Not so Smart: On Smart TV Apps

Presented at DeepSec 2015 „DeepSec No. 9“, Nov. 20, 2015, 4 p.m. (50 minutes)

One of the main characteristics of Smart TVs is apps. Apps extend the Smart TV's menu with various functionalities, ranging from the use of social networks or paid streaming services to buying articles on eBay. These actions require the use of critical data like authentication tokens and passwords, and thus raise the question of new attack scenarios and the general security of Smart TV apps. We investigate attack models for Smart TVs and their apps, and systematically analyze the security of Smart TV devices. We point out that some popular apps, including Facebook, eBay or Watchever, send login data over unencrypted channels. Even worse, we show that an arbitrary app installed on devices of the market share leader Samsung can gain access to the credentials of a Samsung Single Sign-On account. Such an app can therefore hijack a complete user account, including all of the user's devices connected with it, like smartphones and tablets. Based on our findings, we provide recommendations of general importance that are applicable to areas beyond Smart TVs.

Presenters:

  • Marcus Niemietz - 3curity GmbH
    Marcus Niemietz is a co-founder of 3curity and a security researcher at the Ruhr-University Bochum in Germany. He focuses on web security topics like HTML5 and especially UI redressing. Marcus published a book about UI redressing and clickjacking for security experts and web developers in 2012. Besides that, he works as a security consultant and gives security trainings for well-known companies. Marcus has spoken at a large variety of international conferences.
