Skip to main content
SpringerLink
Log in

Media Playback System

  • Chapter
  • First Online:
Smart TV Security

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))

  • 616 Accesses

Abstract

Media playback functionality is essential to any Smart TV (STV). Common features such as the built-in media player, video-on-demand apps, or the web browser build upon this functionality, which is often implemented in the form of a central media playback system. The processing of media files is a complex task, however, and without appropriate protection measures, vulnerabilities in this component can lead to the complete compromise of the STV. This chapter presents two vulnerabilities and corresponding PoC exploits that are able to fully compromise all previous STV generations from a major vendor.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The update was released in late June.

References

  1. Adobe. Real-time messaging protocol (RTMP) specification. http://www.adobe.com/devnet/rtmp.html.

  2. ARM. ELF for the ARM architecture, Nov. 2012. http://infocenter.arm.com/help/topic/com.arm.doc.ihi0044e/IHI0044E_aaelf.pdf.

  3. F. Bellard et al. QEMU open source processor emulator. http://www.qemu.org.

  4. A. Blanda. Fuzzing the media framework in Android. Presented at the Android Builders Summit, San Jose, USA, Mar. 2015. http://events.linuxfoundation.org/sites/events/files/slides/ABS2015.pdf.

  5. J. Bramley. Caches and self-modifying code. Blog post, ARM Connected Community, Feb. 2010. http://community.arm.com/groups/processors/blog/2010/02/17/caches-and-self-modifying-code.

  6. S. Checkoway, L. Davi, A. Dmitrienko, A.-R. Sadeghi, H. Shacham, and M. Winandy. Return-oriented programming without returns. In Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS ’10, pages 559–572, NY, USA, 2010. ACM.

    Google Scholar 

  7. DLNA organization. Digital Living Network Alliance (DLNA). http://www.dlna.org.

  8. ETSI. Hybrid Broadcast Broadband TV (TS 102 796 V1.2.1). European Telecommunications Standards Institute, Nov. 2012.

    Google Scholar 

  9. FFmpeg. FFmpeg releases. http://ffmpeg.org/releases/.

  10. FFmpeg. The libavformat library. http://www.ffmpeg.org/libavformat.html.

  11. Google. Android media: Stagefright. http://source.android.com/devices/media.html.

  12. Google. Android TV, 2015. http://www.android.com/tv/.

  13. HbbTV Association. Hbbtv 2.0 specification. Feb. 2015. https://www.hbbtv.org/pages/about_hbbtv/specification-2.php.

  14. T. Klein. A Bug Hunter’s Diary. A Guided Tour Through the Wilds of Software Security. No Starch Press, 1st edition, Nov. 2011.

    Google Scholar 

  15. N. Klopfenstein. Linux/ARM – connect back /bin/sh. http://shell-storm.org/shellcode/files/shellcode-754.php.

  16. S. Krahmer. x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique, 2005. http://users.suse.com/~krahmer/no-nx.pdf.

  17. LG. Opensource code distribution. http://opensource.lge.com/osSch/list?types=ALL&search=8609.

  18. Linux kernel documentation. SECure COMPuting with filters. https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt.

  19. Linux Programmer’s Manual. backtrace – support for application self-debugging (BACKTRACE(3)). http://man7.org/linux/man-pages/man3/backtrace.3.html.

  20. H. Ma and G. Qiuying. Design of functions in Smart TV: A survey study of user acceptance on Smart TV functions, 2014. http://www.diva-portal.org/smash/get/diva2:743729/FULLTEXT01.pdf.

  21. M. Melanson. 4xm format. MultimediaWiki, Dec. 2003. http://wiki.multimedia.cx/index.php?title=4xm_Format.

  22. B. Michéle and A. Karpow. Watch and be watched: Compromising all Smart TV generations. In Proceedings of the 11th Consumer Communications and Networking Conference (CCNC), pages 351–356. IEEE, Jan. 2014.

    Google Scholar 

  23. Microsoft. Microsoft media server (MMS) protocol. https://msdn.microsoft.com/en-us/library/cc234711.aspx.

  24. H. Schmundt. Smart-TV. Glotze glotzt zurück. Der Spiegel, 8/2014. http://www.spiegel.de/spiegel/print/d-125080841.html.

  25. H. Schulzrinne, S. Casner, R. Frederick, and V. Jacobson. RTP: A transport protocol for real-time applications, July 2003. RFC3550.

    Google Scholar 

  26. Sony. Source code distribution service, R4 series. http://oss.sony.net/Products/Linux/TV/KDL-40R483B.html.

  27. Sony. Source code distribution service, W series. http://oss.sony.net/Products/Linux/TV/KDL-32W705B.html.

Download references

Author information

Authors and Affiliations

  1. Security in Telecommunications, Technische Universität Berlin, Berlin, Germany

    Benjamin Michéle

Authors
  1. Benjamin Michéle
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Benjamin Michéle .

Appendix

Appendix

The exploits presented in this chapter are tailored for Samsung STVs, most of which are powered by ARM CPUs. The Linux OS on these devices executes binaries conforming to the common Executable and Linkable Format (ELF) for ARM [2]. An ELF file consists of a header and various sections containing instructions, data, a symbol table, etc.

TEXT The TEXT section contains the executable instructions of the program or library. It is usually mapped to memory with read and execute—but not write—permissions. The entire section can be relocated if the contained code is position-independent.

GOT Shared libraries can be loaded to (almost) arbitrary addresses in the virtual address space of a process at runtime. Access to functions and data from other shared libraries (imported symbols) therefore cannot rely on absolute addresses. Instead, the corresponding addresses are resolved and stored in the Global Offset Table (GOT).

PLT A function calls an imported function by jumping into the corresponding function stub in the Procedure Linkage Table (PLT). This function stub loads the resolved absolute address from the GOT to the program counter, i.e., jumps to the imported function. If the address hadn’t been resolved previously, the GOT entry contains the address of a resolver function.

BSS The BSS section is typically used for statically allocated variables that are initialized with zero and filled with data during runtime.

Rights and permissions

Reprints and permissions

Copyright information

© 2015 The Author(s)

About this chapter

Cite this chapter

Michéle, B. (2015). Media Playback System. In: Smart TV Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-20994-4_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-20994-4_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-20993-7

  • Online ISBN: 978-3-319-20994-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation