Cast Away: On the Security of DLNA Deployments in the SmartTV Ecosystem

Guangwei Tian, Jiongyi Chen, Kailun Yan, S. Yang, Wenrui Diao
{"title":"Cast Away: On the Security of DLNA Deployments in the SmartTV Ecosystem","authors":"Guangwei Tian, Jiongyi Chen, Kailun Yan, S. Yang, Wenrui Diao","doi":"10.1109/QRS57517.2022.00021","DOIUrl":null,"url":null,"abstract":"The casting service on SmartTV has been increasingly used for home entertainment and business, given the convenience offered in media broadcast and screen sharing. Among the underlying protocols that support TV cast, DLNA (Digital Living Networking Alliance) – established by a group of tech giants – has become a prevailing standard in the consumer market. Although DLNA has launched the market for years, concerns may arise about whether its real-world deployment has been clearly understood.In this work, we systematically evaluate the security of DLNA deployments in the SmartTV ecosystem. Specifically, we identify a series of critical security issues in the interactions between SmartTVs and casting apps on the smartphone, ranging from non-mandatory encryption to unauthorized file access. The identified security risks can be exploited by a malicious app on the victim’s phone, without requesting sensitive permissions, to launch multiple attacks, including arbitrary command execution, data theft, MITM (man-in-the-middle) attack, and DoS (denial-of-service) attack. To measure the impact of the identified security issues, we designed semi-automated analysis solutions to facilitate the measurements and conducted real-world experiments on 10 on-shelf TV boxes. The results show that most DLNA implementations of products and apps in the wild are insecure. In the end, we provide immediate improvement solutions to mitigate the identified security issues.","PeriodicalId":143812,"journal":{"name":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2022-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/QRS57517.2022.00021","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

Abstract

The casting service on SmartTV has been increasingly used for home entertainment and business, given the convenience offered in media broadcast and screen sharing. Among the underlying protocols that support TV cast, DLNA (Digital Living Networking Alliance) – established by a group of tech giants – has become a prevailing standard in the consumer market. Although DLNA has launched the market for years, concerns may arise about whether its real-world deployment has been clearly understood.In this work, we systematically evaluate the security of DLNA deployments in the SmartTV ecosystem. Specifically, we identify a series of critical security issues in the interactions between SmartTVs and casting apps on the smartphone, ranging from non-mandatory encryption to unauthorized file access. The identified security risks can be exploited by a malicious app on the victim’s phone, without requesting sensitive permissions, to launch multiple attacks, including arbitrary command execution, data theft, MITM (man-in-the-middle) attack, and DoS (denial-of-service) attack. To measure the impact of the identified security issues, we designed semi-automated analysis solutions to facilitate the measurements and conducted real-world experiments on 10 on-shelf TV boxes. The results show that most DLNA implementations of products and apps in the wild are insecure. In the end, we provide immediate improvement solutions to mitigate the identified security issues.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
抛弃:关于智能电视生态系统中DLNA部署的安全性
由于媒体播放和屏幕共享的便利性,智能电视的直播服务越来越多地用于家庭娱乐和商业。在支持电视直播的底层协议中,由一群科技巨头建立的DLNA(数字生活网络联盟)已经成为消费市场的主流标准。尽管DLNA推出市场已有多年,但人们可能会担心其在现实世界中的部署是否得到了清晰的理解。在这项工作中,我们系统地评估了智能电视生态系统中DLNA部署的安全性。具体来说,我们在智能手机上的智能电视和铸造应用程序之间的交互中发现了一系列关键的安全问题,从非强制性加密到未经授权的文件访问。识别出的安全风险可以被受害者手机上的恶意应用程序利用,无需请求敏感权限,即可发起多种攻击,包括任意命令执行、数据窃取、MITM(中间人)攻击和DoS(拒绝服务)攻击。为了测量已确定的安全问题的影响,我们设计了半自动分析解决方案来促进测量,并在10个现成的电视盒上进行了实际实验。结果表明,大多数产品和应用的DLNA实现都是不安全的。最后,我们提供即时改进解决方案,以减轻已确定的安全问题。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Continuous Usability Requirements Evaluation based on Runtime User Behavior Mining Fine-Tuning Pre-Trained Model to Extract Undesired Behaviors from App Reviews An Empirical Study on Source Code Feature Extraction in Preprocessing of IR-Based Requirements Traceability Predictive Mutation Analysis of Test Case Prioritization for Deep Neural Networks Conceptualizing the Secure Machine Learning Operations (SecMLOps) Paradigm
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1