In our latest video, we demonstrate an attack scenario that can occur within any organization – hacking a smart TV. The video shows an insider plugging a USB Rubber Ducky into a smart TV in a company meeting room. Within less than a minute, a payload is executed to set up a Wi-Fi network for data exfiltration (called kitty3) and instructs the TV to connect to it. The payload then uploads a utility that captures the screen before the insider removes the rogue device.
Later that day, a company meeting takes place in that same meeting room, and the smart TV displays a presentation containing confidential data. The screen capture utility screen records the whole presentation and saves the recording as a file on the TV. Through the pre-established Wi-Fi network (kitty3), the attacker remotely connects to the TV and views and downloads the saved screen recording. Now, the bad actor has full access to all the data.
“Someone” Like You
In this scenario, the type of attack on the smart TV was a hardware-based attack. These attacks require physical access as someone must physically insert the rogue device, and in this case, that “someone” was an insider; more specifically, an outsourced worker. According to the 2020 Insider Threat Report, contractors, service providers, and temporary workers pose the greatest risk to 50% of organizations. As an outsourced worker, the cleaner has insider access yet less loyalty to the organization than a direct employee. Such characteristics mean outsourced staff are ideal targets for attackers. The cleaner’s insider access takes care of the physical access challenge, while detachment to the organization makes the individual more susceptible to social engineering. There is an abundance of social engineering techniques, of which many are sinister, such as blackmail. In this case, however, the social engineering technique was bribery in the form of a financial payout.
The Faceless Man
Other than a global healthcare crisis, COVID-19 brought new opportunities to bad actors. Before the pandemic, wearing a surgical mask would raise suspicion unless you were a surgeon or healthcare worker. However, as wearing a mask is now not only second nature, but in most countries, mandatory, attackers are using this to their advantage to hide their identity and gain physical access to secure locations. The use of masks to assist in criminal activity is of such value that face masks sell on the black market at premiums of up to 1,500%. So, while this attack demonstrated manipulating an insider, as long as face masks are a norm, that “insider” could have been anyone.
Rubber Ducky, You’re the One
The USB Rubber Ducky is a Rogue Device that spoofs a legitimate HID. Gaps in device visibility mean the Rogue Device is not detected, but rather the legitimate device it is impersonating is. As a result, the Rogue Device raises no security alarms and, in seconds, covertly hacks the smart TV to provide the attacker with remote access to the company’s sensitive information, even after removing the attack tool. So, while you may not see them, they see you; all it takes is a duck, a Wi-Fi connection, and a smart TV that is smarter than you think.
About the author: Jessica Amado, Head of Cyber Research at Sepio Systems
(SecurityAffairs – hacking, Smart TV)