[ale] Stupid smart phone

Alex Carver agcarver+ale at acarver.net
Mon Dec 13 15:28:02 EST 2021 

Well that's what I do now.  I have a small Ubiquiti EdgeRouter inline 
with the TV that rewrites the NTP packets to redirect them to my NTP 
server but it blocks all other outgoing packets.  The clock works fine 
this way, but I can't use any other network feature of the TV like 
Miracast.  I'd have to do much finer surgery and MITM work to see if I 
can get that working while still blocking the phone-home packets.

They hardcoded the NTP servers, too, so it ignores what my DHCP server 
supplies hence the need to rewrite packets with the EdgeRouter.

On 2021-12-13 12:18, Bob Toxen wrote:
> Or just block everything but time requests and see if it still works (less
> trouble but less fun than a MITM attack that, if they're really smart
> they can detect) or even call customer support, the latter a longshot.
> 
> On Mon, Dec 13, 2021 at 10:38:14AM -0800, Alex Carver wrote:
>> You'd think so but it uses TLS so I can't see inside the packets easily
>> (wow, an appliance manufacturer thought to use security, too bad it was to
>> hide what they were doing).
>>
>> If I was able to gain access to the OS I could probably do a lot more
>> detective work.  From my initial outside sniffing it looks like it tries to
>> grab a token which I would surmise is used to identify itself in further
>> exchanges.
>>
>> I'll have to read up more on setting up a MITM proxy that can decode TLS.
>> I've got a laptop with Linux, I'd just need a USB Ethernet adapter  so I
>> could have two interfaces that I could drop in line with the TV and listen
>> in.
>>
>> On 2021-12-13 05:16, Jim Kinney wrote:
>>> Heh, heh. It would be way fun to proxy the phone home data stream and manipulate it in fun and random ways.
>>>
>>> On December 12, 2021 6:49:01 PM EST, Alex Carver <agcarver+ale at acarver.net> wrote:
>>>> I haven't gone poking around too much but I do know there are some open
>>>>
>>>> ports according to a couple quick scans.  Maybe during vacation I'll
>>>> poke around with it, possibly toss Kali against it.
>>>>
>>>> If that were the case and I got in then I could at least turn off some
>>>> of the phone-home stuff.  I won't let it on the network directly
>>>> because
>>>> of that so I can't use the casting features.
>>>>
>>>> On 2021-12-12 05:20, Jim Kinney wrote:
>>>>> But, but, but, it was only done that way to provide the the best
>>>> possible user experience </snark>
>>>>>
>>>>> If they have hard coded network addresses, I'll bet they also have
>>>> hard coded root/admin passwords. Might even have an open port. That
>>>> would be sad. <sniff><sniff>
>>>>>
>>>>> On December 12, 2021 4:37:34 AM EST, Alex Carver via Ale
>>>> <ale at ale.org> wrote:
>>>>>> Oh they're very clever about it, too.  Despite DHCP giving it DNS
>>>>>> servers that I control and despite the manual network configuration
>>>>>> exposing only two DNS server entries it actually has Google's DNS
>>>>>> servers hardcoded as a third server.  So if I tried to blacklist
>>>>>> anything at my own DNS server, it would get around that by querying
>>>>>> Google directly.
>>>>>>
>>>>>> I spotted that when I first got the TV and put a sniffer on it
>>>> before I
>>>>>>
>>>>>> let it out into the wild.  It was querying 8.8.8.8 and 8.8.4.4 even
>>>>>> though I had manually configured it for my local DNS. When I let the
>>>>>> sniffer pass the DNS queries through it still used Google servers to
>>>>>> handle Vizio lookups to the mothership.  Evidently the user
>>>> configured
>>>>>> DNS is only for the extra applications like Netflix, Hulu, etc.
>>>> while
>>>>>> the core spyware uses only Google for DNS.
>>>>>>
>>>>>> On 2021-12-11 22:42, Bob Toxen wrote:
