Recently, various IoT devices such as Smart Appliance, Smart Grid and Smart Car have been developed. IoT devices collects users information to provide better personalized services and conveniences. The need for IoT devices forensics has also increased.
Smart TV is the most popular and pervasive IoT devices in the our home. Originally data collected through computer forensics, but Smart TVs have a lot of data that can track the behavior of users in the home. As a result, you can use Smart TV data as legal proof. In reality, according to the US Forbes in 2015, the Global Media company used the video search records of Samsung Smart TV as legal proof to prosecute child sex offenders.
An experimental study of the first Smart TV forensics was conducted about Samsung Smart TV(model:UN46ES8000) in 2014. This study, conducted by KIISC(Korea Institute of Information Security & Cryptology), obtained storage data through vulnerabilities in web browsers and identified various data that can trace user's actions. After that, in 2015, research for Smart TV forensics analyzing different version of Samsung Smart TV was done through same analysis procedure. However, each Smart TV manufacturers have different operating systems and default applications, It is necessary to conduct forensics study for Smart TV of other manufacturers. Though two forensic study for their LG webOS 2.0 Smart TV is conducted, studies have difficulties in obtaining forensics data. So, We conducted forensic research on LG webOS 3.0 Smart TV and identified key data that could be collected on the TV. We will also announce comparison result of forensics study for LG with Samsung Smart TV.
WhatsApp 9892124323 ✓Call Girls In Khar ( Mumbai ) secure service - Bandra F...
LG vs. Samsung Smart TV: Which Is Better for Tracking You? by Sangmin Lee
1. Sangmin Lee, Minsu Park, Seungjoo Kim
SANE(Security Analysis aNd Evaluation) Lab
Korea University(高麗大學校)
LG vs. Samsung Smart TV:
Which Is Better for Tracking You?
2. Contents
• Who are we?
• The History of Digital Forensics on Smart TV
• LG webOS 3.0 Smart TV Forensics
• Data Acquisition
• File System & Data Analysis
• Collect LG Smart TV’s digital evidences
• Compare LG with Samsung Smart TV’s Digital Evidences
• Conclusion
• Acknowledgement
• Q&A
• Reference
2 / 56
3. Who are we?
Sangmin Lee (李相旼)
Sangmin Lee is a master student of SANE(Security Analysis aNd Evaluation) Lab on CIST(Center
for Information Security Technologies) at Korea University. He is most interested in offensive
security about system vulnerabilities and is interested in fields such as digital forensics, security
assessment, and software testing. Also, he participated in projects such as "Security Testing for
External Interfaces of Vehicular Wireless Systems", "Cyber Fast Track related to IoT devices
vulnerabilities analysis" and "WebOS smart TV international security CC(Common Criteria)
certification acquisition." In 2015, he participated as a mentee at BoB(Best of the Best), an
information security leader training program hosted by KITRI(Korea Information Technology
Research Institute). He, in BoB, conducted a project to analyze vulnerabilities in embedded
devices such as routers, IP cameras, Smart home, and SCADA. Also, he presented the project
results at POC(Power Of Community) 2015 on the subject of "What if Fire Sale occurs in
Korea?"
3 / 56
E-mail : leesangmin@korea.ac.kr
Facebook : @leesangmin144
4. Who are we?
4 / 56
Seungjoo Gabriel Kim* (金昇柱)
E-mail: skim71@korea.ac.kr
Homepage : www.kimlab.net
Facebook, Twitter : @skim71
Prof. Seungjoo Gabriel Kim is a full professor of Undergraduate Department of Cyber Defense /
Graduate School of Information Security in Korea University, a member of CIST(Center for
Information Security Technologies) of Korea University, a vice-director of CW-TEC(Cyber Weapon
Test and Evaluation Center) of Korea University, a head of SANE(Security Analysis aNd Evaluation)
Lab, an advisor of 'CyKor'(Cyber security club at Korea university), a founder/advisory director of a
hacker group, 'HARU' and an international security & hacking conference,' SECUINSIDE'. Prior to
joining a tenure-track faculty member at Korea University in 2011, he was previously an Assistant
& Associate Professor of School of Information and Communication Engineering in
Sungkyunkwan University for 7 years ('04~'11). Before that, he worked as a Team Leader of
Cryptographic Technology Team and (CC-based) IT Security Evaluation Team of KISA(Korea Internet
& Security Agency) for 5 years ('98~'04). He received his B.S. ('94), M.S. ('96), and Ph.D. ('99) in
Information Engineering from Sungkyunkwan University, Korea.
E-mail : minsoon2@korea.ac.kr
Facebook : @bucktae
Minsu Park received his B.S degree in Computer Network from Silla University of Korea, in 2010
and also received his M.S degree in Information Security from Korea University of Korea, in 2013.
He is currently working toward the Ph.D. degree in Information Security, Korea University, Korea.
His research interests include Information Assurance, IoT Security, Digital Forensics and Usable
Security.
Minsu Park (朴珉洙)
*Corresponding Author
5. 5 / 56
Ref : Deloitte
The History of Digital Forensics on Smart TV
6. 6 / 56
▲ it appears to be the first ever published warrant for a smart TV
“That Time Cops Searched A Samsung Smart TV For Evidence Of Child Abuse”
- US Forbes magazine in 2017.
The History of Digital Forensics on Smart TV
7. 7 / 56
[5] “A Review of Smart TV Forensics: Present state & Future Challenges,”
Al Falayleh, Mousa. DIPECC 2013
2013.10.
[3] “Study on Smart TV Forensics,”
Kang, Heesoo, et al., KIISC*
2014.10.
[4] "Forensic analysis of smart TV: A current issue and call to arms,”
Sutherland, Iain, et al., Digital Investigation
2014.06.
[2] "A forensic overview of the LG Smart TV,”
Sutherland, Iain, et al. Australian Digital Forensics Conference
2014.12.
[1] "Smart TV forensics: Digital traces on televisions,”
Boztas, Abdul, et al. Digital Investigation
2015.03.
Related works on Smart TV Forensics
”Further Analysis on Smart TV Forensics,”
Park, Minsu, et al. the Journal of Internet Technology (Accepted for
publication
2016.11.)
*KIISC : Korea Institute of Information Security & Cryptology
The History of Digital Forensics on Smart TV
8. 8 / 56
2013.10.
2014.10.
