Supra smart TVs can be hijacked to play false Emergency Alert (or anything else)

Filip TRUȚĂ

June 05, 2019


Smart things are having a hard time living up to their name, especially in the security department. The latest proof comes from a bug-hunter who discovered a flaw that lets bad actors hijack the video stream in Supra Smart Cloud TVs.

Imagine sitting comfortably on your couch, watching the latest John Wick movie, when your TV starts flashing an emergency alert. That’s exactly what Dhiraj Mishra does in his proof of concept (video embedded below), only instead of a Keanu Reeves blockbuster, he chose a Steve Jobs keynote speech.

https://youtu.be/2babA1KVpdw

The vulnerability in question (CVE-2019-12477) resides in the openLiveURL function, which allows a local attacker to broadcast fake video without authentication, Mishra explains on his blog.

He initially found the flaw through source code review and decided to try different ways to exploit it. By crawling the application and reading every request, he was able to trigger the vulnerability.

“A legit user is watching some action movie and attackers trigger the remote file inclusion vulnerability at the same time, so the attacker would have full control over the TV and he can broadcast anything,” the bug-hunter tells The Register. “The attacker can broadcast any fake emergency message, or the worst case could be broadcasting a purge message.”

Mishra said he couldn’t find a way to contact the vendor, so the flaw remains unpatched.


Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
