Luigi Auriemma, the prolific Italian researcher and tester that continuously discovers new vulnerabilities in a great number of devices, platforms, games, browsers, SCADA systems, and software, has discovered a bug that can make all current versions of Samsung devices with support for remote controllers (TVs and Blue Ray systems) enter in a difficult-to-break endless circle of restarts.
“When the controller packet is received on the device it displays a message on the screen for telling the user that a new ‘remote’ device has been found and he must select ‘allow’ or ‘deny’ to continue,” he explains.
“The message includes also the name and MAC address specified in the received packet, they are just normal strings (there is even a field containing the IP address for unknown reasons).”
He discovered that when he changed the string field used for the name of remote controller into an invalid name string (for example containing line feed and other invalid characters), the TV behaves normally for 5 seconds, then stops accepting input either from the remote controller of the TV panel.
After 5 more seconds, the device restarts automatically, and repeats the 5 minute-normal-bahavior and failure-to-accept-input steps, waits 5 seconds, restarts, and so on and so forth.
“During these continuous reboots it’s not even possible to reset the device (for example the ‘EXIT’ button for 15 seconds can’t work in this state) or doing other operations allowed by the normal users without affecting the warranty,” Auriemma claims.
“This is not a simple temporary Denial of Service, the TV is just impossible to be used and reset so it’s necessary the manual intervention of the technical assistance that will reset it via the service mode (luckily the 5 seconds of activity are enough to reach the reset option).”
He also points out that the exploitation of the vulnerability can be avoided by pushing the EXIT button when faced with the “allow/deny” option, but the bug definitely seems like one that has to be patched soon.
“The vulnerabilities require only the Ethernet/wi-fi network connected to be exploited so anyone with access to that network can do it,” he added, referring also to another possible buffer-overflow bug that could crash the device.
Unfortunately, he says that he doesn’t know where to report the problem to Samsung, because the company does not have a dedicated email address for reporting these kind of things.