Security researcher Dhiraj Mishra just discovered a security vulnerability, CVE-2019-12477, in the SUPRA smart TV brand.
Apparently, Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which could enable a local attacker to broadcast fake video without any authentication using /remote/media_control?action=setUri&uri=URI.
More about CVE-2019-12477
SUPRA is a Russian company that manufactures audio-video equipment, household appliances and car electronics. Most of the technology is being distributed through e-commerce websites based in Russia, China, and UAE.
In his report, the researcher shared that he successfully exploited `openLiveURL()` which allows a local attacker to broadcast video on supra smart cloud TV. “I found this vulnerability initially by source code review and then by crawling the application and reading every request helped me to trigger this vulnerability,” Mishra said.
To trigger the vulnerability, an attacker would only have to send a specially crafted request to the following URL:
Although the above mention URL takes (.m3u8) format based video. We can use `curl -v -X GET` to send such request, typically this is an unauth remote file inclusion. An attacker could broadcast any video without any authentication, the worst case attacker could leverage this vulnerability to broadcast a fake emergency message (Scary right?).
The problem here is that the vulnerability remains unpatched and it is highly likely it will stay this way. The researcher didn’t find any way to contact the vendor to report his findings. There’s also a proof-of-concept video revealing the successful exploitation. The video shows how a speech of Steve Jobs is suddenly replaced with an attacker’s fake “Emergency Alert Message”.
The vulnerability has been assigned a CVE ID, CVE-2019-12477 but there is no information if it will ever be addresses. So, what can owners of SUPRA Smart Cloud TVs do? The short answer is keeping the wireless network as secure as possible by using a strong password and a firewall for all smart devices. Because, as we’re proven every day, smart homes are not that smart at all.
A great example of how easy it is to hack a smart home comes from Avast researchers. Last August, they warned about the MQTT protocol (Message Queuing Telemetry Transport) which, if misconfigured, could give hackers complete access to a smart home. As a result of this security loophole, the home could be manipulated in many ways including its entertaining and voice systems, various household devices, and smart doors.