Idle Network Activity of a Samsung TV
After 11 years, I finally got rid of my ancient TV and upgraded to a newer model, a Samsung LED. Of course, it features WiFi and a LAN port in order to enable its smart functionality, so that built-in applications like YouTube and Netflix will work. So is your TV only using the network when you want it to? Hardly.
Power On Activity
For this analysis, I simply loaded the capture file into Wireshark and looked at the sequential contents.
- Routine DHCP acquisition of an IP address
- 1 DNS request for the A record on ns11.whois.co.kr from the defined DNS
- Received a single response for ns11.whois.co.kr as 218.232.110.171
- NOTE: No traffic was ever sent to or from this IP address
- 1 DNS request for the A record on cdn.samsungcloudsolution.com from the defined DNS
- Received 8 IPs for the CNAME d179kwmlpc4o47.cloudfront.net
  - 54.192.55.20
  - 54.192.55.31
  - 54.192.55.38
  - 54.192.55.43
  - 54.192.55.55
  - 54.192.55.117
  - 54.192.55.121
  - 54.192.55.225
- HTTP request through 54.192.55.38 for http://cdn.samsungcloudsolution.com/Public/network/files/check.xml
- Receives only <rsp>ok</rsp> in return
- Repeat DNS request and response for the A record on ns11.whois.co.kr
- Repeat DNS request and response for the A record on cdn.samsungcloudsolution.com
- 1 DNS request for the A record on fkp.samsungcloudsolution.com from the defined DNS
- Received a single response for fkp.samsungcloudsolution.com as 175.41.134.166
- The TV negotiates a secure SSLv3 session with fkp.samsungcloudsolution.com and receives 28KB of encrypted data
- Repeat DNS request and response for the A record on cdn.samsungcloudsolution.com
- HTTP request through 54.192.55.32 for http://cdn.samsungcloudsolution.com/Public/network/files/check.xml
- Receives only <rsp>ok</rsp> in return
- 1 DNS request for the A record on www.samsungrm.net from the defined DNS
- Received 6 IPs for the CNAME prd-rm-main-api-1948433873.us-east-1.elb.amazonaws.com
  - 52.1.51.54
  - 52.4.8.109
  - 52.5.51.241
  - 52.6.19.98
  - 54.85.52.189
  - 54.164.76.169
- The TV negotiates a secure SSLv2 session and then a TLSv1 session with www.samsungrm.net through 52.4.8.109 and receives 2296 bytes of encrypted data
- 1 DNS request for the A record on oempprd.samsungcloudsolution.com from the defined DNS
- Received 1 IP for the CNAME d16ooiozhdn93t.cloudfront.net
  - 54.230.52.63
- HTTP request through 54.230.52.63 for http://oempprd.samsungcloudsolution.com/emp/empinfo_X10P_0.970.xml
- Receives an XML index of available apps for potential upgrade
- 1 DNS request for the A record on infolink.pavv.co.kr from the defined DNS
- Received a single response for infolink.pavv.co.kr as 207.36.95.10
- The TV negotiates a secure SSLv2 session followed by a TLSv1 session with infolink.pavv.co.kr where it sends 1302 bytes and receives 2230 bytes of encrypted data
- NOTE: The TV performs the DNS request and encrypted data exchange with infolink.pavv.co.kr 2 more times.
- The TV begins negotiating IGMPv2 membership with multicast address 239.255.255.250
- Sends SSDP NOTIFY* for a upnp 1st root device
- Sends SSDP NOTIFY* for a upnp advertisement of its 1st root device UUID
- Sends SSDP NOTIFY* for a upnp samsung.com:device:RemoteControlReceiver
- Sends SSDP NOTIFY* for a upnp samsung.com:device:MultiScreenService
- Sends SSDP NOTIFY* for a upnp 2nd root device
- Sends SSDP NOTIFY* for a upnp advertisement of its 2nd root device UUID
- Sends SSDP NOTIFY* for a upnp dial-multiscreen-org:device:dialreceiver:1
- Sends SSDP NOTIFY* for a upnp dial-multiscreen-org:device:dial
- Sends SSDP NOTIFY* for a upnp 3rd root device
- Sends SSDP NOTIFY* for a upnp advertisement of its 3rd root device UUID
- Sends SSDP NOTIFY* for a upnp samsung.com:device:MainTVServer2:1
- Sends SSDP NOTIFY* for a upnp samsung.com:service:MainTVAgent2
- Sends SSDP NOTIFY* for a upnp 4th root device
- Sends SSDP NOTIFY* for a upnp advertisement of its 4th root device UUID
- Sends SSDP NOTIFY* for a upnp schemas-upnp-org:device:MediaRenderer:1
- Sends SSDP NOTIFY* for a upnp schemas-upnp-org:service:RenderingControl
- Sends SSDP NOTIFY* for a upnp schemas-upnp-org:service:ConnectionManger
- Sends SSDP NOTIFY* for a upnp schemas-upnp-org:service:AVTransport
- Sends SSDP NOTIFY* that 1st root device API available at http://192.168.1.32:7676/smp_2
- Sends SSDP NOTIFY* that 2nd root device API available at http://192.168.1.32:7676/smp_6
- Sends SSDP NOTIFY* that 3rd root device API available at http://192.168.1.32:7676/smp_10
- Sends SSDP NOTIFY* that 4th root device API available at http://192.168.1.32:7676/smp_18
- Sends SSDP M-SEARCH* discovery queries for schemas-upnp-org:device:MediaServer:1
- Sends SSDP M-SEARCH* discovery queries for schemas-ce-org:device:RemoteUIServerDevice:1
- Sends SSDP M-SEARCH* discovery queries for schemas-upnp-org:device:RemoteUIServerDevice:1
- Sends SSDP M-SEARCH* discovery queries for rvualliance-org:device:RVUServer:1
- 1 DNS request for the A record on 0.north-america.pool.ntp.org from the defined DNS
- Received 4 IPs
  - 69.167.160.102
  - 597.107.129.217
  - 198.58.110.84
  - 207.192.69.118
- Sent and Received NTP packets to 198.58.110.84
- Repeat DNS request and response for the A record on ns11.whois.co.kr
- The TV negotiates several sequential secure TLSv1.2 sessions with infolink.pavv.co.kr
- 1 DNS request for the A record on www.samsungrm.net from the defined DNS
- Received CNAME rmfix.samsungcloudsolution.net
- Received 6 IPs for the CNAME prd-rm-main-api-1948433873.us-east-1.elb.amazonaws.com
  - 52.1.51.54
  - 52.4.8.109
  - 52.5.51.241
  - 52.6.19.98
  - 54.85.52.189
  - 54.164.76.169
- HTTP request through 52.1.51.54 for http://www.samsungrm.net/openapi/device/auth/query with body content DUID: EXCB3EXSLYROW, MACAddr: 1c5a3e000000, ModelId: 12_X10PLUS_2D, Category: EMP, Param: X10P,0.970, CountryCode: US, Host: www.samsung.net, Connection: close
- Receives an XML file including a seed key and two URLs for looking at application updates
- Repeat HTTP request through 54.230.52.63 for http://oempprd.samsungcloudsolution.com/emp/empinfo_X10P_0.970.xml
- Receives an XML index of available apps for potential upgrade
- Repeat DNS request and response for the A record on ns11.whois.co.kr
- Repeat DNS request and response for the A record on cdn.samsungcloudsolution.com
- HTTP request through 54.192.55.20 for http://cdn.samsungcloudsolution.com/Public/network/files/check.xml
- Receives only <rsp>ok</rsp> in return
- Repeat DNS request and response for the A record on ns11.whois.co.kr
- Repeat DNS request and response for the A record on cdn.samsungcloudsolution.com
- HTTP request through 54.192.55.117 for http://cdn.samsungcloudsolution.com/Public/network/files/check.xml
- Receives only <rsp>ok</rsp> in return
- Repeat DNS request and response for the A record on ns11.whois.co.kr
- The TV negotiates several sequential secure TLSv1.2 sessions with infolink.pavv.co.kr
- 1 DNS request for the A record on syncplusconfig.s3.amazonaws.com from the defined DNS
- Received 1 IP from the CNAME s3-1-w.amazonaws.com
  - 52.216.65.0
- The TV negotiates a secure TLSv1.2 session with syncplusconfig.s3.amazonaws.com where it sends 15KB and receives 13KB of encrypted data
- 1 DNS request for the A record on targeted-config-test.samsungacr.com from the defined DNS
- Received "no such name" from the MNAME ns-558.awsdns-05.net
- 2 DNS requests for the A record on log-1.samsungacr.com from the defined DNS
- Received 8 IPs
  - 52.7.28.156
  - 52.70.180.143
  - 52.86.143.152
  - 52.86.191.135
  - 52.7.28.156
  - 54.209.6.77
  - 54.236.223.234
  - 54.236.224.208
- Repeat DNS request and response for the A record on ns11.whois.co.kr
- 2 DNS requests for the A record on log-2.samsungacr.com from the defined DNS
- Received 8 IPs
  - 52.4.132.187
  - 52.4.163.0
  - 52.7.28.156
  - 52.7.167.36
  - 52.45.51.155
  - 52.70.180.143
  - 52.86.143.152
  - 52.86.191.135
- 2 DNS requests for the A record on api.twitter.com from the defined DNS
- Received 4 IPs
  - 104.244.42.2
  - 104.244.42.66
  - 104.244.42.130
  - 104.244.42.194
- The TV negotiates a secure TLSv1.2 session with log-2.samsungacr.com where it sends 7004 bytes and receives 9741 bytes of encrypted data
The XML app index the TV receives from http://oempprd.samsungcloudsolution.com/emp/empinfo_X10P_0.970.xml:
<emplist>
  <file id="empT9" version="2.302" name="X10P_0.970_empT9_VER_2.302.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empT9_VER_2.302.zip" size="2879078" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empTalk" version="2.420" name="X10P_0.970_empTalk_VER_2.420.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empTalk_VER_2.420.zip" size="668454" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empWLibPlugin" version="0.001" name="X10P_0.970_empWLibPlugin_VER_0.001.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empWLibPlugin_VER_0.001.zip" size="390804" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empXT9" version="2.700" name="X10P_0.970_empXT9_VER_2.700.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empXT9_VER_2.700.zip" size="8137804" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empQs" version="1.007" name="X10P_0.970_empQs_VER_1.007.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empQs_VER_1.007.zip" size="1554293" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empAuthSMG" version="0.200" name="X10P_0.970_empAuthSMG_VER_0.200.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empAuthSMG_VER_0.200.zip" size="730741" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empNaver" version="1.007" name="X10P_0.970_empNaver_VER_1.007.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empNaver_VER_1.007.zip" size="39075" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empPsaApp" version="1.006" name="X10P_0.970_empPsaApp_VER_1.006.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empPsaApp_VER_1.006.zip" size="16558" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empWebBrowser" version="2.25" name="X10P_0.970_empWebBrowser_VER_2.25.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empWebBrowser_VER_2.25.zip" size="6235297" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empSignature" version="1.000" name="X10P_0.970_empSignature_VER_1.000.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empSignature_VER_1.000.zip" size="312193" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empGamepad" version="1.30" name="X10P_0.970_empGamepad_VER_1.30.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empGamepad_VER_1.30.zip" size="85370" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empAppAnalyzer" version="1.23" name="X10P_0.970_empAppAnalyzer_VER_1.23.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empAppAnalyzer_VER_1.23.zip" size="1036602" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empSpotify" version="0.332" name="X10P_0.970_empSpotify_VER_0.332.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empSpotify_VER_0.332.zip" size="2361693" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empNRDP32" version="1.017" name="X10P_0.970_empNRDP32_VER_1.017.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empNRDP32_VER_1.017.zip" size="3623249" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empNRDP40" version="1.055" name="X10P_0.970_empNRDP40_VER_1.055.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empNRDP40_VER_1.055.zip" size="6280286" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empDownload" version="2.750" name="X10P_0.970_empDownload_VER_2.750.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empDownload_VER_2.750.zip" size="646964" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empSkype" version="1.140301" name="X10P_0.970_empSkype_VER_1.140301.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empSkype_VER_1.140301.zip" size="3668056" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empCamera" version="1.140419" name="X10P_0.970_empCamera_VER_1.140419.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empCamera_VER_1.140419.zip" size="2008395" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empBrowserCommonPlugin" version="2.87" name="X10P_0.970_empBrowserCommonPlugin_VER_2.87.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empBrowserCommonPlugin_VER_2.87.zip" size="3664208" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empBlockbuster" version="1.090" name="X10P_0.970_empBlockbuster_VER_1.090.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empBlockbuster_VER_1.090.zip" size="4704444" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empWebBrowserDRI" version="2.42" name="X10P_0.970_empWebBrowserDRI_VER_2.42.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empWebBrowserDRI_VER_2.42.zip" size="6423951" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empNService" version="0.904" name="X10P_0.970_empNService_VER_0.904.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empNService_VER_0.904.zip" size="2845" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empUPLUS" version="1.034" name="X10P_0.970_empUPLUS_VER_1.034.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empUPLUS_VER_1.034.zip" size="711768" type="zip" protocol="https" boot="no"> <signature/> </file>
</emplist>
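The app index is the part of this exchange a defender would want to inspect: in the listing above every entry carries an http:// url even though its protocol attribute says https, and every <signature/> element is empty. The following Python parser for that emplist format is an added example written for this page, not Samsung's or the post's own code. It embeds a two-entry excerpt copied from the listing as constructed sample input and reports, per package, whether it is fetched at boot, whether the url scheme agrees with the protocol attribute, and whether the signature element actually carries a value.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed excerpt: two entries copied verbatim from the emplist shown above.
SAMPLE_EMPLIST = """<emplist>
  <file id="empT9" version="2.302" name="X10P_0.970_empT9_VER_2.302.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empT9_VER_2.302.zip" size="2879078" type="zip" protocol="https" boot="yes"> <signature/> </file>
  <file id="empUPLUS" version="1.034" name="X10P_0.970_empUPLUS_VER_1.034.zip" url="http://oempprd.samsungcloudsolution.com/emp/emp/X10P_0.970_empUPLUS_VER_1.034.zip" size="711768" type="zip" protocol="https" boot="no"> <signature/> </file>
</emplist>"""


def parse_emplist(xml_text):
    """Turn each <file> element of an emplist document into a plain dict."""
    root = ET.fromstring(xml_text)
    entries = []
    for f in root.findall("file"):
        sig = f.find("signature")
        # An empty <signature/> has text None; treat whitespace-only as empty too.
        sig_value = (sig.text or "").strip() if sig is not None else ""
        entries.append({
            "id": f.get("id"),
            "version": f.get("version"),
            "name": f.get("name"),
            "url": f.get("url"),
            "size": int(f.get("size", "0")),
            "protocol": f.get("protocol"),
            "boot": f.get("boot") == "yes",   # package is pulled at TV start-up
            "signed": bool(sig_value),        # does the index carry a signature value at all?
        })
    return entries


def boot_packages(entries):
    """IDs of packages the index marks for download at boot."""
    return [e["id"] for e in entries if e["boot"]]


def audit_emplist(entries):
    """Report index entries whose transport or signature metadata deserves a second look."""
    findings = []
    for e in entries:
        scheme = urlparse(e["url"]).scheme
        if scheme != e["protocol"]:
            findings.append((e["id"], "url scheme %s != protocol=%s" % (scheme, e["protocol"])))
        if not e["signed"]:
            findings.append((e["id"], "empty <signature/> element"))
    return findings


if __name__ == "__main__":
    parsed = parse_emplist(SAMPLE_EMPLIST)
    print("boot packages:", boot_packages(parsed))
    for pkg, issue in audit_emplist(parsed):
        print("%-10s %s" % (pkg, issue))
```

Run against the full index, the audit flags all 23 entries on both counts; the point of the check is that a package list fetched over plain HTTP, with no signature value in the index itself, leaves the verification of the downloaded archives entirely to whatever the TV does after download.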
Not long after the first DNS call for the api.twitter.com IP address, the system begins communicating fairly regularly via encrypted TLSv1.2 channels to log-1.samsungacr.com and log-2.samsungacr.com. The Samsung TV seemed very needy for validation when it kept calling for the /Public/network/files/check.xml file just to receive an "OK" response over and over. Additionally, the TV validates the DNS records of nearly everything it does prior to any network activity, clearly not relying on any local caching.
ICMP
Using the basic tshark command from the Wireshark package, it's a simple action to quickly parse the capture file and identify all the ICMP activity.
tshark -nr samsung.cap -Y "icmp" -T fields -e icmp.type | sort | uniq -c
Rather unexpectedly, the Samsung TV never sent or received a single ICMP packet during the entire analysis period. Not one ping.
NTP
Using the basic tshark command from the Wireshark package, it's a simple action to quickly parse the capture file and identify all the NTP activity.
tshark -nr samsung.cap -Y "ntp" -T fields -e ip.dst | sort | uniq -c
The Samsung TV reached out to 4 NTP servers a mere 4 times:
- 132.163.4.102 - 1 hit
- 198.58.110.84 - 1 hit
- 204.9.54.119 - 1 hit
- 206.108.0.132 - 1 hit
DNS
Using the basic tshark command from the Wireshark package, it's a simple action to quickly parse the capture file and identify all the DNS hosts it resolved.
tshark -nr samsung.cap -Y "dns.flags.response == 0" -T fields -e dns.qry.name | sort | uniq -c
The TV reached out to resolve fifteen separate domains:
- 0.north-america.pool.ntp.org - 4 hits
- acr0.samsungcloudsolution.com - 12 hits
- api.twitter.com - 11 hits
- fkp.samsungcloudsolution.com - 4 hits
- gallery.tv.widgets.yahoo.com - 4 hits
- infolink.pavv.co.kr - 36 hits
- log-1.samsungacr.com - 64 hits
- log-2.samsungacr.com - 349 hits
- log.internetat.tv - 8 hits
- ns11.whois.co.kr - 37 hits
- oempprd.samsungcloudsolution.com - 8 hits
- syncplusconfig.s3.amazonaws.com - 24 hits
- targeted-config-test.samsungacr.com - 48 hits
- www.samsungrm.net - 8 hits
The Samsung TV relied entirely on the DHCP-provided DNS server.
TCP Connections
Using the basic tshark command from the Wireshark package, it's a simple action to quickly parse the capture file and identify all the TCP activity.
tshark -nr samsung.cap -Y "tcp" -T fields -e ip.dst | sort | uniq -c
tshark -nr samsung.cap -Y "ssl" -T fields -e ip.dst -e ssl.handshake.version | sort | uniq
tshark -nr samsung.cap -Y "dns" -T fields -e dns.a -e dns.resp.name| sort | uniq
The Samsung TV reached out to 8 hosts over TCP:
- cdn.samsungcloudsolution.com
  - 5 IP addresses
  - 7878 bytes received and 5154 bytes sent
  - Traffic predominantly plaintext HTTP
- fkp.samsungcloudsolution.com
  - 1 IP address
  - 116KB received and 16KB sent
  - Traffic predominantly encrypted SSLv3
- infolink.pavv.co.kr
  - 1 IP address
  - 123KB received and 53KB sent
  - Traffic predominantly encrypted SSLv2 and TLSv1
- log-1.samsungacr.com
  - 7 IP addresses
  - 444KB received and 152KB sent
  - Traffic predominantly encrypted TLSv1.2
- log-2.samsungacr.com
  - 7 IP addresses
  - 553KB received and 196KB sent
  - Traffic predominantly encrypted TLSv1.2
- oempprd.samsungcloudsolution.com
  - 1 IP address
  - 16KB received and 1506 bytes sent
  - Traffic predominantly plaintext HTTP
- syncplusconfig.s3.amazonaws.com
  - 1 IP address
  - 13KB received and 2001 bytes sent
  - Traffic predominantly encrypted TLSv1.2
- www.samsungrm.net
  - 5 IP addresses
  - 13KB received and 7634 bytes sent
  - Traffic a mix of plaintext HTTP and encrypted SSLv2 and TLSv1
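The per-host tallies above (distinct IPs, bytes each way, which SSL/TLS versions were negotiated) are what the three tshark commands produce once their output is joined up. As an added example, not code from the post, the following Python does that join offline: it reads the tab-separated lines that `tshark -T fields -e ip.src -e ip.dst -e frame.len -e ssl.handshake.version` emits, maps peer addresses back to the names from the `dns.a`/`dns.resp.name` listing, and then flags hosts still negotiating SSLv2, SSLv3 or TLS 1.0/1.1 and hosts with no TLS handshake at all. The sample lines and the IP-to-name map are constructed for the example (the addresses are ones the page lists; the frame lengths are made up), and the TV's address 192.168.1.32 is taken from the SSDP LOCATION headers on this page.

```python
from collections import defaultdict

TV_IP = "192.168.1.32"  # the TV's LAN address, from the SSDP LOCATION headers on this page

# Constructed sample in the layout produced by
#   tshark -nr samsung.cap -Y "tcp" -T fields -e ip.src -e ip.dst -e frame.len -e ssl.handshake.version
# (tab-separated, one frame per line; several handshake versions in one frame are comma-joined).
SAMPLE_FIELDS = """\
192.168.1.32\t54.192.55.38\t310\t
54.192.55.38\t192.168.1.32\t212\t
192.168.1.32\t175.41.134.166\t180\t0x0300
175.41.134.166\t192.168.1.32\t1460\t0x0300
192.168.1.32\t52.4.8.109\t130\t0x0002
52.4.8.109\t192.168.1.32\t1100\t0x0301
192.168.1.32\t52.4.132.187\t230\t0x0303
52.4.132.187\t192.168.1.32\t1400\t0x0303,0x0303
"""

# Answer-IP to queried-name map, as one would build from
#   tshark -nr samsung.cap -Y "dns" -T fields -e dns.a -e dns.resp.name | sort | uniq
# (constructed, reduced to the addresses used in the sample above).
HOST_OF_IP = {
    "54.192.55.38": "cdn.samsungcloudsolution.com",
    "175.41.134.166": "fkp.samsungcloudsolution.com",
    "52.4.8.109": "www.samsungrm.net",
    "52.4.132.187": "log-2.samsungacr.com",
}

# ssl.handshake.version is printed as a hex number; these are the record-layer version codes.
TLS_VERSION_NAMES = {
    0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1",
    0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3",
}
# Prohibited or deprecated by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0/1.1).
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def summarize_tcp(fields_text, tv_ip=TV_IP, host_of_ip=HOST_OF_IP):
    """Per remote host: distinct peer IPs, bytes the TV sent and received, handshake versions seen."""
    per_host = defaultdict(lambda: {"ips": set(), "sent": 0, "received": 0, "versions": set()})
    for line in fields_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 4:
            continue
        src, dst, length, versions = parts[0], parts[1], int(parts[2]), parts[3]
        if src == tv_ip:
            peer, direction = dst, "sent"
        elif dst == tv_ip:
            peer, direction = src, "received"
        else:
            continue  # not the TV's traffic
        entry = per_host[host_of_ip.get(peer, peer)]
        entry["ips"].add(peer)
        entry[direction] += length
        for v in versions.split(","):
            if v:
                entry["versions"].add(TLS_VERSION_NAMES.get(int(v, 16), v))
    return dict(per_host)


def legacy_crypto_hosts(per_host):
    """Hosts with which an SSLv2/SSLv3/TLS 1.0/1.1 handshake was observed."""
    return sorted(h for h, e in per_host.items() if e["versions"] & LEGACY_VERSIONS)


def plaintext_hosts(per_host):
    """Hosts that exchanged TCP traffic but never a TLS handshake (plain HTTP on this page)."""
    return sorted(h for h, e in per_host.items() if not e["versions"])


if __name__ == "__main__":
    summary = summarize_tcp(SAMPLE_FIELDS)
    for host, e in sorted(summary.items()):
        print(host, len(e["ips"]), "IPs,", e["received"], "received,", e["sent"], "sent,",
              ", ".join(sorted(e["versions"])) or "no TLS")
    print("legacy crypto:", legacy_crypto_hosts(summary))
    print("plaintext only:", plaintext_hosts(summary))
```

The byte counts use frame.len, so they include link and IP headers; for payload-only numbers swap in tcp.len. On the capture described on this page the legacy list would contain fkp.samsungcloudsolution.com, infolink.pavv.co.kr and www.samsungrm.net, which is the kind of per-device baseline worth keeping when deciding what an IoT VLAN may reach.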
UDP Connections
Using the basic tshark command from the Wireshark package, it's a simple action to quickly parse the capture file and identify all the UDP activity.
tshark -nr samsung.cap -Y "udp" -T fields -e ip.dst | sort | uniq -c
49% of the TV's UDP packets were related to the aforementioned NTP and DNS traffic. However, one multicast IP address continued to stand out from the crowd and represented all of the remaining UDP traffic, which consisted of IGMP and SSDP packets:
- 239.255.255.250 to port 1900
  - 710 hits
  - 0 downloaded / 217K uploaded
NOTIFY * HTTP/1.1\r\n
[Expert Info (Chat/Sequence): NOTIFY * HTTP/1.1\r\n]
Request Method: NOTIFY
Request URI: *
Request Version: HTTP/1.1
HOST: 239.255.255.250:1900\r\n
CACHE-CONTROL: max-age= 1800\r\n
LOCATION: http://192.168.1.32:7676/smp_18_\r\n
NT: urn:schemas-upnp-org:device:MediaRenderer:1\r\n
NTS: ssdp:alive\r\n
SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n
USN: uuid:0c845880-00d2-1000-acf7-1c5a3eca9955::urn:schemas-upnp-org:device:MediaRenderer:1\r\n
\r\n
[Full request URI: http://239.255.255.250:1900*]
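As an added example, not code from the post, the following Python parses an SSDP NOTIFY datagram like the one dissected above and pulls out what a network defender records when baselining a device: the advertised device type, its UUID, where the device description lives on the LAN (and whether that URL is plain http), and the max-age after which the advertisement must be refreshed, which is what drives the 710 announcements counted above. The sample datagram is reconstructed from the header lines shown above with CRLF endings; the parser itself is generic to any ssdp:alive NOTIFY and also checks the UPnP rule that USN is "uuid:<id>::<NT>".

```python
import ipaddress
from urllib.parse import urlparse

# Constructed from the NOTIFY headers dissected above (CRLF line endings as on the wire).
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age= 1800\r\n"
    "LOCATION: http://192.168.1.32:7676/smp_18_\r\n"
    "NT: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
    "NTS: ssdp:alive\r\n"
    "SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
    "USN: uuid:0c845880-00d2-1000-acf7-1c5a3eca9955::urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
    "\r\n"
)


def parse_ssdp(datagram):
    """Split an SSDP datagram (HTTP-style request line plus headers, carried over UDP)."""
    head = datagram.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # split on the first colon only; values contain colons
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def _max_age(cache_control):
    """Integer from a CACHE-CONTROL value such as 'max-age= 1800' (the stray space is real)."""
    digits = "".join(ch for ch in cache_control.split("=", 1)[-1] if ch.isdigit())
    return int(digits) if digits else None


def _is_private_host(hostname):
    try:
        return ipaddress.ip_address(hostname).is_private
    except ValueError:   # not an IP literal
        return False


def describe_alive(msg):
    """Summarize an ssdp:alive NOTIFY; returns None for anything else (M-SEARCH, byebye, ...)."""
    h = msg["headers"]
    if msg["method"] != "NOTIFY" or msg["target"] != "*" or h.get("NTS") != "ssdp:alive":
        return None
    usn = h.get("USN", "")
    uuid, _, usn_type = usn.partition("::")   # UPnP: USN is "uuid:<id>::<NT>" for device-type announcements
    loc = urlparse(h.get("LOCATION", ""))
    return {
        "uuid": uuid[5:] if uuid.startswith("uuid:") else uuid,
        "device_type": h.get("NT"),
        "usn_matches_nt": usn_type == h.get("NT"),
        "location_host": loc.hostname,
        "location_port": loc.port,
        "location_on_lan": _is_private_host(loc.hostname or ""),
        "location_plaintext": loc.scheme == "http",
        "max_age": _max_age(h.get("CACHE-CONTROL", "")),
        "server": h.get("SERVER"),
    }


if __name__ == "__main__":
    info = describe_alive(parse_ssdp(SAMPLE_NOTIFY))
    for key, value in info.items():
        print("%-19s %s" % (key, value))
```

Fed the full capture (for instance the output of `tshark -nr samsung.cap -Y "ssdp" -T fields -e udp.payload`, hex-decoded), the same function yields one record per advertised root device and service, which is a compact inventory of what the TV exposes on port 7676 to everything else on the segment.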