2014.06.
2014.12.
2015.03.
Related works on Smart TV Forensics
Smart TV Forensics
Concepts
(Accepted for
publication
2016.11.)
[5] “A Review of Smart TV Forensics: Present state & Future Challenges,”
Al Falayleh, Mousa. DIPECC 2013
[3] “Study on Smart TV Forensics,”
Kang, Heesoo, et al., KIISC*
[4] "Forensic analysis of smart TV: A current issue and call to arms,”
Sutherland, Iain, et al., Digital Investigation
[2] "A forensic overview of the LG Smart TV,”
Sutherland, Iain, et al. Australian Digital Forensics Conference
[1] "Smart TV forensics: Digital traces on televisions,”
Boztas, Abdul, et al. Digital Investigation
”Further Analysis on Smart TV Forensics,”
Park, Minsu, et al. the Journal of Internet Technology
*KIISC : Korea Institute of Information Security & Cryptology
The First Experimental Study
on Smart TV Forensics
The History of Digital Forensics on Smart TV
9. 9 / 56
2013. 10.
[5] M. AI. Falayleh
2014. 10.
[3] H.S. Kang
2014. 06.
[4] I. Sutherland
2015. 03.
[1] A. Boztas
2014. 12.
[2] I. Sutherland
The History of Digital Forensics on Smart TV
(accepted for
publication
2016. 11.)
M.S. Park
[5] “A Review of Smart TV Forensics: Present state & Future Challenges,”
Al Falayleh, Mousa., DIPECC 2013
(1) Digital evidences on the Smart TV (2) Challenges facing the Smart TV forensics
[4] "Forensic analysis of smart TV: A current issue and call to arms,”
Sutherland, Iain, et al., Digital Investigation
(1) Data acquisition method on the Smart TV
- Currently, Smart TV is continuously developed
- Can’t use existing forensics tools on the Smart TV
Smart TV uses the
soldered storage device
1. Relevant digital clues
2. Universality of methods and techniques
3. The availability of assistance from the industry
4. The need for specialist knowledge or equipment
10. 10 / 56
Samsung
UN46ES8000(2012)
Target Analysis Process
-> Collecting 9 User’s Action Data on Features of TV & Applications
Testing
Post-
Imaging
Images
Diffing
Pre-
Imaging
Get Root
privilege
Collect
User’s
action data
Using SW
Vulnerability
on Smart TV
The History of Digital Forensics on Smart TV
2013. 10.
[5] M. AI. Falayleh
2014. 10.
[3] H.S. Kang
2014. 06.
[4] I. Sutherland
2015. 03.
[1] A. Boztas
2014. 12.
[2] I. Sutherland
(accepted for
publication
2016. 11.)
M.S. Park
11. 11 / 56
LG
42LS570T-ZB(2012)
Target Analysis Process
LG
55LA740V(2013)
Collect
User’s
action data
Only TV’s
Setting Menu &
Applications
Menu
&
-> Collecting 10 User’s Action Data on TV & Applications Menu
(e.g. Recent History : My Apps -> Home -> Recent)
The History of Digital Forensics on Smart TV
2013. 10.
[5] M. AI. Falayleh
2014. 10.
[3] H.S. Kang
2014. 06.
[4] I. Sutherland
2015. 03.
[1] A. Boztas
2014. 12.
[2] I. Sutherland
(accepted for
publication
2016. 11.)
M.S. Park
12. 12 / 56
Samsung
UE40F7000SLXXN(2013)
Target Analysis Process
-> Collecting about 8 User’s Action Data on Features of TV & Applications
Get Root
privilege
Collect
User’s
action data
Using SW
Vulnerability
on Smart TV
eMMC
access
NFI
toolkit
Failure
Maybe using
diffing between
pre with post
image.
The History of Digital Forensics on Smart TV
2013. 10.
[5] M. AI. Falayleh
2014. 10.
[3] H.S. Kang
2014. 06.
[4] I. Sutherland
2015. 03.
[1] A. Boztas
2014. 12.
[2] I. Sutherland
(accepted for
publication
2016. 11.)
M.S. Park
13. 13 / 56
The History of Digital Forensics on Smart TV
2013. 10.
[5] M. AI. Falayleh
2014. 10.
[3] H.S. Kang
2014. 06.
[4] I. Sutherland
2015. 03.
[1] A. Boztas
2014. 12.
[2] I. Sutherland
(accepted for
publication
2016. 11.)
M.S. Park
Samsung
UN46ES8000(2012)
Target Compare with the previous studies
vs. vs.
2014. 12.
[2] I. Sutherland
2015. 03.
[1] A. Boztas
14. 14 / 56
TV Forensics Concepts
LG
Smart TV
Samsung Smart TV
M Al Falayleh
[5]
I.Sutherland
[4]
I.Sutherland
[2]
H.S.Kang
[3]
A.Boztas
[1]
M.S.Park
Issue Year 2013 2014 2014 2014 2015 2016
Published DIPECC 2013
Digital
Investigation
Australian digital
forensics confer
KIISC* Digital Investigation
The journal of
Internet Technology
Target - -
42LS570T-ZB,
55LA740V
UN46ES8000 UE40F7000SLXXN UN46ES8000
TV’s
Release
Year
- - 2012, 2013 2012 2013 2012
OS - - webOS 2.0 Proprietary OS Proprietary OS Proprietary OS
Data
Acquisition
Method
- -
Failed to
acquire data
Software
Vulnerability
(1-day vuln)
Software
Vulnerability
(1-day vuln)
Software
Vulnerability
(1-day vuln)
Analysis
Procedure
- -
Using only TV’s
functions(config
menu, app info)
(1) Disk Imaging
(2) Diffing
(It’s guessed in the
same way as us)
(1) Disk Imaging
(2) Diffing
*KIISC : Korea Institute of Information Security & Cryptology
The History of Digital Forensics on Smart TV
15. 15 / 56
The History of Digital Forensics on Smart TV
Smart TV Hacking
Hack In Paris 2017
“Are you watching TV now? Is It real?: Hacking of smart TV with 0-day"
LG Smart TV
16. 16 / 56
The History of Digital Forensics on Smart TV
Smart TV Hacking
Black Hat USA 2013
▼“Hacking, Surveilling, and deceiving victims on Smart TV” ▼“The Outer Limits: Hacking A Smart TV”
Online community on the Samsung TV Firmware ▶
Samsung Smart TV
17. 17 / 56
Common Criteria on the Smart TV
The History of Digital Forensics on Smart TV
Study a PP(Protection Profile) for Smart TV
(2014)
LG Smart TV LG Smart TV
How to obtain CC Certification of Smart TV
(2017)
18. 18 / 56
Common Criteria on the Smart TV
Samsung Smart TV Security Solution
(received CC EAL1 certification)
LG Smart TV Application Security Solution
(received CC EAL2 certification)
The History of Digital Forensics on Smart TV
LG Smart TV Samsung Smart TV
19. LG webOS 3.0 Smart TV Forensics
- Data Acquisition
- File System & Data Analysis
- Collect LG Smart TV’s digital evidences
20. Target - LG webOS 3.0 Smart TV
20 / 56
- Model : 43UH6810
- OS : webOS 3.0
- Firmware : 4.30.85 (17.04.19)
(Latest version is updated
on 17.10.28)
21. Target - LG webOS 3.0 Smart TV
21 / 56
• webOS is a mobile operating system acquired by HP for use in various products
manufactured by LG.
