Philips smart TVs open to remote attacks via default wireless connection, researchers say

The latest firmware for some Philips smart TVs opens an insecure Miracast wireless network by default, security researchers from ReVuln said

The latest firmware in some Philips smart TV models opens an insecure Miracast wireless network, allowing potential attackers located in the signal range to control the TV remotely and perform unauthorized actions.

Researchers from Malta-based vulnerability research firm ReVuln recently published a video demonstration of what attackers can do after they connect to the insecure wireless networks of the affected Philips TVs. The potential attacks include: accessing the TV's configuration files; accessing files stored on USB devices attached to the TV; broadcasting video, audio and images to the TV; controlling the TV via an external remote control application; and stealing website authentication cookies from the TV's browser.

The insecure network is opened by Miracast, a feature that enables the wireless delivery of audio and video content to the TV screen from desktops, tablets, phones, and other devices.

The Philips TVs running vulnerable firmware versions open a wireless network connection with an identifier that starts with DIRECT-xy and can be accessed with a hard-coded password, the ReVuln security researchers said Friday via email.

"So basically you just connect directly to the TV via WiFi without restrictions," the researchers said. "Miracast is enabled by default and the password cannot be changed. We tried all the possible ways to reset the TV, including those methods suggested in the Philips manual [...] but the TV just allows anyone to connect."

The TV doesn't use any additional security measures, such as generating a unique PIN for each wireless client or asking the owner for manual confirmation before authorizing incoming connections.

The problem was likely introduced a few months ago and only exists in newer firmware versions, the ReVuln researchers said. Some models tested in a shop didn't have this issue, but they were running older firmware, they said.

The researchers tested a Philips 55PFL6008S TV, but believe many 2013 models are also affected because they share the same firmware. For example, the 47PFL6158, 55PFL8008 and 84PFL9708 models all use the same firmware although they have different screen sizes, they said.

Combined with a directory traversal vulnerability in JointSpace, the service that allows external programs to remotely control the TV, the insecure wireless access allows attackers to extract TV configuration files, media files located on the attached USB devices, or authentication cookies for Gmail and other sites from the TV browser.

"The cookies of the Opera browser integrated in the TV and used for all the websites (including the TV apps) are all stored in one file with a fixed path and name, so it's easy to get all of them with one download," the researchers said.
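The directory traversal described above is a general class of bug in any service that serves files named by the client, and the fix is the same everywhere: resolve the requested name and refuse anything that lands outside the permitted directory. The following is an added Python example, not code from ReVuln, Philips or the JointSpace service (whose actual API and file paths are not documented on this page); the directory layout and file contents are constructed. It places the vulnerable pattern, joining the client-supplied path to a base directory with no containment check, next to a hardened version that decodes and normalises the path and rejects anything that escapes the base directory.

```python
import os
import tempfile
import urllib.parse


def build_sample_tree():
    """Constructed stand-in for a device filesystem: a 'media' directory the
    service is allowed to serve, and a sensitive file one level above it that
    plays the role of a browser cookie store at a fixed path (hypothetical
    layout, not the real firmware's)."""
    root = tempfile.mkdtemp(prefix="tv-")
    media = os.path.join(root, "media")
    os.makedirs(media)
    with open(os.path.join(media, "holiday.jpg"), "wb") as f:
        f.write(b"\xff\xd8constructed-jpeg")
    with open(os.path.join(root, "cookies.dat"), "wb") as f:
        f.write(b"constructed-secret-cookies")
    return root, media


def vulnerable_resolve(base, requested):
    """The 'before' pattern: the client-controlled name is joined to the base
    directory as-is, so '..' segments walk out of it."""
    return os.path.join(base, requested)


def hardened_resolve(base, requested):
    """Decode once, normalise, then require the real path to sit inside the
    real base directory. Returns None for any rejected request."""
    base_real = os.path.realpath(base)
    # Decode percent-encoding once so "..%2F" is checked as "../". Web
    # frameworks usually do this already; never decode more than once here.
    requested = urllib.parse.unquote(requested)
    # Absolute paths and embedded NUL bytes are never legitimate file names.
    if "\x00" in requested or os.path.isabs(requested):
        return None
    # realpath collapses '..' segments and follows symlinks, so the
    # containment check sees where the request really ends up.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath is prefix-safe: "/tv/media2" is not inside "/tv/media".
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def read_file(resolved):
    """Return the file's bytes, or None if the path was rejected or is not a
    regular file."""
    if resolved is None or not os.path.isfile(resolved):
        return None
    with open(resolved, "rb") as f:
        return f.read()


def demo():
    """Run the same requests through both resolvers and return the outcomes."""
    root, media = build_sample_tree()
    traversal = "../cookies.dat"
    encoded_traversal = "..%2Fcookies.dat"
    legit = "holiday.jpg"
    return {
        "vuln_traversal": read_file(vulnerable_resolve(media, traversal)),
        "hard_traversal": read_file(hardened_resolve(media, traversal)),
        "hard_encoded": read_file(hardened_resolve(media, encoded_traversal)),
        "hard_legit": read_file(hardened_resolve(media, legit)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable resolver hands back the contents of the file outside the served directory; the hardened one returns nothing for both the plain and the percent-encoded traversal while still serving the legitimate media file. Note that a hard-coded network password, as described for the Miracast network, gives an attacker the position from which requests like these are sent, so the path check is a second layer, not a substitute for proper pairing.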

With these cookies, attackers can potentially gain access to the online accounts of the TV owners. However, the success of such attempts depends on the additional security measures of each website.

The directory traversal vulnerability in JointSpace was publicly disclosed in September by researchers from a Berlin-based security consultancy firm called Schobert IT-Security Consulting. The flaw doesn't appear to have been fixed by Philips and still exists in the latest firmware version -- 173.46, according to the ReVuln researchers.

However, even if this vulnerability is patched, the insecure Miracast wireless network still enables other attacks, like transmitting attacker-controlled video and audio content to the TV or remotely controlling the TV through an external application.

"We recognize the security issue as reported by ReVuln linked to Miracast on the high-end 2013 Philips Smart TVs," said Eva Heller, head of global communications at TP Vision, a joint venture between Philips and TPV Technology that manufactures and sells Philips-branded TVs, in an emailed statement. "Our experts are looking into this and are working on a fix."

TP Vision recommends that, in the meantime, consumers switch off the Wi-Fi Miracast function of the TV. To do this, they need to press the HOME button, navigate to Setup, select Network Settings, navigate to Wi-Fi Miracast and set that to OFF.

Stories by Lucian Constantin