Update
We have received the following statement through email from the Wi-Fi Alliance:
“Wi-Fi Alliance takes security very seriously. All of our specifications and certifications include requirements to support the latest generation of security protections. In the case of Miracast™, the underlying specification requires device-generated passphrases to consist of characters randomly selected from upper case letters, lower case letters, and numbers.
“The recent report of a non-compliant passphrase implementation appears to be limited to a single vendor’s implementation. We enforce the requirements of our certification programs and have been in contact with the company in question to ensure that any device bearing the Miracast mark meets our requirements.”
Original Story
Philips Smart TVs are vulnerable to a range of attacks, including screen hijacks, browser cookie theft and unauthorised file access, a security company has revealed.
According to a video published by security research and solutions company ReVuln, Philips Smart TVs running the latest firmware could allow use of legitimate functions for malicious purposes. Features such as controlling the TV from another device, and transmitting video and audio to the TV could be exploited by unauthorised users.
The security company notes that the vulnerability is present because of Miracast – a Bluetooth-like feature that allows Smart TVs to establish a Wi-Fi connection to other devices without requiring a Wi-Fi router.
The issue is with the Miracast implementation on the latest firmware in Philips Smart TVs. “The main problem is that Miracast uses a fixed password, doesn’t show a PIN number to insert and, moreover, doesn’t ask permission to allow the incoming connection,” Luigi Auriemma, CEO and security researcher at ReVuln, told SCMagazine.com in an email correspondence on Friday.
“So basically you just connect directly to the TV via Wi-Fi, without restrictions. Miracast is enabled by default and the password cannot be changed.”
By exploiting this vulnerability, potential attackers can:
- Control the TV via a remote control application;
- Replace the image on screen with videos or images of their choice;
- Access configuration files of the TV;
- Access files stored on USB devices attached to the TV; and
- Steal browser cookies.
[Editor’s Note: The story was updated on April 2, 2014 at 02:45 with the statement from the Wi-Fi Alliance]