• LG announces products that use webOS at CES every year.
• Currently, Smart TV, SmartWatch(Urbane), and Refrigerator produced in LG have used the
webOS.
What is webOS?
22. LG webOS 3.0 Smart TV Forensics
- Data Acquisition
- File System & Data Analysis
- Collect LG Smart TV’s digital evidences
23. Data Acquisition
23 / 56
laborious work
(In general, Smart TV’s cost over $1000.)
Invasive Physical Data Acquisition
=> Data Acquisition through application vulnerabilities
- But, Smart TV uses soldered storage devices & Disable JTAG, UART port
24. Data Acquisition
24 / 56
Known Vulnerabilities (1-day)
Using application vulnerability to acquire data
Obtain accessible
privilege to filesystem
Unknown Vulnerabilities (0-day)
25. Data Acquisition
25 / 56
• webOS emulator for developers
1) Connect to TV’s SSH services
2) Remote app installation on TV
3) Remote app execution
4) …
Attack Vector
Hack In Paris 2017 – LG webOS Smart TV’s 0-day
“Are you watching TV now? Is It real?: Hacking of smart TV with 0-day"
28. Data Acquisition
28 / 56
How can achieve the integrity of original data when
data is acquired via rooting?
e.g. Smartphone’s Digital Forensics
Partition
boot
recovery
cache
system
userdata
sdcard
Partitions affected by the vulnerabilityPartitions that achieve integrity
Available as digital evidences
29. Data Acquisition
29 / 56
How can achieve the integrity of original data when
data is acquired via rooting?
e.g. Smartphone’s Digital Forensics
boot
recovery
cache
system
userdata
sdcard
Partitions affected by the vulnerabilityPartitions that achieve integrity
Available as digital evidences
Partition
30. Partition
Data Acquisition
30 / 56
How can achieve the integrity of original data when
data is acquired via rooting?
e.g. Smartphone’s Digital Forensics
boot
recovery
cache
system
userdata
sdcard
Partitions affected by the vulnerabilityPartitions that achieve integrity
Available as digital evidences
31. Data Acquisition
31 / 56
as in the case of the United States, there will be a social debate on using a vulnerability to
acquire original data against smart TV as the need for smart TV forensics increases.
In case of Smart TV,
① The use of partitions is ambiguous. Therefore, the vulnerability affects most partitions.
(It is corresponding to not only our study but also existing studies)
② Integrity can be considered on a folder-by-folder basis, not a partition.
So, I think…
How can achieve the integrity of original data when
data is acquired via rooting?
32. LG webOS 3.0 Smart TV Forensics
- Data Acquisition
- File System & Data Analysis
- Collect LG Smart TV’s digital evidences
34. Data Analysis
34 / 56
Data
Acquisition
&
File System
Analysis
Pre-
Imaging
Functions
Testing
Post-Imaging
Comparing
pre-Image with
post-image
Collect
User’s Action
① ② ③ ④ ⑤
Other function tests OR The function re-tests
Process of Data Analysis
LG Smart TV
(43UH6810)
Analysis Computer
(1) Connect to ssh of TV with root perm
(2) Upload Image.py scripts through tftp & execute
(3) Disk image on …/usb/sda/sda1/[images].[time].dd
(4) Sending Image file
& $ rm ../usb/sda/sda1/*
Smart TV’s Disk Imaging Environment
35. Data Analysis
35 / 56
② Pre-Imaging ④ Post-Imaging③ Functions Testing
Example) Steps ② ~ ④ - Disk Imaging & Testing
36. Data Analysis
36 / 56
Example) Step ⑤ - Compare Pre-Image with Post-Image (diffing)
(1) $ diff –rNd ~/pre_image ~/post_image
(2) Using Beyond Compare, Windump to binary diffing
37. Data Analysis
37 / 56
Example) Step ⑤ - Compare Pre-Image with Post-Image (diffing)
(1) $ diff –rNd ~/pre_image ~/post_image
(2) Using Beyond Compare, WinHex to binary diffing
Plain Text File
Binary File
38. Data Analysis
38 / 56
Example) Step ⑤ - Compare Pre-Image with Post-Image (diffing)
(1) $ diff –rNd ~/pre_image ~/post_image
(2) Using Beyond Compare, WinHex to binary diffing
pre-image post-image
39. LG webOS 3.0 Smart TV Forensics
- Data Acquisition
- File System & Data Analysis
- Collect LG Smart TV’s digital evidences
40. Collect LG Smart TV’s digital evidences
40 / 56
12 User’s Actions (First check : 18 July 2017, Last check : 14 Oct 2017)
# User’s Action Path
1 Last TV On time /mmcblk0p50/vardb/main/LOG
2 TV Channel List
/mmcblk0p51/epg/db/PBS_OFF_DB_0_4.db
/mmcblk0p51/epg/tuner_favorite_move_index.txt
3 External Storage Usage History /mmcblk0p52/cryptofs/data/db8/mediadb/media/*.log
4 TV ON/OFF Reservation /mmcblk0p51/var/luna/preferences/time
5
Hardware Connection
Information
/mmcblk0p51/var/lib/webappmanager3/LocalStorage/file_com.webos.ap
p.inputmgr_0.localstorage
6 Installed App Information /mmcblk0p52/cryptofs/apps/usr/lib/opkg/status
7 Internet History /mmcblk0p51/webbrowser/chrome/Default/Bookmarks, Prefer*, History
8 Recently Service Usage History /mmcblk0p52/cryptofs/data/db8/mediadb/media/*.log
9 App Install History /mmcblk0p51/var/luna/data/downloadhistory.db
10 Checking Captured Image /mmcblk0p52/captureTV
11 Last time app opened
/mmcblk0p51/var/lib/webappmanager3/LocalStorage/https_kr.lgrecomm
ends.lgappstv.com_0.localstorage
12 Connected Wifi Infomation /mmcblk0p51/var/lib/connman/*
41. Collect LG Smart TV’s digital evidences
41 / 56
12 User’s Actions (First check : 18 July 2017, Last check : 14 Oct 2017)
# User’s Action Path
1 Last TV On time /mmcblk0p50/vardb/main/LOG
2 TV Channel List
/mmcblk0p51/epg/db/PBS_OFF_DB_0_4.db
/mmcblk0p51/epg/tuner_favorite_move_index.txt
3 External Storage Usage History /mmcblk0p52/cryptofs/data/db8/mediadb/media/*.log
4 TV ON/OFF Reservation /mmcblk0p51/var/luna/preferences/time
5
Hardware Connection
Information
/mmcblk0p51/var/lib/webappmanager3/LocalStorage/file_com.webos.ap
p.inputmgr_0.localstorage
