerability could be fully patched without a product recall, although firmware version 1118+ eliminates the USB installation method.

The hack comes along with a few bugs that most people probably wouldn’t notice, but we are willing to bet that your average Hackaday reader would. For instance, a blue LED stays on during “fake off mode” and the Samsung and SmartHub logos don’t appear when you turn the TV back on. The leaked document is from 2014, though, so maybe they’ve “fixed” them by now.

Do you own a Samsung F-series TV? If you do, we wouldn’t worry too much about it unless you are tailed by spies on a regular basis. Don’t trust the TV repairman!

Remotely Get Root On Most Smart TVs With Radio Signals

April 6, 2017 by 59 Comments

[Rafael Scheel] a security consultant has found that hacking smart TVs takes nothing much more than an inexpensive DVB-T transmitter, The transmitter has to be in range of the target TV and some malicious signals. The hack works by exploiting hybrid broadcast broadband TV signals and widely known about bugs in web browsers commonly run on smart TVs, which seem run in the background almost all the time.

Scheel was commissioned by Cyber security company Oneconsult, to create the exploit which once deployed, gave full root privileges enabling the attacker to setup and SSH into the TV taking complete control of the device from anywhere in the world. Once exploited the rogue code is even unaffected by device reboots and factory resets.

Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways, Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV’s camera and microphone. – Rafael Scheel

Smart TV’s seem to be suffering from  IoT security problems. Turning your TV into an all-seeing, all-hearing surveillance device reporting back to it’s master is straight out of 1984.

A video of a talk about the exploit along with all the details is embedded below.
Continue reading “Remotely Get Root On Most Smart TVs With Radio Signals”

Better TV Via Hacking

September 4, 2015 by 19 Comments

Smart TVs are just dumb TVs with a computer and a network connection, right? In a variation of rule 34, if it has a computer in it, someone will hack it. When [smarttvhacker] bought a Sony 48 inch smart TV, he noticed all the software licenses listed in the manual and realized that was a big leg up into hacking the TV.

We don’t have a comparable Sony model, but [smarttvhacker’s] post is a veritable travel log of his journey from TV viewer to TV ruler. By analyzing everything from network port scans to a dump of a firmware upgrade, he wound up being able to install a telnet server.

Continue reading “Better TV Via Hacking”

Sniffing Out LG Smart TV Tracking Protocol

November 23, 2013 by 68 Comments

[DoctorBeet] noticed the advertisements on the landing screen of his new LG smart television and started wondering about tracking. His curiosity got the better of him when he came across a promotional video aimed at advertisers that boasts about the information gathered from people who use these TVs. He decided to sniff the web traffic. If what he discovered is accurate, there is an invasive amount of data being collect by this hardware. To make matters worse, his testing showed that even if the user switches the “Collection of watching info” menu item to off it doesn’t stop the data from being phoned home.

The findings start off rather innocuous, with the channel name and a unique ID being transmitted every time you change the station. Based on when the server receives the packets a description of your schedule and preferred content can be put together. This appears to be sent as plain data without any type of encryption or obfuscation.

Things get a lot more interesting when he discovers that filenames from a USB drive connected to the television are being broadcast as well. The server address they’re being sent to is a dead link — which makes us think this is some type of debugging step that was left in the production firmware — but it is still a rather sizable blunder when it comes to personal privacy. If you have one of these televisions [DoctorBeet] has a preliminary list of URLs to block with your router in order to help safeguard your privacy.

[Thanks Radcom]

Raspberry Pi Smart TV

November 20, 2013 by 25 Comments

[Tony] decided his “smart” LED TV wasn’t quite smart enough. So he stuffed a Raspberry Pi in it.

Upon opening the case of his 40″ Hisense Smart LED TV, he discovered that the logic board actually had two unused USB pads — what luck! He tapped off of them to get 5V @ 500mA to power the Pi… Later on he realized this wasn’t the ideal solution — when the TV turned off, it cut the Pi’s power too. So he pulled out his multimeter and probed the board, this time finding a 5V source that remained on while the unit was plugged in.

Next up was the placement of the Raspberry Pi. The included speakers on this particular TV weren’t that good, and since [Tony] uses a surround sound system anyway, he decided to make use of their space better. Cutting out the grill and removing the whole assembly left him with more than enough room to store the Pi and mount a 3D printed LAN and USB port cover!

He’s running Raspbmc which lends the TV tons of functionality. If you don’t mind voiding your warranty, this is a great hack!