Man-in-the-middle attack on Vizio TVs coughs up owners’ viewing habits

Hack underscores amateur goofs routinely made by Internet-of-Things developers.

The cautionary tales just keep coming for Internet-connected TVs, thermostats, and other so-called “Internet-of-Things” devices. Today’s lesson comes courtesy of a smart TV from Vizio that was subjected to a man-in-the-middle attack because it couldn’t be bothered to validate the HTTPS certificates of servers it connected to.

Researchers from security firm Avast found that the Vizio model in their lab broadcast fingerprints of users’ viewing habits, even when owners hadn’t consented to a privacy policy displayed during setup. What’s more, the researchers uncovered a vulnerability in the smart TV that could act as a potential attack vector for a hacker attempting to access a user’s home network.

Specifically, the TV accepted a self-signed forged certificate when connecting to tvinteractive.tv, a site the TV accessed about once per second. After studying the data sent to and from the server, the researchers discovered that commands the server sent the TV came embedded with a token. Rather than checking the validity of the HTTPS certificate, the TV inspected a checksum at the end of the data before it would accept the data. The checksum was the MD5 hash of the command combined with a secret cryptographic salt.

The researchers were unable to use traditional cracking methods to figure out what the salt was. So they instead used some reverse-engineering creativity to enumerate the entire file system on the TV. They soon found a plain-text file that contained the salt (which they declined to name). They were then able to use their man-in-the-middle attack both to read data the TV sent to the server and to impersonate the server and send commands back to the TV. With that, they were able to decrypt the entire binary stream that traveled between the TV and tvinteractive.tv, which is operated by a company called Cognitive Networks.
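
The sketch below is an added example, not code from Vizio, Cognitive Networks or Avast. It contrasts a salted-MD5 checksum of the kind described above with what a client would normally do instead: validate the server certificate, then check a keyed, replay-resistant tag as a second layer. The salt, the key, the concatenation order, the counter field and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ssl

# Constructed values for illustration only; none come from the TV or the article.
SHARED_SALT = b"constructed-salt-stored-in-plain-text"
DEVICE_KEY = b"constructed-per-device-key-000001"


def legacy_checksum(command: bytes, salt: bytes = SHARED_SALT) -> str:
    """MD5 over command plus salt (concatenation order is an assumption)."""
    return hashlib.md5(command + salt).hexdigest()


def legacy_accept(command: bytes, checksum: str) -> bool:
    # Whoever holds the salt can compute this value, so once the salt is
    # readable on the device the checksum no longer identifies the server.
    return legacy_checksum(command) == checksum


def strict_tls_context() -> ssl.SSLContext:
    """Client context that rejects self-signed or mismatched certificates."""
    ctx = ssl.create_default_context()        # loads the system trust roots
    ctx.check_hostname = True                 # name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED       # chain must validate to a root
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sign_command(command: bytes, counter: int, key: bytes = DEVICE_KEY) -> str:
    """HMAC-SHA256 over an increasing counter plus the command."""
    msg = counter.to_bytes(8, "big") + command
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def accept_command(command: bytes, counter: int, tag: str,
                   last_counter: int, key: bytes = DEVICE_KEY) -> bool:
    """Second layer behind TLS: reject replays, compare in constant time."""
    if counter <= last_counter:
        return False
    return hmac.compare_digest(sign_command(command, counter, key), tag)
```

A socket wrapped with `strict_tls_context().wrap_socket(sock, server_hostname=...)` fails the handshake on a self-signed certificate, which is the check the TV skipped.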