6 Installed App Information /mmcblk0p52/cryptofs/apps/usr/lib/opkg/status
7 Internet History /mmcblk0p51/webbrowser/chrome/Default/Bookmarks, Prefer*, History
8 Recently Service Usage History /mmcblk0p52/cryptofs/data/db8/mediadb/media/*.log
9 App Install History /mmcblk0p51/var/luna/data/downloadhistory.db
10 Checking Captured Image /mmcblk0p52/captureTV
11 Last time app opened
/mmcblk0p51/var/lib/webappmanager3/LocalStorage/https_kr.lgrecomm
ends.lgappstv.com_0.localstorage
12 Connected Wifi Infomation /mmcblk0p51/var/lib/connman/*
42. Collect LG Smart TV’s digital evidences
42 / 56
# User’s Action Path
1 Last TV On time /mmcblk0p50/vardb/main/LOG
43. Collect LG Smart TV’s digital evidences
43 / 56
# User’s Action Path
3 External Storage History /mmcblk0p52/cryptofs/data/db8/mediadb/media/*.log
8 Recently Service Usage History /mmcblk0p52/cryptofs/data/db8/mediadb/media/*.log
44. Collect LG Smart TV’s digital evidences
44 / 56
# User’s Action Path
3 External Storage History /mmcblk0p52/cryptofs/data/db8/mediadb/media/*.log
8 Recently Service Usage History /mmcblk0p52/cryptofs/data/db8/mediadb/media/*.log
File Name that exists
on the external storage
USB Serial Number
Unknown Strings
USB Serial Number Serial Number
Check Serial Number on my Mac
45. Collect LG Smart TV’s digital evidences
45 / 56
# User’s Action Path
3 External Storage History /mmcblk0p52/cryptofs/data/db8/mediadb/media/*.log
8 Recently Service Usage History /mmcblk0p52/cryptofs/data/db8/mediadb/media/*.log
47. Compare LG with Samsung Smart TV’s Digital Evidences
47 / 56
LG Smart TV Samsung Smart TV
Our research I.Sutherland [2] H.S.Kang [3] A.Boztas [1]
Issue Year - 2014 2014 2015
Published -
Australian digital
forensics confer
KIISC* Digital Investigation
Target 43UH6810
42LS570T-ZB,
55LA740V
UN46ES8000 UE40F7000SLXXN
TV’s
Release Year
2016 2012, 2013 2012 2013
OS webOS 3.0 webOS 2.0 Proprietary OS Proprietary OS
Data
Acquisition
Method
Software
Vulnerability
(1-day vuln)
Failed to
acquire data
Software
Vulnerability
(1-day vuln)
Software
Vulnerability
(1-day vuln)
Data Analysis
Main
Procedure
(1) Disk Imaging
(2) Diffing
Using only TV’s
functions(config
menu, app info)
(1) Disk Imaging
(2) Diffing
(It’s guessed in the
same way as us)
*KIISC : Korea Institute of Information Security & Cryptology
48. Compare LG with Samsung Smart TV’s Digital Evidences
48 / 56
LG Smart TV Samsung Smart TV
Our research H.S.Kang [3] A.Boztas [1]
Issue Year - 2014 2015
Published - KIISC* Digital Investigation
Target 43UH6810 UN46ES8000 UE40F7000SLXXN
TV’s
Release Year
2016 2012 2013
OS webOS 3.0 Proprietary OS Proprietary OS
Data
Acquisition
Method
Software Vulnerability
(1-day vuln)
Software
Vulnerability
(1-day vuln)
Software
Vulnerability
(1-day vuln)
Data Analysis
Main
Procedure
(1) Disk Imaging
(2) Diffing
(1) Disk Imaging
(2) Diffing
(It’s guessed in the
same way as us)
*KIISC : Korea Institute of Information Security & Cryptology
49. Compare LG with Samsung Smart TV’s Digital Evidences
49 / 56
User’s Actions about features of TV
User’s Action
LG Smart TV Samsung Smart TV
Our research H.S.Kang [3] A.Boztas [1]
Last TV On Time O O X
TV Channel List O O O
External Storage Usage History O O O
O : Discover the user’s action on the TV
X : Not discover user’s action or not exist on the TV
50. Compare LG with Samsung Smart TV’s Digital Evidences
50 / 56
User’s Actions about applications
User’s Action
LG Smart TV Samsung Smart TV
Our research H.S.Kang [3] A.Boztas [1]
Installed App Information O O O
Internet History O O O
Recently Service Usage History O O O
Checking captured images O
X
(There’s no capture
func)
X
(There’s no capture
func)
O : Discover the user’s action on the TV
X : Not discover user’s action or not exist on the TV
51. Compare LG with Samsung Smart TV’s Digital Evidences
51 / 56
User’s Actions about system configuration
User’s Action
LG Smart TV Samsung Smart TV
Our research H.S.Kang [3] A.Boztas [1]
Connected Wifi Information O O X
O : Discover the user’s action on the TV
X : Not discover user’s action or not exist on the TV
52. Compare LG with Samsung Smart TV’s Digital Evidences
52 / 56
User’s Actions that exists for each Smart TV only
User’s Action
LG Smart TV Samsung Smart TV
Our research H.S.Kang [3] A.Boztas [1]
TV ON/OFF Reservation O X X
Hardware Connection Information O X X
Last time app opened O X X
App Install History O X X
Latest Watched TV Channel X O X
Camera Usage
X
(There’s no camera)
O X
Log policy configuration file X O X
Request information
In the cloud app
X
(There’s no cloud
app)
X
(Maybe there’s no
cloud app)
O
O : Discover the user’s action on the TV
X : Not discover user’s action or not exist on the TV
54. Conclusion
54 / 56
• Data Acquisition by obtaining root privilege
• Analyze data pre-imaging, testing, and post-Imaging
comparisons
• Features of TV : 5 user’s actions
• Pre-installed applications : 6 user’s actions
• System configuration : 1 user’s action
• Comparison of LG and Samsung Smart TV
• Because physical methods are laborious, data acquisition
in a logical way
• The large classification of user’s actions is similar
• User’s Actions have different depths
• Physical characteristics of Smart TV, such as camera presence
• Similar functionalities of are implemented differently
55. Acknowledgement
55 / 56
This work was supported by Institute for Information & communications
Technology Promotion(IITP) grant funded by the Korea government(MSIP)
(R7117-16-0161,Anomaly detection framework for autonomous vehicles)
58. Reference
[1] Boztas, Abdul., A. R. J. Riethoven., and Mark Roeloffs. "Smart TV forensics: Digital traces on televisions." Digital Investigation 12
(2015): S72-S80.
