VnutZ Domain
Copyright © 1996 - 2024 [Matthew Vea] - All Rights Reserved

2017-02-14
Featured Article

Idle Network Activity of a Samsung TV

Tagged As: Analysis, Hacking, Samsung, and Security

After 11 years, I finally got rid of my ancient TV and upgraded to a newer model, a Samsung LED. Of course, it features WiFi and a LAN port to enable its smart functionality, so that built-in applications like YouTube and Netflix work. So is your TV only using the network when you want it to? Hardly.

Power On Activity

For this analysis, I simply loaded the capture file into Wireshark and looked at the sequential contents.

  1. Routine DHCP acquisition of an IP address
  2. 1 DNS request for the A record on ns11.whois.co.kr from the defined DNS
    • Received a single response for ns11.whois.co.kr as 218.232.110.171
    • NOTE: No traffic was ever sent to or from this IP address
  3. 1 DNS request for the A record on cdn.samsungcloudsolution.com from the defined DNS
  4. HTTP request through 54.192.55.38 for http://cdn.samsungcloudsolution.com/Public/network/files/check.xml
    • Receives only <rsp>ok</rsp> in return
  5. Repeat DNS request and response for the A record on ns11.whois.co.kr
  6. Repeat DNS request and response for the A record on cdn.samsungcloudsolution.com
  7. 1 DNS request for the A record on fkp.samsungcloudsolution.com from the defined DNS
    • Received a single response for fkp.samsungcloudsolution.com as 175.41.134.166
  8. The TV negotiates a secure SSLv3 session with fkp.samsungcloudsolution.com and receives 28KB of encrypted data
  9. Repeat DNS request and response for the A record on cdn.samsungcloudsolution.com
  10. HTTP request through 54.192.55.32 for http://cdn.samsungcloudsolution.com/Public/network/files/check.xml
    • Receives only <rsp>ok</rsp> in return
  11. 1 DNS request for the A record on www.samsungrm.net from the defined DNS
  12. The TV negotiates a secure SSLv2 session and then a TLSv1 session with www.samsungrm.net through 52.4.8.109 and receives 2296 bytes of encrypted data
  13. 1 DNS request for the A record on oempprd.samsungcloudsolution.com from the defined DNS
    • Received 1 IP for the CNAME d16ooiozhdn93t.cloudfront.net
    • 54.230.52.63
  14. HTTP request through 54.230.52.63 for http://oempprd.samsungcloudsolution.com/emp/empinfo_X10P_0.970.xml
    • Receives an XML index of available apps for potential upgrade
    • <emplist>
      <file id="empT9" version="2.302" 
        name="X10P_0.970_empT9_VER_2.302.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empT9_VER_2.302.zip" 
        size="2879078" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empTalk" version="2.420" 
        name="X10P_0.970_empTalk_VER_2.420.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empTalk_VER_2.420.zip" 
        size="668454" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empWLibPlugin" version="0.001" 
        name="X10P_0.970_empWLibPlugin_VER_0.001.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empWLibPlugin_VER_0.001.zip" 
        size="390804" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empXT9" version="2.700" 
        name="X10P_0.970_empXT9_VER_2.700.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empXT9_VER_2.700.zip" 
        size="8137804" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empQs" version="1.007" 
        name="X10P_0.970_empQs_VER_1.007.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empQs_VER_1.007.zip" 
        size="1554293" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empAuthSMG" version="0.200" 
        name="X10P_0.970_empAuthSMG_VER_0.200.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empAuthSMG_VER_0.200.zip" 
        size="730741" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empNaver" version="1.007" 
        name="X10P_0.970_empNaver_VER_1.007.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empNaver_VER_1.007.zip" 
        size="39075" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empPsaApp" version="1.006" 
        name="X10P_0.970_empPsaApp_VER_1.006.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empPsaApp_VER_1.006.zip" 
        size="16558" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empWebBrowser" version="2.25" 
        name="X10P_0.970_empWebBrowser_VER_2.25.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empWebBrowser_VER_2.25.zip" 
        size="6235297" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empSignature" version="1.000" 
        name="X10P_0.970_empSignature_VER_1.000.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empSignature_VER_1.000.zip" 
        size="312193" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empGamepad" version="1.30" 
        name="X10P_0.970_empGamepad_VER_1.30.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empGamepad_VER_1.30.zip" 
        size="85370" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empAppAnalyzer" version="1.23" 
        name="X10P_0.970_empAppAnalyzer_VER_1.23.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empAppAnalyzer_VER_1.23.zip"
        size="1036602" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empSpotify" version="0.332" 
        name="X10P_0.970_empSpotify_VER_0.332.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empSpotify_VER_0.332.zip" 
        size="2361693" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empNRDP32" version="1.017" 
        name="X10P_0.970_empNRDP32_VER_1.017.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empNRDP32_VER_1.017.zip" 
        size="3623249" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empNRDP40" version="1.055" 
        name="X10P_0.970_empNRDP40_VER_1.055.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empNRDP40_VER_1.055.zip" 
        size="6280286" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empDownload" version="2.750" 
        name="X10P_0.970_empDownload_VER_2.750.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empDownload_VER_2.750.zip" 
        size="646964" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empSkype" version="1.140301" 
        name="X10P_0.970_empSkype_VER_1.140301.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empSkype_VER_1.140301.zip" 
        size="3668056" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empCamera" version="1.140419" 
        name="X10P_0.970_empCamera_VER_1.140419.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empCamera_VER_1.140419.zip" 
        size="2008395" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empBrowserCommonPlugin" version="2.87" 
        name="X10P_0.970_empBrowserCommonPlugin_VER_2.87.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empBrowserCommonPlugin_VER_2.87.zip" 
        size="3664208" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empBlockbuster" version="1.090" 
        name="X10P_0.970_empBlockbuster_VER_1.090.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empBlockbuster_VER_1.090.zip" 
        size="4704444" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empWebBrowserDRI" version="2.42" 
        name="X10P_0.970_empWebBrowserDRI_VER_2.42.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empWebBrowserDRI_VER_2.42.zip" 
        size="6423951" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empNService" version="0.904" 
        name="X10P_0.970_empNService_VER_0.904.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empNService_VER_0.904.zip" 
        size="2845" type="zip" protocol="https" boot="yes">
      <signature/>
      </file>
      <file id="empUPLUS" version="1.034" 
        name="X10P_0.970_empUPLUS_VER_1.034.zip" 
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empUPLUS_VER_1.034.zip" 
        size="711768" type="zip" protocol="https" boot="no">
      <signature/>
      </file>
      </emplist>
      
  15. 1 DNS request for the A record on infolink.pavv.co.kr from the defined DNS
    • Received a single response for infolink.pavv.co.kr as 207.36.95.10
  16. The TV negotiates a secure SSLv2 session followed by a TLSv1 session with infolink.pavv.co.kr where it sends 1302 bytes and receives 2230 bytes of encrypted data
  17. NOTE: The TV performs the DNS request and encrypted data exchange with infolink.pavv.co.kr 2 more times.
  18. The TV begins negotiating IGMPv2 membership with multicast address 239.255.255.250
    • Sends SSDP NOTIFY* for a UPnP 1st root device
    • Sends SSDP NOTIFY* for a UPnP advertisement of its 1st root device UUID
    • Sends SSDP NOTIFY* for a UPnP samsung.com:device:RemoteControlReceiver
    • Sends SSDP NOTIFY* for a UPnP samsung.com:device:MultiScreenService
    • Sends SSDP NOTIFY* for a UPnP 2nd root device
    • Sends SSDP NOTIFY* for a UPnP advertisement of its 2nd root device UUID
    • Sends SSDP NOTIFY* for a UPnP dial-multiscreen-org:device:dialreceiver:1
    • Sends SSDP NOTIFY* for a UPnP dial-multiscreen-org:device:dial
    • Sends SSDP NOTIFY* for a UPnP 3rd root device
    • Sends SSDP NOTIFY* for a UPnP advertisement of its 3rd root device UUID
    • Sends SSDP NOTIFY* for a UPnP samsung.com:device:MainTVServer2:1
    • Sends SSDP NOTIFY* for a UPnP samsung.com:service:MainTVAgent2
    • Sends SSDP NOTIFY* for a UPnP 4th root device
    • Sends SSDP NOTIFY* for a UPnP advertisement of its 4th root device UUID
    • Sends SSDP NOTIFY* for a UPnP schemas-upnp-org:device:MediaRenderer:1
    • Sends SSDP NOTIFY* for a UPnP schemas-upnp-org:service:RenderingControl
    • Sends SSDP NOTIFY* for a UPnP schemas-upnp-org:service:ConnectionManager
    • Sends SSDP NOTIFY* for a UPnP schemas-upnp-org:service:AVTransport
    • Sends SSDP NOTIFY* that the 1st root device API is available at http://192.168.1.32:7676/smp_2
    • Sends SSDP NOTIFY* that the 2nd root device API is available at http://192.168.1.32:7676/smp_6
    • Sends SSDP NOTIFY* that the 3rd root device API is available at http://192.168.1.32:7676/smp_10
    • Sends SSDP NOTIFY* that the 4th root device API is available at http://192.168.1.32:7676/smp_18
    • Sends SSDP M-SEARCH* discovery queries for schemas-upnp-org:device:MediaServer:1
    • Sends SSDP M-SEARCH* discovery queries for schemas-ce-org:device:RemoteUIServerDevice:1
    • Sends SSDP M-SEARCH* discovery queries for schemas-upnp-org:device:RemoteUIServerDevice:1
    • Sends SSDP M-SEARCH* discovery queries for rvualliance-org:device:RVUServer:1
  19. 1 DNS request for the A record on 0.north-america.pool.ntp.org from the defined DNS
  20. Sent and Received NTP packets to 198.58.110.84
  21. Repeat DNS request and response for the A record on ns11.whois.co.kr
  22. The TV negotiates several sequential secure TLSv1.2 sessions with infolink.pavv.co.kr
  23. 1 DNS request for the A record on www.samsungrm.net from the defined DNS
  24. HTTP request through 52.1.51.54 for http://www.samsungrm.net/openapi/device/auth/query with body content DUID: EXCB3EXSLYROW, MACAddr: 1c5a3e000000, ModelId: 12_X10PLUS_2D, Category: EMP, Param: X10P,0.970, CountryCode: US, Host: www.samsung.net, Connection: close
    • Receives an XML file including a seed key and two URLs for looking at application updates
  25. Repeat HTTP request through 54.230.52.63 for http://oempprd.samsungcloudsolution.com/emp/empinfo_X10P_0.970.xml
    • Receives an XML index of available apps for potential upgrade
  26. Repeat DNS request and response for the A record on ns11.whois.co.kr
  27. Repeat DNS request and response for the A record on cdn.samsungcloudsolution.com
  28. HTTP request through 54.192.55.20 for http://cdn.samsungcloudsolution.com/Public/network/files/check.xml
    • Receives only <rsp>ok</rsp> in return
  29. Repeat DNS request and response for the A record on ns11.whois.co.kr
  30. Repeat DNS request and response for the A record on cdn.samsungcloudsolution.com
  31. HTTP request through 54.192.55.117 for http://cdn.samsungcloudsolution.com/Public/network/files/check.xml
    • Receives only <rsp>ok</rsp> in return
  32. Repeat DNS request and response for the A record on ns11.whois.co.kr
  33. The TV negotiates several sequential secure TLSv1.2 sessions with infolink.pavv.co.kr
  34. 1 DNS request for the A record on syncplusconfig.s3.amazonaws.com from the defined DNS
    • Received 1 IP from the CNAME s3-1-w.amazonaws.com
    • 52.216.65.0
  35. The TV negotiates a secure TLSv1.2 session with syncplusconfig.s3.amazonaws.com where it sends 15KB and receives 13KB of encrypted data
  36. 1 DNS request for the A record on targeted-config-test.samsungacr.com from the defined DNS
    • Received "no such name" from the MNAME ns-558.awsdns-05.net
  37. 2 DNS requests for the A record on log-1.samsungacr.com from the defined DNS
  38. Repeat DNS request and response for the A record on ns11.whois.co.kr
  39. 2 DNS requests for the A record on log-2.samsungacr.com from the defined DNS
  40. 2 DNS requests for the A record on api.twitter.com from the defined DNS
  41. The TV negotiates a secure TLSv1.2 session with log-2.samsungacr.com where it sends 7004 bytes and receives 9741 bytes of encrypted data

Not long after the first DNS call for the api.twitter.com IP address, the system begins communicating fairly regularly via encrypted TLSv1.2 channels to log-1.samsungacr.com and log-2.samsungacr.com. The Samsung TV seemed very needy for validation when it kept calling for the /Public/network/files/check.xml file just to receive an "OK" response over and over. Additionally, the TV validates the DNS records of nearly everything it does prior to any network activity, clearly not relying on any local caching.
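The app index fetched in step 14 is worth checking mechanically rather than by eye: every entry declares protocol="https" while its url attribute is plain http://, and every <signature/> element is empty, so the manifest itself carries no signature value that could be checked. The Python script below is an added example, not the author's code and not Samsung's; it parses an <emplist> manifest of that shape (a two-entry trimmed copy of the one above is embedded as a constructed sample) and reports, per file, whether the signature element carries any content and whether the URL scheme matches the declared protocol. The function names audit_manifest and summarize are my own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: a trimmed, two-entry copy of the empinfo manifest
# structure shown in the write-up (same attributes, same empty <signature/>).
SAMPLE_MANIFEST = """<emplist>
  <file id="empT9" version="2.302"
        name="X10P_0.970_empT9_VER_2.302.zip"
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empT9_VER_2.302.zip"
        size="2879078" type="zip" protocol="https" boot="yes">
    <signature/>
  </file>
  <file id="empUPLUS" version="1.034"
        name="X10P_0.970_empUPLUS_VER_1.034.zip"
        url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empUPLUS_VER_1.034.zip"
        size="711768" type="zip" protocol="https" boot="no">
    <signature/>
  </file>
</emplist>"""


def audit_manifest(xml_text):
    """Return one finding dict per <file> entry in an <emplist> manifest.

    Each dict records the id, version, whether the entry is fetched at boot,
    whether the <signature> child actually carries a value, and whether the
    scheme of the url attribute matches the declared protocol attribute.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for f in root.iter("file"):
        sig = f.find("signature")
        # An empty <signature/> parses with text None; treat whitespace as empty too.
        sig_present = sig is not None and bool((sig.text or "").strip())
        url_scheme = urlparse(f.get("url", "")).scheme.lower()
        declared = f.get("protocol", "").lower()
        findings.append({
            "id": f.get("id"),
            "version": f.get("version"),
            "boot": f.get("boot") == "yes",
            "size": int(f.get("size", "0")),
            "signed": sig_present,
            "url_scheme": url_scheme,
            "scheme_matches_protocol": url_scheme == declared,
        })
    return findings


def summarize(findings):
    """Collect the entries a reviewer cares about: unsigned files, files whose
    URL scheme differs from the protocol they claim, and unsigned boot-time files."""
    unsigned = [x["id"] for x in findings if not x["signed"]]
    mismatched = [x["id"] for x in findings if not x["scheme_matches_protocol"]]
    boot_unsigned = [x["id"] for x in findings if x["boot"] and not x["signed"]]
    return {
        "total": len(findings),
        "unsigned": unsigned,
        "scheme_mismatch": mismatched,
        "boot_unsigned": boot_unsigned,
    }


if __name__ == "__main__":
    report = summarize(audit_manifest(SAMPLE_MANIFEST))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a manifest saved from a capture (for example via Wireshark's "Export Objects > HTTP"), the same two checks apply unchanged; a non-empty signature value would still need verifying against whatever key the device trusts, which the manifest format alone does not tell you.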

ICMP

Using the basic tshark command from the Wireshark package, it's a simple action to quickly parse the capture file and identify all the ICMP activity.

tshark -nr samsung.cap -Y "icmp" -T fields -e icmp.type | sort | uniq -c

Rather unexpectedly, the Samsung TV never sent or received a single ICMP packet during the entire analysis period. Not one ping.

NTP

Using the basic tshark command from the Wireshark package, it's a simple action to quickly parse the capture file and identify all the NTP activity.

tshark -nr samsung.cap -Y "ntp" -T fields -e ip.dst | sort | uniq -c

The Samsung TV reached out to 4 NTP servers a mere 4 times:

DNS

Using the basic tshark command from the Wireshark package, it's a simple action to quickly parse the capture file and identify all the DNS hosts it resolved.

tshark -nr samsung.cap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c

The TV reached out to resolve fifteen separate domains:

  • 0.north-america.pool.ntp.org - 4 hits
  • acr0.samsungcloudsolution.com - 12 hits
  • api.twitter.com - 11 hits
  • fkp.samsungcloudsolution.com - 4 hits
  • gallery.tv.widgets.yahoo.com - 4 hits
  • infolink.pavv.co.kr - 36 hits
  • log-1.samsungacr.com - 64 hits
  • log-2.samsungacr.com - 349 hits
  • log.internetat.tv - 8 hits
  • ns11.whois.co.kr - 37 hits
  • oempprd.samsungcloudsolution.com - 8 hits
  • syncplusconfig.s3.amazonaws.com - 24 hits
  • targeted-config-test.samsungacr.com - 48 hits
  • www.samsungrm.net - 8 hits

The Samsung TV relied entirely on the DHCP provided DNS server.

TCP Connections

Using the basic tshark command from the Wireshark package, it's a simple action to quickly parse the capture file and identify all the TCP activity.

tshark -nr samsung.cap -Y "tcp" -T fields -e ip.dst | sort | uniq -c
tshark -nr samsung.cap -Y "ssl" -T fields -e ip.dst -e ssl.handshake.version | sort | uniq
tshark -nr samsung.cap -Y "dns" -T fields -e dns.a -e dns.resp.name | sort | uniq

The Samsung TV reached out to 8 hosts over TCP:

  • cdn.samsungcloudsolution.com
    • 5 IP addresses
    • 7878 bytes received and 5154 bytes sent
    • Traffic predominantly plaintext HTTP
  • fkp.samsungcloudsolution.com
    • 1 IP address
    • 116KB received and 16KB sent
    • Traffic predominantly encrypted SSLv3
  • infolink.pavv.co.kr
    • 1 IP address
    • 123KB received and 53KB sent
    • Traffic predominantly encrypted SSLv2 and TLSv1
  • log-1.samsungacr.com
    • 7 IP addresses
    • 444KB received and 152KB sent
    • Traffic predominantly encrypted TLSv1.2
  • log-2.samsungacr.com
    • 7 IP addresses
    • 553KB received and 196KB sent
    • Traffic predominantly encrypted TLSv1.2
  • oempprd.samsungcloudsolution.com
    • 1 IP address
    • 16KB received and 1506 bytes sent
    • Traffic predominantly plaintext HTTP
  • syncplusconfig.s3.amazonaws.com
    • 1 IP address
    • 13KB received and 2001 bytes sent
    • Traffic predominantly encrypted TLSv1.2
  • www.samsungrm.net
    • 5 IP addresses
    • 13KB received and 7634 bytes sent
    • Traffic a mix of plaintext HTTP and encrypted SSLv2 and TLSv1
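Assembling a per-host summary like the one above means joining three separate tshark outputs by hand: the DNS answers map IP addresses back to names, the tcp filter gives the peers and packet sizes, and the ssl filter gives the handshake versions. The Python script below is an added example, not the author's tooling, that performs that join from a single export of the form tshark -nr samsung.cap -T fields -e ip.src -e ip.dst -e frame.len -e dns.qry.name -e dns.a -e ssl.handshake.version (tab-separated, one packet per line, multiple A records in one answer joined by commas, which is tshark's default field aggregator). The embedded input is a constructed sample that reuses addresses and names from the write-up; the frame sizes, the resolver address 192.168.1.1 and the function names parse_fields and inventory are my own, and byte counts are whole-frame lengths rather than payload.

```python
from collections import defaultdict

TV_IP = "192.168.1.32"  # the TV's address, as shown in the SSDP LOCATION headers

# Constructed sample in the shape of a tshark -T fields export with the columns
#   ip.src  ip.dst  frame.len  dns.qry.name  dns.a  ssl.handshake.version
# Names and peer addresses come from the write-up; frame sizes and the
# resolver address 192.168.1.1 are invented for the example.
SAMPLE_FIELDS = """\
192.168.1.32\t192.168.1.1\t75\toempprd.samsungcloudsolution.com\t\t
192.168.1.1\t192.168.1.32\t123\toempprd.samsungcloudsolution.com\t54.230.52.63\t
192.168.1.32\t54.230.52.63\t74\t\t\t
192.168.1.32\t54.230.52.63\t320\t\t\t
54.230.52.63\t192.168.1.32\t1514\t\t\t
54.230.52.63\t192.168.1.32\t900\t\t\t
192.168.1.1\t192.168.1.32\t140\tcdn.samsungcloudsolution.com\t54.192.55.38,54.192.55.32\t
192.168.1.32\t54.192.55.38\t200\t\t\t
54.192.55.38\t192.168.1.32\t300\t\t\t
192.168.1.1\t192.168.1.32\t100\tfkp.samsungcloudsolution.com\t175.41.134.166\t
192.168.1.32\t175.41.134.166\t250\t\t\t0x0300
175.41.134.166\t192.168.1.32\t1514\t\t\t0x0300
192.168.1.32\t198.58.110.84\t90\t\t\t
"""

# Record-layer version numbers as carried in the handshake version field.
TLS_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
             0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def parse_fields(text):
    """Turn the tab-separated export into one dict per packet."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (6 - len(parts))          # pad short lines
        src, dst, length, qname, answers, ver = parts[:6]
        rows.append({
            "src": src,
            "dst": dst,
            "length": int(length) if length else 0,
            "qname": qname,
            "answers": [a for a in answers.split(",") if a],
            "version": int(ver, 16) if ver else None,   # tshark prints hex
        })
    return rows


def inventory(rows, tv_ip):
    """Aggregate per resolved name: IPs actually contacted, bytes each way,
    and the TLS/SSL versions seen. Peers with no DNS answer in the capture
    are keyed by their bare IP so nothing is silently dropped."""
    ip_to_name = {}
    for r in rows:
        if r["qname"] and r["answers"]:
            for ip in r["answers"]:
                ip_to_name[ip] = r["qname"]

    stats = defaultdict(lambda: {"ips": set(), "sent": 0, "received": 0, "versions": set()})
    for r in rows:
        if r["qname"]:                # DNS packet, already consumed above
            continue
        if r["src"] == tv_ip:
            peer, direction = r["dst"], "sent"
        elif r["dst"] == tv_ip:
            peer, direction = r["src"], "received"
        else:
            continue
        entry = stats[ip_to_name.get(peer, peer)]
        entry["ips"].add(peer)
        entry[direction] += r["length"]
        if r["version"] is not None:
            entry["versions"].add(TLS_NAMES.get(r["version"], hex(r["version"])))
    return dict(stats)


if __name__ == "__main__":
    for name, s in sorted(inventory(parse_fields(SAMPLE_FIELDS), TV_IP).items()):
        versions = ", ".join(sorted(s["versions"])) or "plaintext/unknown"
        print(f"{name}: {len(s['ips'])} IP(s), {s['received']} B received, "
              f"{s['sent']} B sent, {versions}")
```

Keying on dns.qry.name rather than dns.resp.name sidesteps the CNAME case seen with oempprd.samsungcloudsolution.com, where the answer section names the CloudFront alias as well as the queried host; every A record in the response is attributed to the name the TV asked for. The unresolved NTP peer in the sample shows up under its bare IP, which is the row to look at when a device talks to an address it never looked up.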

UDP Connections

Using the basic tshark command from the Wireshark package, it's a simple action to quickly parse the capture file and identify all the UDP activity.

tshark -nr samsung.cap -Y "udp" -T fields -e ip.dst | sort | uniq -c

49% of the TV's UDP packets were related to the NTP and DNS traffic described above. However, one multicast IP address stood out from the crowd and accounted for all of the remaining UDP traffic, which consisted of IGMP and SSDP packets:

  • 239.255.255.250 to port 1900
    • 710 hits
    • 0 downloaded / 217K uploaded

    NOTIFY * HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): NOTIFY * HTTP/1.1\r\n]
        Request Method: NOTIFY
        Request URI: *
        Request Version: HTTP/1.1
    HOST: 239.255.255.250:1900\r\n
    CACHE-CONTROL: max-age= 1800\r\n
    LOCATION: http://192.168.1.32:7676/smp_18_\r\n
    NT: urn:schemas-upnp-org:device:MediaRenderer:1\r\n
    NTS: ssdp:alive\r\n
    SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n
    USN: uuid:0c845880-00d2-1000-acf7-1c5a3eca9955::urn:schemas-upnp-org:device:MediaRenderer:1\r\n
    \r\n
    [Full request URI: http://239.255.255.250:1900*]
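A NOTIFY datagram like the one above is an HTTPU request: a request line followed by headers, with no body. The Python script below is an added example, not the author's code, that parses such datagrams and builds an inventory of what a device advertises on the LAN, grouped by the UUID in the USN header, alongside the search targets it sends in M-SEARCH queries. The embedded datagrams are constructed: the first is the page's own MediaRenderer announcement, the second reuses its UUID and LOCATION for the RenderingControl service listed in step 18, and the third is an M-SEARCH for the MediaServer type from the same step. The function names parse_ssdp and advertised_services are my own.

```python
import re

# Constructed sample datagrams, written in the raw SSDP form that Wireshark
# dissects into the header tree shown above.
SAMPLE_DATAGRAMS = [
    ("NOTIFY * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "CACHE-CONTROL: max-age= 1800\r\n"
     "LOCATION: http://192.168.1.32:7676/smp_18_\r\n"
     "NT: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
     "NTS: ssdp:alive\r\n"
     "SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
     "USN: uuid:0c845880-00d2-1000-acf7-1c5a3eca9955::urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
     "\r\n"),
    # Same root device announcing one of its services (constructed from step 18).
    ("NOTIFY * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "CACHE-CONTROL: max-age= 1800\r\n"
     "LOCATION: http://192.168.1.32:7676/smp_18_\r\n"
     "NT: urn:schemas-upnp-org:service:RenderingControl\r\n"
     "NTS: ssdp:alive\r\n"
     "SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
     "USN: uuid:0c845880-00d2-1000-acf7-1c5a3eca9955::urn:schemas-upnp-org:service:RenderingControl\r\n"
     "\r\n"),
    # A discovery query the TV sends out (constructed from step 18).
    ("M-SEARCH * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "MAN: \"ssdp:discover\"\r\n"
     "MX: 3\r\n"
     "ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
     "\r\n"),
]


def parse_ssdp(datagram):
    """Parse one SSDP datagram into its method and a header dict.

    Header names are case-insensitive, so they are normalised to upper case.
    The max-age value is pulled out with a regex so that the stray space in
    'max-age= 1800' (as in the capture above) does not break parsing.
    """
    head, _, _body = datagram.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, _, _rest = lines[0].partition(" ")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().upper()] = value.strip()
    max_age = None
    m = re.search(r"max-age\s*=\s*(\d+)", headers.get("CACHE-CONTROL", ""), re.I)
    if m:
        max_age = int(m.group(1))
    return {"method": method.upper(), "headers": headers, "max_age": max_age}


def advertised_services(datagrams):
    """Build a per-device inventory from NOTIFY ssdp:alive announcements,
    keyed by the UUID prefix of the USN header, and collect the search
    targets (ST) the device itself asks for via M-SEARCH."""
    devices = {}
    searches = []
    for raw in datagrams:
        msg = parse_ssdp(raw)
        h = msg["headers"]
        if msg["method"] == "M-SEARCH":
            searches.append(h.get("ST", ""))
            continue
        if msg["method"] != "NOTIFY" or h.get("NTS", "").lower() != "ssdp:alive":
            continue                      # ignore ssdp:byebye and anything else
        uuid = h.get("USN", "").split("::", 1)[0]
        dev = devices.setdefault(uuid, {"location": h.get("LOCATION"),
                                        "types": set(),
                                        "max_age": msg["max_age"]})
        dev["types"].add(h.get("NT", ""))
    return devices, searches


if __name__ == "__main__":
    devices, searches = advertised_services(SAMPLE_DATAGRAMS)
    for uuid, dev in devices.items():
        print(f"{uuid} -> {dev['location']} (max-age {dev['max_age']}s)")
        for t in sorted(dev["types"]):
            print(f"    advertises {t}")
    for st in searches:
        print(f"searching for {st}")
```

Fed the 710 datagrams behind the 239.255.255.250 line above, this collapses them into a handful of UUIDs with their LOCATION URLs and service types, which is the list a defender wants when deciding what a device exposes on the local segment. The max-age value is the lifetime the device asks listeners to cache its announcement; devices re-announce before it expires, which is why alive messages keep recurring in a long capture.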

