exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Sony BRAVIA Smart TV Denial Of Service

Sony BRAVIA Smart TV Denial Of Service
Posted Jul 8, 2019
Authored by xen1thLabs

Sony BRAVIA Smart TVs suffer from multiple denial of service vulnerabilities.

tags | exploit, denial of service, vulnerability
advisories | CVE-2019-11889, CVE-2019-11890
SHA-256 | fbc4f49cf917451119e1ccf1c0315f0acf3592defffddafa87db9297f8bc2e4a

Sony BRAVIA Smart TV Denial Of Service

Change Mirror Download
## ADVISORY INFORMATION

TITLE: Two vulnerabilities found in Sony BRAVIA Smart TVs
ADVISORY URL:
CVE-2019-11889
https://www.darkmatter.ae/xen1thlabs/sony-remote-denial-of-service-triggered-over-vulnerability-hbbtv-xl-19-014/
CVE-2019-11890
https://www.darkmatter.ae/xen1thlabs/sony-remote-denial-of-service-over-wifi-lan-internet-vulnerability-xl-19-013/

DATE PUBLISHED: 02/07/2019
AFFECTED VENDORS: Sony
RELEASE MODE: Coordinated release
CVE: CVE-2019-11889, CVE-2019-11890
CVSSv3 for CVE-2019-11889: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSSv3 for CVE-2019-11890: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

## PRODUCT DESCRIPTION
BRAVIA is a brand of Sony Visual Products known as Smart TVs.
These Smart TVs are known to be high standard products.


## DETAILS OF VULNERABILITIES
xen1thLabs has found two vulnerabilities in Sony products and coordinated
the disclosure of these security flaws with Sony. The vulnerabilities have
been found in the Sony Bravia Smart TV by xen1thLabs while auditing the
security of Smart TVs. The list of affected models has not been shared by Sony.
xen1thLabs tested several Sony Bravia Smart TVs.

The summary of the vulnerabilities is:

- CVE-2019-11889 Sony Remote Denial-of-Service Triggered Over HbbTV
Vulnerability:
This vulnerability allows an attacker to remotely crash the HbbTV rendering
engine and block the TV

- CVE-2019-11890 Sony Remote Denial-of-Service Over Wifi / LAN / Internet
Vulnerability:
This vulnerability allows an attacker to remotely crash the Smart TV using
TCP packets.

### 1. CVE-2019-11889 Sony Remote Denial-of-Service Triggered Over HbbTV
Vulnerability
By sending a specifically crafted webpage over HbbTV it is possible to freeze the
television remotely. (please see the presentation at HiTB Dubai 2018 for HbbTV description
https://conference.hitb.org/hitbsecconf2018dxb/sessions/hacking-into-broadband-and-broadcast-tv-systems/),

The remote control does not appear to work except the PROG+ and PROG- buttons.
Only changing channels allows to 'un-freeze' the television. Android is supposed
to kill blocked applications.

In order to reproduce the behavior, start by generating a webpage using:

```
dd if=/dev/zero of=index.html bs=1M count=2048
````

Using the software-defined radio, send a DVB-T signal containing a HbbTV application that force
the targeted Smart TV to load a file from a controlled server. By forcing the Smart TV to load
the generated file, it can be observed from the logs, only between 180KB and 250KB are served
before the HbbTV application freezes:

```
vaccess.log:127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:06:40:54 -0400] "GET /hbbtvtest/test3/ HTTP/1.1"
200 178647 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.000000000; 2016;)
sony.hbbtv.tv.2016HE"
````

```
vaccess.log.1:127.0.1.1:80 192.168.1.191 - - [01/Apr/2019:02:36:16 -0400] "GET /hbbtvtest/test3/ HTTP/1.1"
200 170543 "http://x.test/hbbtvtest/index.php" "Mozilla/5.0 (Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/42.0.2311.152 Safari/537.36 OPR/29.0.1803.0 OMI/4.5.23.37.ALSAN5.131 HbbTV/1.2.1 (; Sony; KD-65X7500D; v1.000000000; 2016;)
sony.hbbtv.tv.2016HE"
````
Sony investigated the issue and shared the following analysis:
"MITM attack by http connection is caused by the specification of the HbbTV service".

### 2. CVE-2019-11890 Sony Remote Denial-of-Service Over Wifi / LAN / Internet Vulnerability

An unauthenticated remote attacker can synflood the Smart TV over LAN and Wi-Fi, the smart
television freezes and becomes irresponsive, some programs crash and the television reboots
randomly. No PoC is released due to low complexity level of exploitation as Sony is not
planning to release a security patch.

Sony investigated the issue and shared the following analysis:
"The Sony Product teams have conducted additional research regarding the submission and
identified the following: CVE-2019-1189: DoS over WiFi /LAN - This is due to the performance
of the interrupt operation in the Linux driver".

## SOLUTION
Sony provided the following recommendation:
"Sony's manual instructs users to: Make sure to connect to the Internet or home network
via a router, which will minimize this risk. In addition, these two symptoms can be
recovered by unplugging the power supply cable. The TV cannot be broken and there is no
internal data that can be stolen by these actions." (May 30th, 2019).

And informed xen1thLabs that:
"we will not be releasing any notifications." (June 19th, 2019).

## DISCLOSURE TIMELINE
01/04/2019 - Vulnerabilities have been found by xen1thLabs
28/04/2019 - xen1thLabs send the report to Sony through their HackerOne Bug bounty program
02/05/2019 - Updates requested from xen1thLabs through HackerOne
10/05/2019 - Vulnerabilities have been confirmed by Sony through HackerOne
14/05/2019 - xen1thLabs requests a CVE from MITRE
30/05/2019 - Sony inform xen1thLabs of the solutions recommended for users through HackerOne
30/05/2019 - xen1thLabs request the confirmation from Sony that no security patches will be provided through HackerOne
07/06/2019 - Sony informs the following "Due to the evaluation conducted by our product team we will be closing out this ticket" through HackerOne
26/06/2019 - Public disclosure

## CREDITS
xen1thLabs - Telecom Lab

## REFERENCES

CVE-2019-11889
https://www.darkmatter.ae/xen1thlabs/sony-remote-denial-of-service-triggered-over-vulnerability-hbbtv-xl-19-014/

CVE-2019-11890
https://www.darkmatter.ae/xen1thlabs/sony-remote-denial-of-service-over-wifi-lan-internet-vulnerability-xl-19-013/

Sony will not publish any security advisory nor release any security patch.

## ABOUT xen1thLabs
xen1thLabs conducts vulnerability research, which feeds in the testing and
validation activities it conducts across software, hardware and
telecommunication.

xen1thLabs houses a team of world-class experts dedicated to providing
high impact capabilities in cyber security.

At xen1thLabs we are committed to uncovering new vulnerabilities that combat
tomorrow's threats today.

More information about xen1thLabs can be found at:
https://www.darkmatter.ae/xen1thlabs/


## WORKING AT xen1thLabs
xen1thLabs is looking for several security researchers across multiple disciplines.
Join a great team of likeminded specialists and enjoy all that UAE has to offer!

If you are interested please visit:
https://www.darkmatter.ae/xen1thlabs/

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close