[2] Sutherland, Iain, et al. "A forensic overview of the LG Smart TV." (2014).
[3] Kang, Heesoo., Minsu Park., and Seungjoo Kim. "Study on Smart TV Forensics." Journal of the Korea Institute of Information Security
and Cryptology 24.5 (2014): 851-860.
[4] Sutherland, Iain., Huw Read., and Konstantinos Xynos. "Forensic analysis of smart TV: A current issue and call to arms." Digital
Investigation 11.3 (2014): 175-178.
[5] Al Falayleh, Mousa. "A review of smart tv forensics: Present state & future challenges." The International Conference on Digital
Information Processing, E-Business and Cloud Computing (DIPECC). Society of Digital Information and Wireless Communication, 2013.
[6] “That Time Cops searched A Samsung Smart TV For Evidence Of Child Abuse”, https://goo.gl/YrQhXV
[7] “LG Electronics Acquires webOS from HP to Enhance Smart TV”, https://goo.gl/BKG6G6
[8] Lee, Jonghoo., Mingeun Kim. “Are you watching TV now? Is it real?”, Hack in Paris 2017, https://goo.gl/Do51Zj
[9] Lee, Seungjin., and Seungjoo Kim. "Hacking, surveilling and deceiving victims on smart tv." Blackhat USA (2013).
[10] Grattafiori, Aaron., and Josh Yavor. “The Outer Limits: Hacking A Smart TV.” Blackhat USA (2013).
[11] SamyGo forum, “https://www.samygo.tv/”
[12] Park, Minsu, et al. “Developing a Protection Profile for Smart TV”, ICCC 2014, https://goo.gl/P7yNTv
[13] Application Security Solution V1.0 for LG webOS TV[Certification Report], https://goo.gl/jpH2HE
[14] Samsung Smart TV Security Solution V1.0[Certification Report], https://goo.gl/dNgvZA
[15] LG webOS TV Developer, http://webostv.developer.lge.com/
Editor's Notes
Good morning. My name is Sangmin. It’s my honor to present our research in CODEBLUE 2017
Our presentation title is LG vs. Samsung Smart TV: Which Is Better for Tracking You?
This is related to Smart TV forensics.
Before started, I will introduce history of smart TV forensics research.
We mainly conduct a study on LG webOS 3.0(version three) Smart TV forensics.
So we will explain analysis process(what we did, what we learned, what we found) in detail.
In final, we will compare our research results based on LG Smart TV to earlier studies focused on Samsung Smart TV forensics.
At this part, We will explain difference User’s Action in LG and Samsung Smart TV
Let me start by saying just a few words about us and my professor.
First of all, as presenter of the day, I studied information security with mentor of Best of the Best in 2015.
Because interested in Offensive Security, I mostly conducted vulnerability analysis on embedded devices.
As a result, I made a presentation on POC 2015 one of the famous hacking conference in korea titled “what if Fire Sale occurs in Korea ?”
Now on, I’m master student in Korea university. During master course, I participated in many projects related to Security Testing, Common Creteria, and IoT Devices Vulnerability Analysis .
Next, let me introduce our second author, Minsu Park
Park is a Ph.D. student at Korea University.
His main research area are Digital Forensics, Information Assurance, and especially he participated in many projects related to Smart TV forensics and Security Evaluation.
Below is our professor Seungjoo Kim and our corresponding Author of this presentation.
He is interested in Cryptography, Information assurance, Security Evaluation & Certification.
Now that we have finished introducing the author, we will start to announce the history of Smart TV.
In the graph on the right, the share of smart TV in the home IoT market is second only to the game console like PlayStation.
Smart TV collects a variety of information from users to provide better personalized services and features in their daily lives. It is also closely related to daily life among smart devices.
Therefore, Smart TV has a lot of data that can track past behavior for users in the home. Through smart TV forensics we can get additional information that traditional computer forensics can not get.
In fact, in the US in 2016, there is a case where digital evidence obtained through smart TV forensics is used to prosecute sex offenders.
This is the first use of smart TV for digital forensics.
In order to emphasize the necessity of research on smart TV forensics, this case is most representative.
Prior to the aforementioned case, research on smart TV forensics has been going on steadily since 2013.
This picture shows you brief history of Smart TV forensics.
The first research was carried out in 2013, when smart TV became popular.
Since then, a total of six studies have been conducted.
In the graph, SANE mark indicates what I did in my lab.
I will talk more about the graph in detail.
Up to now, three studies have been conducted for Samsung Smart TV and one for LG Smart TV. I will tell you more in detail from the bottom of the graph.
