A bug in the screen-casting protocol created by Netflix and Alphabet’s YouTube allowed hackers to hijack video streams and “Rickroll” unsuspecting victims, or worse. The bug, which affected the DIAL protocol, was patched in 2020. Last week, the researcher who discovered the vulnerability, Yunus Çadırcı, released technical details of the vulnerability for the first time at Black Hat Middle East and Africa.
The flaw, dubbed DIALStranger, affects smart TVs, game consoles and any other device on a local network that supports the DIAL protocol and can be discovered by nearby devices.
The researcher told SC Media that he waited years to disclose the vulnerability to allow vendors to phase out or implement fixes on affected devices. “I decided to wait a few years until devices were updated to comply with protocol changes and browsers became more secure,” he said.
DIAL lacks basic IoT security features
The DIAL (Discovery and Launch) protocol, developed by Netflix and YouTube in collaboration with Sony and Samsung, allows easy screen casting between devices connected to the same local network. The protocol allows pairing without authentication. It shortens the multi-screen video sharing process from seven steps to just two, allowing “second screen” devices such as smartphones to discover and fire playback commands at “first screen” devices such as smart TVs.
“I found that the protocol does not cover some of the most basic security features and TV vendors have not implemented the protocol correctly,” Çadırcı wrote on GitHub. “Hackers can play any video on TVs with or without user interaction.”
Çadırcı, an IT security engineer at D360 Bank, found that DIAL implicitly trusts the local network and that first-screen devices readily hand their service URLs to any device that discovers them. Using Masscan, a TCP port scanner, and similar tools to locate exposed devices online, Çadırcı determined that more than a million exposed URLs could be used by malicious actors to control the displays remotely.
Rickroll payload delivery
At the Black Hat show, Çadırcı demonstrated how DIALStranger can be used to play an unexpected video clip, in this case a “Rickroll,” on an LG smart TV. He also said he successfully used the vulnerability to exploit an Xbox One console and a Philips smart TV in 2019.
Pranks and mischief aside, DIALStranger could be used to spread propaganda, or to game paid advertising by hijacking hundreds of thousands of devices to inflate the view count of a particular video, Çadırcı said. He added that the vulnerability would be particularly disruptive in large offices or shopping centers that have many devices on the same local network.
The arduous task of patching IoT devices
Çadırcı, who previously discovered a vulnerability called CallStranger in the Universal Plug and Play (UPnP) protocol that DIAL relies on, said smart TVs and other first-screen devices are more secure now than they were in 2019. He told SC Media that his experience with CallStranger showed him that it can take years for these IoT vulnerabilities to be reasonably resolved.
“This research began in 2019 in conjunction with CallStranger CVE-2020-12695, and I saw that fixing protocol vulnerabilities related to the Internet of Things is one of the most difficult things in the field of cybersecurity,” said Çadırcı. “Now [older] devices do not get updates and vendors provide updates only for the latest devices.”
Netflix’s fix for DIAL
Çadırcı first reported DIALStranger to Netflix in January 2020, and Netflix updated the protocol in August of the same year. The updated version tightens the security checks around the protocol’s CORS mechanism, which previously failed to isolate devices from every potential attack vector.
In the past four years, hardware vendors have also mitigated the problem in several ways, including by implementing DIAL updates or adopting more secure protocols.
“For example, Microsoft Xbox added randomization to the DIAL URL against spraying,” Çadırcı said. “Even if we get past CORS, this randomization will help us be safe.”
In addition, modern browsers no longer allow FTP documents to be loaded in an iframe, a technique that could previously be used to bypass CORS access controls. Browsers have also largely disabled WebRTC local IP address detection, making it harder for bad actors to locate vulnerable devices from a web page.
How smart is your TV?
Along with his report, Çadırcı has published a tool called DIAL Scanner on his GitHub page, which sends an SSDP M-SEARCH request to identify all DIAL devices on the network. He also provides a DIAL CORS test site that network administrators can use to find out whether their DIAL devices are vulnerable to exploitation.
But even after four years, “we are not completely safe,” Çadırcı wrote in a post on X describing how he used DIAL Scanner to locate more than a dozen DIAL devices at his hotel on Monday. He noted that many older DIAL devices will likely never be updated.
“To be honest, this is not a technical issue, it is a commercial decision,” Çadırcı told SC Media. “Vendors generally assign developers to tasks related to new devices and old devices remain without any responsible team.”
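As an added example (not Çadırcı’s DIAL Scanner, nor code from Netflix or any DIAL project), the script below walks through the two protocol steps described earlier in the article and the check the CORS test site is for: an SSDP M-SEARCH using the DIAL search target, recovery of each discovered device’s Application-URL from its device description reply, and a classification of how a DIAL endpoint answers a request that carries a foreign Origin header, which is what the August 2020 CORS change governs. The SSDP and HTTP replies are constructed inline so it runs offline; the 192.0.2.x addresses, the verdict labels and the sample reply bodies are this example’s own assumptions, and only discover() touches the network.

```python
"""DIAL discovery and Origin-check probe. Added example, not the researcher's tool."""
import socket
from typing import Dict, Iterable, List, Optional, Tuple

# Search target and multicast group defined by the DIAL spec for SSDP discovery.
DIAL_ST = "urn:dial-multiscreen-org:service:dial:1"
SSDP_GROUP = ("239.255.255.250", 1900)


def build_msearch(mx: int = 3) -> bytes:
    """SSDP M-SEARCH that asks only DIAL servers to answer."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {DIAL_ST}\r\n\r\n"
    ).encode()


def parse_http_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP or SSDP message into its start line and a lower-cased header dict."""
    head = raw.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def dial_locations(responses: Iterable[bytes]) -> List[str]:
    """Keep only replies advertising the DIAL service and return their LOCATION URLs."""
    found = []
    for reply in responses:
        _, h = parse_http_head(reply)
        if h.get("st") == DIAL_ST and "location" in h:
            found.append(h["location"])
    return found


def application_url(device_description: bytes) -> Optional[str]:
    """The DIAL REST base is carried in the Application-URL header of the device description reply."""
    _, h = parse_http_head(device_description)
    return h.get("application-url")


def origin_check_verdict(app_response: bytes, probe_origin: str) -> str:
    """Classify a DIAL server's answer to a request that carried a foreign Origin header.

    Labels are this example's own (assumption), not a DIAL conformance result:
      rejects-foreign-origin : 403, the behaviour a server enforcing the Origin check should show
      allows-any-origin      : Access-Control-Allow-Origin is * or echoes the probe origin
      ignores-origin         : 2xx with no CORS headers, i.e. the request was processed regardless
    """
    status, h = parse_http_head(app_response)
    parts = status.split()
    code = parts[1] if len(parts) > 1 else "000"
    acao = h.get("access-control-allow-origin")
    if code == "403":
        return "rejects-foreign-origin"
    if acao in ("*", probe_origin):
        return "allows-any-origin"
    if code.startswith("2"):
        return "ignores-origin"
    return f"other-{code}"


def discover(timeout: float = 3.0) -> List[str]:
    """Live discovery on the local network; returns LOCATION URLs of DIAL devices that answered."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies: List[bytes] = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, _ = sock.recvfrom(4096)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return dial_locations(replies)


# Constructed sample traffic (assumption; not captured from any real device).
SAMPLE_SSDP_REPLIES = [
    b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\nLOCATION: http://192.0.2.10:49152/desc.xml\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nST: " + DIAL_ST.encode()
    + b"\r\nLOCATION: http://192.0.2.20:8008/ssdp/device-desc.xml\r\nUSN: uuid:sample::"
    + DIAL_ST.encode() + b"\r\n\r\n",
]
SAMPLE_DEVICE_DESC = (b"HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n"
                      b"Application-URL: http://192.0.2.20:8008/apps/\r\n\r\n<root/>")
SAMPLE_APP_REPLIES = {
    "enforcing": b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
    "wide-open": b"HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\nContent-Type: text/xml\r\n\r\n<service/>",
    "legacy": b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n<service/>",
}

if __name__ == "__main__":
    for loc in dial_locations(SAMPLE_SSDP_REPLIES):
        print("DIAL device description:", loc, "-> REST base:", application_url(SAMPLE_DEVICE_DESC))
    for name, reply in SAMPLE_APP_REPLIES.items():
        print(name, "->", origin_check_verdict(reply, "https://attacker.example"))
```

The first sample reply is a plain UPnP root device and is filtered out, which is why a DIAL scan should match on the ST header rather than on any SSDP answer. The verdict function treats a 2xx without CORS headers as a finding rather than a pass: a cross-origin POST is delivered to the server whether or not the browser can read the reply, so only an explicit rejection shows the Origin check is enforced.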
He added that while working with embedded software development companies, he saw internal teams losing access to legacy development boards and toolchains within 4 to 5 years after a device was deployed, preventing them from patching legacy firmware.