>>>>>>> GOOD FOR YOU to block it from spying on you and tattling!
>>>>>>>
>>>>>>> Bob
>>>>>>>
>>>>>>> On Sat, Dec 11, 2021 at 10:44:30AM -0800, Alex Carver via Ale
>>>> wrote:
>>>>>>>> I've got a two year old Vizio that has RCA L/R audio outputs on
>>>> the
>>>>>> back.
>>>>>>>>
>>>>>>>> Of course the TV does *NOT* have a built-in battery-backed RTC.
>>>> It
>>>>>> wants to
>>>>>>>> set its time every time you hit the power button via NTP and
>>>> there's
>>>>>> no
>>>>>>>> manual way to set the time either.  So the firewall rewrites its
>>>> NTP
>>>>>>>> requests to point to my internal NTP server and blocks all other
>>>>>> traffic so
>>>>>>>> it can't call home like every other TV does.
>>>>>>>>
>>>>>>>> On 2021-12-11 02:19, Steve Litt via Ale wrote:
>>>>>>>>> Jim Kinney via Ale said on Fri, 10 Dec 2021 18:22:04 -0500
>>>>>>>>>
>>>>>>>>>> Other days it's more like the vcr clock always
>>>>>>>>>> blinking "12:00" for lack of a $0.10 rc circuit to keep the
>>>> clock
>>>>>>>>>> alive during a power blink.
>>>>>>>>>
>>>>>>>>> Speaking of for lack of, how many have noticed that oh-so-modern
>>>>>> TVs
>>>>>>>>> no longer have headphone jacks. You remember headphone jacks ---
>>>>>> you
>>>>>>>>> just patch the headphone jack to the line-in of any amplifier and
>>>>>> bang,
>>>>>>>>> you've got sound, and the sound is controllable by your TVs
>>>> volume
>>>>>>>>> control.
>>>>>>>>>
>>>>>>>>> But noooooo. That's just soooo *legacy*. Instead of a 30 cent
>>>>>>>>> headphone jack, my Samsung TV has one of those silly "toslink"
>>>>>> infrared
>>>>>>>>> fiberoptics. So you have to buy a fiberoptic cable for about
>>>>>> $15.00,
>>>>>>>>> and then a $40 fiberoptic to line level converter, from which I
>>>> can
>>>>>> use
>>>>>>>>> patch cords to go into my amp's line in. Because I don't have a
>>>>>> $500.00
>>>>>>>>> "home theater" system --- but rather have a $30.00 20 watt amp
>>>>>> that's
>>>>>>>>> tiny and works just great for TV sound.
>>>>>>>>>
>>>>>>>>> Well, after trying for days to get the toslink plus adapter to
>>>>>> work, I
>>>>>>>>> read that many Samsungs just don't work with those adapters. For
>>>>>> lack
>>>>>>>>> of a 30 cent headphone jack. Oh, and of course, the Samsung's
>>>>>> built-in
>>>>>>>>> speakers are guaranteed to be indecipherable, with various
>>>>>> oscillations
>>>>>>>>> at frequencies guaranteed to obscure speech.
>>>>>>>>>
>>>>>>>>> A couple weeks ago we went out and bought about the cheapest TV
>>>> on
>>>>>> the
>>>>>>>>> market. Picture's not all that great but it had what we really
>>>>>> wanted,
>>>>>>>>> a headphone jack. Now we hear great sound that we can raise and
>>>>>> lower
>>>>>>>>> with the TV remote. Life is good.
>>>>>>>>>
>>>>>>>>> SteveT
>>>>>>>>>
>>>>>>>>> Steve Litt
>>>>>>>>> Spring 2021 featured book: Troubleshooting Techniques of the
>>>>>> Successful
>>>>>>>>> Technologist http://www.troubleshooters.com/techniques
>>>>>>>>> _______________________________________________
>>>>>>>>> Ale mailing list
>>>>>>>>> Ale at ale.org
>>>>>>>>> https://mail.ale.org/mailman/listinfo/ale
>>>>>>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>>>>>>> http://mail.ale.org/mailman/listinfo
>>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Ale mailing list
>>>>>>>> Ale at ale.org
>>>>>>>> https://mail.ale.org/mailman/listinfo/ale
>>>>>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>>>>>> http://mail.ale.org/mailman/listinfo
>>>>>>
>>>>>> _______________________________________________
>>>>>> Ale mailing list
>>>>>> Ale at ale.org
>>>>>> https://mail.ale.org/mailman/listinfo/ale
>>>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>>>> http://mail.ale.org/mailman/listinfo
>>>>>
>>>

More information about the Ale mailing list