A study conducted in October 2013 and June 2014 discusses the concept of smart TV forensics. At this time, smart TV is starting to spread. We have mainly proposed the necessity of smart TV forensics and methods of data acquisition.
Then in 2014, Our lab member Kang performed his first practical research on smart TV forensics. The forensic target is Samsung Smart TV.
Next, research was conducted on LG Smart TV and Samsung Smart TV. Through this graph, we can see that research focused only on smart TV of a specific manufacturer.
Let me tell you about each research from now on.
This graph shows the previous slide horizontally.
The first research on smart TV forensics was carried out by author Mousa.
They present digital evidence that could exist on smart TVs.
They also mentioned there are challenges that the tools used for traditional PC forensics can not be used because smart TVs are still under development.
In next , Sutherland says that the storage devices used by smart TVs are soldered and can not extract data in the conventional way.
So we proposed 4 methods of acquiring data on Smart TV.
Next is the study conducted in October 2014.
This is the first practical study on smart TV forensics.
Kang used a vulnerability in the smart TV's browser to acquire data.
This vulnerability was introduced by Seungjin Lee at Black Hat USA 2013.
We then proposed a total of 9 User's Action Data through the binary dipping method.
Later on, our research on LG Smart TV analysis used the same analysis method.
The binary dipping method will be described in detail later in our analysis.
Next, Sutherland conducted another forensic study on LG Smart TV.
Until that point, his Smart TV forensics study is the only one that analyze other manufacturers
However, there are some limits that the study proceeded with failure to acquire data.
Therefore they proposed a User's Action that can be obtained from basic TV settings and application settings. (User's Action mean, It can be used as digital evidence)
Next, Boztas conducted a forensic study on Samsung Smart TV.
Boztas used three methods to acquire data on smart TVs.
Each method is eMMC access, NFI toolkit, and Using Software Vulnerability.
However, data acquisition using the eMMC access, and NFI toolkit failed
So, they acquired administrator privilege with vulnerability acquired from samyGO. The data was obtained through this.
The data analysis process is not described in their paper, but I think they used binary dipping similar to Mr.Kang's research.
They proposed a total of 8 User's Action Data.
Lastly, Mr.Park conducted research on Samsung Smart TV.
This paper was accepted in November 2016, but has not yet been published.
Mr.Park, who is also the second author of our presentations, conducted a study on Samsung smart TV forensics.
He compared the results with those of the existing Sutherland and Boztas.
The following table summarizes all of the words so far.
Most notable points are followings.
Only one study on LG Smart TV forensics was conducted.
And the rest are Samsung smart TV forensics.
Also, Study cases of LG Smart TV did not acquire data.
Therefore, we have conducted forensic research on LG Smart TV and will release it in detail.
Go back to the table and look at the colored part of the table.
Samsung smart TV used a software vulnerability to acquire data.
Embedded devices such as smart phones are soldered to storage devices.
So, during the forensic process, you can lose all of your data through de-soldering.
Smart TVs also have the same problem as embedded devices.
Therefore, you can see that capturing the data through the software vulnerabilities is possible.
As we will tell you later, we also used software vulnerabilities for LG Smart TV forensics.
There was also research on software vulnerabilities in smart TVs.
LG Smart TV hacking was announced by our lab member named Jongho Lee at Hack In Paris 2017.
Mr.Lee introduced a vulnerability that could lead to acquiring administrator privileges by performing vulnerability analysis on LG webOS 3.0 Smart TV.
We were able to identify the attack vector through the presentation to obtain data from LG Smart TV.
Next is Samsung Smart TV hacking.
Samsung smart TV has the highest share in the global market.
Therefore, there are a lot of research on hacking.
Black Hat USA 2013 announced two research cases about smart TV hacking.
Especially the vulnerability of the browser from the announcement of Seungjin Lee was used for data acquisition in the study of Kang's Samsung Smart TV forensics.
And there is SamyGO, an online community related to Samsung smart TV firmware.
In this community, TV user’s can share firmware acquisition and analysis contents of Samsung smart TV.
Likewise, Boztas, who studied the existing Samsung Smart TV forensics, also used a vulnerability acquired from SamyGO.
So far, I have introduced a study on smart TV forensics and smart TV hacking.
There are also studies to implement safe smart TV.
In our lab, we have conducted projects referring the Common Criteria, an international security assessment standard.
In 2014, Minsu Park, our lab member, announced a study on the development of the Protection Profile, which specifies the minimum security functions Smart TV should have in ICCC.
In 2017, Sooyoung participated in the study on CC certification of LG Smart TV.
Sooyoung was the first to obtain a CC EAL 2 certificate for LG smart TV and published it as a thesis.
This(left side) is the CC EAL 2 certificate of LG Smart TV acquired through the research project in the lab.
Currently, LG Smart TV has acquired the CC EAL 2 certificate and Samsung Smart TV has the CC EAL 1 certificate.
So far, I have put all researches on forensics, hacking, and security evaluation of smart TV together.
In conclusion, we can see that the research on smart TV is carried out in various ways.
We also found that in the case of smart TV digital forensics, there is a limit to the fact that research is focused on specific manufacturers.
Besides one study on LG Smart TV forensics shows that the data was not acquired.
Therefore, we conducted research on LG Smart TV forensics.
Now, let me talk about what we have done for LG Smart TV.
We'll talk about data acquisition process in detail.
And We will talk about the data analysis and collection process.
The analysis target is LG webOS 3.0 smart TV.
The firmware version is 4.30.85 and It was the latest version at that time
But Currently, It was updated again on October 28th in 2017.
LG Smart TV uses webOS.
webOS is a Linux kernel based mobile operating system that is used by various LG products.
Various embedded products using webOS is introduced at CES every year.
This year, LG is introduced a refrigerator using webOS.
I’ll briefly finish the introduction part, And from now on, let me talk about the process of data acquisition.
First, there is Invasive Physical Data Acquisition.
However, smart TVs have soldered storage devices.
Furthermore Debugging ports such as JTAG and UART are also disabled.
Desoldering soldered storage is laborious work.
If desoldering works go to fail, you should have risk for taking the risk of failure in Smart TV.
Currently our TV is about $ 1000, so it is a very expensive price for me.
