Millions of smart TVs and remote control apps vulnerable

Who has the remote control now?
Who has the remote control now?

A staggering 6.1 million devices are at risk of remote code execution attacks due to a three-year-old vulnerability. Trend Micro published a report this week, authored by mobile threats analyst Veo Zhang, which showed that though a patch was issued for these devices in 2012, many did not update.

The vulnerabilities reside in devices that use libupnp, used to implement media playback and NAT traversal, commonly use by both smart TVs and remote control apps. 

But what could this do for the wily cyber-criminal and the unsuspecting victim? 

Bharat Mistry, a cyber-security consultant at Trend Micro told SCMagazineUK.com, “The vulnerability could be exploited to ultimately take over control of the smart TV – this could range anywhere from causing nuisance such as changing channels to more malicious activities such as spying on the victims by switching on the built-in camera to see if anyone is in the room.”

Remote code execution attacks, or arbitrary code execution, essentially describes the hijack of a computer by a hacker who has gained control of the user's computer, enabling him to send it commands without the user's consent or knowledge. 

Zhang wrote in his report that this kind of attack has been seen in the wild, and with more research “an exploit could be used not just to cause a crash, but to run arbitrary code on an affected device. The ability to run arbitrary code would give the attacker the ability to take control of the device, as on a PC.”

Trend Micro found that nearly 550 apps have this vulnerability and that over 300 of those are available on the Google Play store. Zhang went on to name some of the vulnerable apps including AirSmartPlayer, an app that turns your phone into a remote control. 

SC spoke to the developer Jack Wan who said, “We are fixing this problem at the moment and a new fixed version will be released on Google Play store shortly. We recommend customers to upgrade to the new version as soon as possible when it is released.”

SC also spoke to the developer of another app singled out in the report. The Hexlink-Smart TV remote control smartphones to be used as remote controls, and the developer, Zeng Xi, said that “As a responsible company, security and user's privacy are always our concern.”

Xi added that the vulnerability was fixed in a recent update:  “Our latest version, 1.7.1 on Google Play store, does not use libupnp any more. Customers are highly recommended to update their apps.”

Trend Micro also reported the vulnerabilities to other app developers who promptly released updates or new versions.

A spokesperson at the Google Play store told SC that apps on the store are reviewed and can be reported.

Smart TVs were also labelled as subject to the same vulnerability as those apps were. 

Mistry told SC that it's hard to tell exactly which smart TVs might use libupnp. That said, “Most manufacturers of Smart TVs will generally have a modular building block approach to the construction of the TV – so that modules will be used in multiple models. To make matters worse where manufacturers have collaborated, then the vulnerable versions of the SDK will not only exist in multiple models from one manufacturer but also across multiple manufacturers.”