Smart things are having a hard time living up to their name, especially in the security department. The latest proof comes from a bug-hunter who discovered a flaw that lets bad actors hijack the video stream in Supra Smart Cloud TVs.
Imagine sitting comfortably on your couch, watching the latest John Wick movie, when your TV starts flashing an emergency alert. That’s exactly what Dhiraj Mishra does in his proof of concept (video embedded below), only instead of a Keanu Reeves blockbuster, he chose a Steve Jobs keynote speech.
The vulnerability in question (CVE-2019-12477) resides in the openLiveURL function, which allows a local attacker to broadcast fake video without authentication, Mishra explains on his blog.
He initially found the flaw through source code review and then tried different ways to exploit it. By crawling the application and reading every request, he was able to trigger the vulnerability.
“A legit user is watching some action movie and attackers trigger the remote file inclusion vulnerability at the same time, so the attacker would have full control over the TV and he can broadcast anything,” the bug-hunter tells The Register. “The attacker can broadcast any fake emergency message, or the worst case could be broadcasting a purge message.”
Mishra said he couldn’t find a way to contact the vendor, so the flaw remains unpatched.
Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.