
CVE-2019-12477: Vulnerability in Supra Smart Cloud TV

Security researcher Dhiraj Mishra has just discovered a security vulnerability, CVE-2019-12477, in the SUPRA smart TV brand.

Apparently, Supra Smart Cloud TV allows remote file inclusion in the openLiveURL function, which could enable a local attacker to broadcast fake video without any authentication using /remote/media_control?action=setUri&uri=URI.

More about CVE-2019-12477

SUPRA is a Russian company that manufactures audio-video equipment, household appliances and car electronics. Most of the technology is being distributed through e-commerce websites based in Russia, China, and UAE.

In his report, the researcher shared that he successfully exploited `openLiveURL()`, which allows a local attacker to broadcast video on a Supra Smart Cloud TV. “I found this vulnerability initially by source code review, and then crawling the application and reading every request helped me to trigger this vulnerability,” Mishra said.

Related: 40% of Smart Homes Currently Vulnerable to Hacking (https://sensorstechforum.com/smart-homes-at-risk-to-hackers/)

To trigger the vulnerability, an attacker would only have to send a specially crafted request to the following URL:

https://192.168.1.155/remote/media_control?action=setUri&uri=https://attacker.com/fake_broadcast_message.m3u8

The URL above takes an .m3u8 playlist as the video source. Such a request can be sent with `curl -v -X GET`; in effect, this is an unauthenticated remote file inclusion. An attacker could broadcast any video without any authentication, and in the worst case could leverage this vulnerability to broadcast a fake emergency message (scary, right?).

The problem here is that the vulnerability remains unpatched, and it is highly likely it will stay this way. The researcher didn’t find any way to contact the vendor to report his findings. There’s also a proof-of-concept video showing the successful exploitation: a speech by Steve Jobs is suddenly replaced with the attacker’s fake “Emergency Alert Message”.

The vulnerability has been assigned a CVE ID, CVE-2019-12477, but there is no information on whether it will ever be addressed. So, what can owners of SUPRA Smart Cloud TVs do? The short answer is to keep the wireless network as secure as possible, using a strong password and a firewall for all smart devices. Because, as is proven every day, smart homes are not that smart at all.
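Since the endpoint itself cannot be patched by the owner, the practical defence is to keep the TV off untrusted networks and to watch for the request shape described above. The following is an added example, not code from the article or from the researcher's report: a small scan over constructed access-log lines (hypothetical `client-ip method url` format) that flags `setUri` calls whose stream source or whose client sits outside the RFC 1918 home network.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in a hypothetical "<client-ip> <method> <request-url>" format.
SAMPLE_LOG = """\
192.168.1.20 GET /remote/media_control?action=setUri&uri=https://attacker.example/fake_broadcast_message.m3u8
192.168.1.20 GET /remote/media_control?action=setUri&uri=http://192.168.1.10/stream/playlist.m3u8
192.168.1.20 GET /remote/media_control?action=play
203.0.113.7 GET /remote/media_control?action=setUri&uri=rtsp://203.0.113.9/live
"""

# RFC 1918 ranges plus loopback; anything else (including bare hostnames) is treated as external.
LAN_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(host):
    """True only for IP literals inside the home-network ranges above."""
    try:
        addr = ip_address(host)
    except ValueError:      # hostnames such as attacker.example are not resolved here
        return False
    return any(addr in net for net in LAN_NETWORKS)

def classify_request(client_ip, url):
    """Return the reasons a request looks like setUri abuse; [] means nothing to flag."""
    parts = urlsplit(url)
    if parts.path != "/remote/media_control":
        return []
    params = parse_qs(parts.query)
    if params.get("action", [""])[0] != "setUri":
        return []
    reasons = []
    if not is_internal(client_ip):
        reasons.append("setUri issued from outside the LAN")
    for uri in params.get("uri", []):          # the uri value is itself a full URL
        if not is_internal(urlsplit(uri).hostname or ""):
            reasons.append("stream source outside the LAN: " + uri)
    return reasons

def scan_log(text):
    """Return (client_ip, url, reasons) for every flagged line."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        client_ip, _method, url = fields
        reasons = classify_request(client_ip, url)
        if reasons:
            findings.append((client_ip, url, reasons))
    return findings

if __name__ == "__main__":
    for client_ip, url, reasons in scan_log(SAMPLE_LOG):
        print(client_ip, url, "; ".join(reasons))
```

A local playlist source from a LAN client is left alone, so only the two suspicious lines in the sample are reported.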

Related: Misconfigured MQTT Protocol Puts Thousands of Smart Homes at Risk (https://sensorstechforum.com/misconfigured-mqtt-protocol-risks-smart-homes/)

A great example of how easy it is to hack a smart home comes from Avast researchers. Last August, they warned about the MQTT protocol (Message Queuing Telemetry Transport) which, if misconfigured, could give hackers complete access to a smart home. As a result of this security loophole, the home could be manipulated in many ways, including its entertainment and voice systems, various household devices, and smart doors.

Milena Dimitrova