Of course, Mr.Boztas, a researcher on Samsung Smart TV Forensics, mention it has the disadvantage of using Application Vulnerability that can easily be blocked by firmware updates.
In contrast, the physical method is difficult, but once you have succeeded, you have the advantage of continuing to use it.
But in order to collect the LG Smart TV's digital evidences, we need to see the data multiple times.
Therefore, we have acquired data through application vulnerabilities for data acquisition.
There are two ways to obtain data using application vulnerabilities.
One is a way to exploit the 0-day vulnerability, the Unknown vulnerability.
There is a way to find the 0-day vulnerability directly. Or, if you can purchase the vulnerability, you can purchase it.
The other one is a way to exploit 1-day vulnerability, the Known vulnerability.
1-day vulnerability can use exploit codes published in CVE or Exploit Database.
You can also identify Attack Vectors through material published at hacking conferences such as Black Hat and Hack In Paris.
Through many conference papers and vulnerability database, we can personally analyzed 1-day vulnerabilities.
We decided to analyze the vulnerability directly to acquire data from LG Smart TV.
We saw the announcement of Hack In Paris and identified the Attack Vector.
The Attack Vector is a webOS Emulator that is distributed to developers.
The emulator has many features such as enabling SSH service on your TV, installing and running apps remotely on your TV.
So we analyzed the emulator intensively and found a Command Injection vulnerability that could gain administrator privileges.
I prepared the video, but I explained the vulnerability in detail, so I will explain by the picture.
If you access SSH through emulator, connect as prisoner account.
However, the account can not access all file systems.
At the bottom of the picture, you can see that the result of the mount command is zero.
As a result, we have found a vulnerability in Command Injection that can elevate privilege through analysis of the vulnerability of the emulator.
So I got root privilege as a Command Injection vulnerability. And I was able to access all the file systems.
You can see that 115 results are printed by executing the mount command.
Of course, this vulnerability has already been patched via a firmware update.
There is a point to be noted before going forward.
How can achieve the integrity of original data when data is acquired via rooting?
Take the digital forensics of smartphones as example.
Smartphones are clearly divided according to the use of partitions.
Therefore, there is a partition affected by the vulnerability.
The partition can not preserve integrity.
Therefore, the data on that partition is not recognized as digital evidence.
In Contrast, partitions that are not affected by the vulnerability are not compromised.
Therefore, the data on that partition can be used as digital evidence.
In the case of smart TVs at present, the partitions are not clearly divided.
So many partitions are affected by the vulnerability.
If the integrity of the data is taken into consideration, integrity can be preserved on a folder-by-folder basis.
In my opinion as in the case of the United States, there will be a social debate on using a vulnerability to acquire original data against smart TV as the need for smart TV forensics increases.
We acquired administrator privileges and acquired data through software vulnerabilities that existed in the webOS Emulator.
Next, I will explain the process of analyzing the data acquired.
We already acquired root privileges, and now it’s time to analyze the data to collect the user's action data.
The first thing we did was check the file system through the mount instruction.
A lot of mount information was displayed through mount instruction, and I checked the mount information of the flash memory starting with mmcblk.
Mmcblk is a block of MMC (Multi Media Card) which is the memory card standard of flash memory.
In the table, there are partition blocks from mmcblk0p15 to 52.
As you will see on the next slide, however, mmcblk mount disks do not change as you use your TV except 50, 51, and 52.
Therefore, we focused on mmcblk50, 51, 52 where data is created, deleted, and modified according to TV usage.
Next, let's talk about the data analysis process.
The process totally takes 6 steps.
First step is data acquisition and file system analysis.
We used Application Vulnerability to gain administrative privileges and obtain data.
We also identified the mmcblk partition through file system analysis.
Second step is the Pre-Imaging. Through the dd command to image all mmcblk partitions.
Third step is just use the functions of the TV, such as application launch, HDMI connection or some other things.
Fourth is post-imaging step. through the dd command, Imaging all the mmcblk partitions one more time.
In Fifth step, we compares the data between Pre-Imaging and Post-Imaging.
We did binary imaging using the Diff command on linux, Winhex and Beyond Compare on Windows tool.
This allows us to identify User's Actions that can be used as digital evidence.
Finally, repeat steps 2 to 5 to identify User's Action data that can be used as Digital Evidence for various functions on the TV.
The environment I implemented to perform steps 2 to 4 of the process is shown below.
It takes about 10 minutes to image all mmcblock once.
Therefore, the most important thing to consider when imaging a disk was to minimize storage space and minor mistake.
My target is using a small amount of flash memory.
So, This can cause problems during the imaging process
Since the TV supports USB, I saved the image file to USB.
We also used tftp to transfer the image directly from Smart TV to computer conducted analysis and immediately delete images to minimize any human error due to the increased image file.
Smart TV provided Python, so I wrote a script and got it to work at once.
Of course, the reason I used Python scripts was to minimize mistakes.
The data analysis process described in the previous five steps will be explained again with an example.
Steps 2 to 4 of the analysis procedure is like this slide :
In step 2, Pre-Imaging is conducted
In step 3, just use the TV features such as TV ON / OFF and HDMI connection.
In step 4, Post-Imaging is conducted.
In Step 5, Through Comparison between the Pre-Image file and the Post-Image file, we find the user's action.
Mount each imaged image file in a different folder.
Then run pre & post image diffing through Linux diff command.
If you execute the whole Pre & post image file through the diff command, you can get the same result as the picture above.
From the results, you can identify the data from Create, Delete, and Modify in pre and post images.
After executing diff command with –rNd option, you can see which files are created or deleted.
If the different file is plain text files, you can see the contents through the diff command.
Also if the different file’s type is binary, you can identify the binary files are different.
After this, binary files marked differently were analyzed manually by Socoter's Beyond Compare and X-Ways' winHex files one by one.
So in the case of a binary file marked different from the results obtained by the diff command, binary dipping was conducted in Windows.
It all took a long time to go through the manual.
Through the analysis process, various user's action data that can be used as Digital Evidence are identified.
Let me talk about this.
We have identified 12 User's action data that can be used with Digital Evidence through our analysis process.
For each User's Action, we will explain it in comparison with the results of previous Samsung Smart TV forensics research.
However, three marked User's Actions have a special character that data is volatile.
So only the three will be described in detail.
First, let me talk about Last TV On Time.
When you turn on Smart TV, the TV turns on first, and webOS boots in the background.
