Vulnerability in Philips smart TVs allows Gmail and file access


A security researcher has identified a vulnerability in Philips smart TVs that hackers could exploit.

The bug, identified by researcher Luigi Auriemma, affects Philips-branded TVs with the Miracast feature, which allows nearby devices to connect to the TV.

A firmware update in December opened a new vulnerability allowing hackers to connect to the TV so long as they are in range and know the default Miracast password, which is, you guessed it, "Miracast."

The newly connected device does not require a PIN, and there is no notice that a new device has connected, letting hackers operate stealthily.

Easy access

One of the most serious repercussions of this vulnerability is that it allows Gmail authentication cookies to be stolen, granting hackers access to a user's email account.

It also allows hackers to access data stored on a USB drive connected to the TV.

If that's not bad enough, it also means hackers will have full control of the smart TV and can play any content they want, resulting in some potentially very embarrassing moments.

The bug that created this vulnerability has apparently been known for six months. While Philips takes its time to develop a patch, a simple workaround is to disable the Miracast feature completely.

Random characters

In a statement, the Wi-Fi Alliance said that the security issue is not widespread and is instead "limited to a single vendor's implementation".

"Wi-Fi Alliance takes security very seriously. All of our specifications and certifications include requirements to support the latest generation of security protections. In the case of Miracast™, the underlying specification requires device-generated passphrases to consist of characters randomly selected from upper case letters, lower case letters, and numbers," the statement said.

"The recent report of a non-compliant passphrase implementation appears to be limited to a single vendor's implementation. We enforce the requirements of our certification programs and have been in contact with the company in question to ensure that any device bearing the Miracast mark meets our requirements."

Via ArsTechnica