08 February 2010

Device exploitation: Panasonic VIERA HDTV*

A cursory wireless scan of the lobby area of a well-known Washington, DC hotel would detect an ad hoc network entitled "Panasonic Display1". A short walk around the lobby would find only one likely Panasonic device, a large (~60 inch) HDTV situated in the lobby bar above the entrance to the hotel restaurant. A little bit of research finds that the Panasonic VIERA series of HDTVs are in fact wirelessly enabled, and this seems to confirm the find.

The TV's amber light was on, meaning it was in standby; power was applied but the device itself was off. When the bartender was asked if he could put some sports on the TV, he replied that it was "broken", perhaps alluding to the fact that its usual content was probably web-based but it no longer had proper connectivity (hence the ad hoc nature of the network). In fact, connecting to the device assigns oneself a 169.254.*.* address, which confirms that the device has accomplished some sort of zeroconf/APIPA configuration.

A further port scan found the IP of the TV, and ports 21, 23 and 80 open. Browsing to port 80 finds the login page to a probable web interface, and it doesn't take long to find that a null password logs one right into the interface.

The interface itself offers more or less the same control capabilities that you would have with a remote control: sources, channels, volume, brightness, contrast, etc. A quick check of the On/Off button changes the amber light to green, fires up the backlit display and confirms that the interface is in fact that of the device in question!

When on, the TV simply displayed a static graphic for the restaurant (which seems to be an awful waste for such a nice, expensive HDTV), but the web interface didn't seem to have any method for viewing, changing or otherwise modifying the image (other than changing the source).

Port 21 allowed FTP connections, but then immediately disconnected.

Port 23 also allowed telnet connections, but did not appear to be using any well-known default passwords.

*No configuration settings were changed and no TVs were harmed during this device exploitation! Also, credit to others who may wish to remain unnamed at this point. :-)