A LOG file including Last TV On Time information is created each time when webOS is booted.
Then, let’s take a look at the picture below.
The contents of the LOG could not check correctly.
I carefully guess it is related to booting.
But, the information marked by the red rectangle always points to boot time.
Therefore, although it does not explicitly indicate Last TV On time, you can obtain Last Time on Time information by viewing the date and time information in the LOG file.
The following is about User's Actions in External Storage History and Recently Service Usage History.
Two pieces of information share a single log file.
The log file has a dot log extension.
And file expressed with asterisk is given a certain number every time the TV is booted, but I have not found a reason why this happened.
The * .log files also use their own format.
So we continued to analyze the format, but we could not figure it out.
So the exact format is unknown, but the file’s contents was existed in the text, so I could manually analyze it through the Text Viewer.
Let's move on to User's Action again.
First, let's start with External Storage History.
LG Smart TV offers a USB port for photo, video, music, and patch functions.
When the storage device is connected to the corresponding port, the serial number of the connected device and the file name information existing in the connected device are stored in the log file.
In case of Serial Number, it is displayed as Hexadecimal Value.
You can check the serial number by converting hex value to ASCII code through Script.
The bottom right photo shows the serial number of the same storage device connected to my MacBook.
You can also see that log file records the file names that exist in the connected external storage device.
However, there are also Unknown Strings in the log file. I continued to analyze, but I could not figure it out.
Next is the Recently Service Usage History.
It is stored in the same file where the previous External Storage History stored.
The log file writes new data by appending them at the bottom.
When you run the Application, the Application's Package Name is written to the * .log file.
Therefore, you can check the log file to find out the order in which the application runs.
However, the 3 User's actions mentioned so far are characterized by being deleted each time the TV is turned off, and newly created when turned on. Which means it is volatile information.
So far, we have introduced the results of LG Smart TV forensics.
Finally, let me tell you a comparison of Digital Evidence presented in a study on LG and Samsung smart TV forensics
The comparison results are shown in the table.
The comparison with LG Smart TV is Sutherland’s research.
And the comparison for Samsung Smart TV is the research of Kang and Boztas.
First, our research and Sutherland analyzed smart TVs with webOS 3.0 and webOS 2.0, respectively.
And we used software vulnerabilities for data acquisition.
However, Sutherland proposed only a simple User's action that could be checked in the configuration because the data acquisition in his research was not successful.
Therefore, we compared forensics research except for the Sutherland’s.
Kang and Boztas on Samsung Smart TV analyzed smart TV with proprietary OS.
For Samsung smart TV, they currently use Taizen.
But there is no research on Smart TV forensics that currently uses Tizen.
We think that forensic research is necessary for Samsung smart TV using Tizen OS.
In the data acquisition procedure, all three studies used software vulnerabilities.
In the data analysis procedure, our research and Kang's research performed binary dipping after Partition Imaging.
In case of Boztas, he did not mention in detail on the data analysis procedure in his paper, but I guess he used the same method.
And to conclude, the table shows that you have used software vulnerabilities to acquire data on embedded devices.
Therefore, the existing oftware vulnerabilities such as digital forensics of smartphones is likely to become an important issue for smart TV forensics.
Now, let's compare each study’s results.
O marks in the table means “Discover the user's action on the TV”.
In contrast, X means “Not discover user's action or not exist on the TV”.
First, it's User's Actions on the TV's traditional functions.
In case of Last TV On Time, it was existed in LG Smart TV and Samsung Smart TV analyzed by Kang.
Also TV Channel List and External Storage Usage History are found in both LG and Samsung Smart TV.
We'll compare them through demo videos in detail. (There may or may not be a demonstration vedio.)
Next is User's Actions for Smart TV applicatoins.
You can see that Installed App Information, Internet History, and Recently Service Usage History data exist.
However, Checking captured images exist only on LG Smart TV.
Because Samsung smart TV analyzed by Kang and Boztas has no capture function.
We will also compare them through the demo video. (There may or may not be a demonstration vedio.)
Next is the User's Action for system configuration.
Connected Wifi Information data exists on TV analyzed by Kang and Our research.
I think we can check this data from the TV's setting through the remote controller.
Boztas did not suggest, but I think it will exist.
But in case of LG Smart TV, you can get more detailed data about WiFi information.
Let's take a look at the demo video. (There may or may not be a demonstration vedio.)
Finally, it is User's Actions that are unique to each Smart TV.
User's Actions written in the table can be differently found depending on the manufacturer's implementation method or physical characteristics.
First, let's take an example of the differences in implementation method.
For example, in case of TV ON / OFF Reservation, Samsung Smart TV does not have TV ON / OFF Reservation function.
Additionally, ‘Request Information exists only on the cloud application’ User’s Action in TV analyzed by Boztas.
And let me give an example of the difference by physical characteristics.
For example, in case of ‘Camera Usage’, LG Smart TV does not have a camera.
The User's Action that we describe now is affected by the implementation method or physical characteristics, so it is likely to be different for each manufacturer or product.
We'll explain one by one in detail through the demo video. (There may or may not be a demonstration vedio.)
Initially I have talked about related research on forensics, hacking, and security assessment for Smart TV.
Next, I described the research on LG Smart TV forensics.
In presentation, I talked about my personal thoughts about the integrity of smart TV data when acquiring data using software vulnerabilities.
Finally, we compared results among LG Smart TV and Samsung smart TV forensics research.
Now, let me tell you the conclusion of today's presentation.
We acquired data by gainng root privileges through software vulnerabilities.
We analyzed the data through pre-imaging, testing, and post-imaging processes and proposed a total of 12 User's Actions.
Our suggested User's Actions are 5 for the TV's native functionality, 5 for the pre-installed applications, and 1 for the system configuration.
And we compared LG and Samsung Smart TV.
As a result, we found when conducting Smart TV forensics, Using software vulnerabilities for data acquisition is in common.
And the large classification of User's actions proposed in each study was found to be the same.
But Depths were different depending on implementation method and physical characteristics.
Although the depth is different, I think that the user's action that each TV has in common can be utilized as main Digital Evidence when performing actual smart TV forensic.
I also think we can use the unique Digital Evidence of TV by analyzing the characteristics of smart TV first.
Thank you all for listening.
This is end of my presentation. If you have questions, ask me without hesitation