Android SmartTVs Vulnerability Discovery via Log-Guided Fuzzing

The recent rise of smart IoT devices has opened new doors for cyber criminals to cause damage unique to the ecosystem. SmartTVs, the most widely adopted home-based IoT devices, are no exception. Despite their popularity, little has been done to evaluate their security and the associated risks. To proactively address the problem, we propose a systematic security evaluation of Android SmartTVs. We overcome a number of prominent challenges: most of the added TV-related functionality is (partially) implemented in the native layer, and many security problems manifest themselves only physically, without causing any misbehavior inside the OS. We develop a novel dynamic fuzzing approach that features on-the-fly log-based input specification derivation and feedback collection. Our solution further introduces a novel external observer that monitors TV-related physical symptoms (i.e., visual and auditory) to detect potential physical anomalies. We leverage our technique to analyze 11 Android TV Boxes. Our analysis reveals 37 unique vulnerabilities, leading to high-impact cyber threats (e.g., corrupting critical boot environment settings and accessing highly sensitive data), memory corruptions, and even visual and auditory disturbances (e.g., persistent display content corruption and audio muting).
