«
»
 

Level: Technical

Abstract:
During our internal network scan we have discovered conference room TVs that have ADB (Android Debug Bridge) and HTTP port open. The ADB port required “”authentication”” to access (a confirmation on the TV screen to allow the connection), but the HTTP port allows requests that emulate TV remote control key presses which we’ve used to emulate a sequence of keys to confirm the ADB debug prompt showing on the TV at the moment when the ADB connection is happening. After connecting to the ADB port and obtaining a shell we have investigated different scenarios:
– ways to control the TV (HTTP and ADB)
– capturing TV screen and audio (natively and external tooling)
– installing own APKs to perform an action (i.e. move laterally)
– accessing attached mic to record audio
– accessing attached cam to record video

The analysis shows that all of these are possible but depend on different circumstances of the TV (Android version, integrated microphone/camera, attached external microphone/camera, …). Most of the focus was spent on capturing audio and video with attached mic and cam for which we have created our own small Android application that samples 5 seconds and stores it to a file in order to demonstrate the capabilities. We will demonstrate parts of a complete chain where we can automatically:
– request access to the ADB port
– emulate TV remote via HTTP and confirm the ADB auth prompt
– push our Android listener application via ADB
– start the Android listener application
– confirm the recording permissions on its first run (HTTP or ADB, whichever preferred)
– pull the recording file from filesystem when done”

Bio:
Tomislav Turek is an Application security lead at Infobip working with a team that analyzes and performs security reviews of application systems, integrations and code. While mostly focused in application security and software engineering, he likes to tinker with all things related to security. He invests a lot of his free time in computers and loves to participate in Capture the flag competitions.

Video/recordings:

[Slides (PDF)] [Recording (MP4)]

Posted on Monday, May 15th, 2023 at 9:36 pm in talks | rss feed for comments| Both comments and pings are currently closed.

Comments are closed.