Not so Smart: On Smart TV Apps

Marcus Niemietz, Juraj Somorovsky, Christian Mainka, Jörg Schwenk

International Workshop on Secure Internet of Things (SIoT 2015, Vienna, Austria)


Abstract

One of the main characteristics of Smart TVs is apps. Apps extend the Smart TV's behavior with various functionalities, ranging from the use of social networks or paid streaming services to buying articles on Ebay. These actions require the use of critical data such as authentication tokens and passwords, and thus raise questions about new attack scenarios and the general security of Smart TV apps.

In this paper, we investigate attack models for Smart TVs and their apps, and systematically analyze the security of Smart TV devices. We point out that some popular apps, including Facebook, Ebay and Watchever, send login data over unencrypted channels. Even worse, we show that an arbitrary app installed on devices of the market share leader Samsung can gain access to the credentials of a Samsung Single Sign-On account. Such an app can therefore hijack a complete user account, including all devices connected with it, such as smartphones and tablets. Based on our findings, we provide recommendations that are of general importance and applicable to areas beyond Smart TVs.
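The first finding above, login data sent over unencrypted channels, is the kind of defect an app reviewer can catch mechanically from captured traffic. The following audit routine is an added example and is not code from the paper or its authors; it assumes the captured requests have already been reduced to a dict with a URL, optional headers and an optional URL-encoded body, and it flags two conditions: a credential-bearing request to a non-HTTPS origin, and a credential placed in the URL query string (where it ends up in proxy and server logs even over TLS). The hostnames and field list are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names that usually carry a secret (constructed list for this example;
# extend it with the names the app under review actually uses).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "token", "access_token",
                     "auth_token", "session", "sessionid"}


def credential_fields(params):
    """Return, sorted, the parameter names in `params` that look like secrets."""
    return sorted(k for k in params if k.lower() in CREDENTIAL_FIELDS)


def audit_request(req):
    """Classify one captured request.

    `req` is a dict with key "url" and optional keys "headers" (dict) and
    "body" (URL-encoded form string). Returns a list of finding codes:
      CLEARTEXT_CREDENTIALS - a secret (query, body, Authorization or Cookie
                              header) travels over a scheme other than https
      CREDENTIALS_IN_URL    - a secret is carried in the query string
    """
    parts = urlsplit(req["url"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    in_query = credential_fields(parse_qs(parts.query, keep_blank_values=True))
    in_body = credential_fields(parse_qs(req.get("body", ""), keep_blank_values=True))
    in_headers = [h for h in ("authorization", "cookie") if h in headers]

    findings = []
    if parts.scheme.lower() != "https" and (in_query or in_body or in_headers):
        findings.append("CLEARTEXT_CREDENTIALS")
    if in_query:
        findings.append("CREDENTIALS_IN_URL")
    return findings


def audit_all(requests):
    """Map each URL that produced at least one finding to its finding codes."""
    report = {}
    for req in requests:
        findings = audit_request(req)
        if findings:
            report[req["url"]] = findings
    return report


# Constructed sample capture; hostnames are placeholders, not real services.
SAMPLE_REQUESTS = [
    {"url": "http://login.example-tvapp.test/auth",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=alice&password=hunter2"},
    {"url": "https://api.example-tvapp.test/feed?access_token=abc123"},
    {"url": "https://sso.example-vendor.test/login",
     "body": "user=alice&password=hunter2"},
    {"url": "http://cdn.example-tvapp.test/poster.png"},
    {"url": "http://api.example-tvapp.test/me?token=abc123",
     "headers": {"Authorization": "Bearer abc123"}},
]

if __name__ == "__main__":
    for url, codes in audit_all(SAMPLE_REQUESTS).items():
        print(url, "->", ", ".join(codes))
```

Running the block lists only the first, second and fifth sample requests; the third shows that credentials in a POST body over HTTPS are acceptable to this check, and the fourth that plain-HTTP traffic without secrets is not flagged.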

The distributed document has been provided by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a noncommercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.

[pdf]

Tags: Internet of Things, OAuth, Samsung, Single Sign-On, smart-tv, TLS, XHR, XXE