A bug in Netflix’s screencast protocol allowed hackers to hijack video streams and “Rickroll” unassuming victims, or worse. The bug, which impacted the DIAL protocol created by Netflix and Alphabet’s YouTube, was patched in 2019. Last week the researcher who discovered the vulnerability, Yunus Çadirci, released the technical specifics of the vulnerability for the first time at Black Hat Middle East and Africa.
The flaw, dubbed DIALStranger, affects TVs, game consoles and any hardware that is discoverable to a nearby device in a local network that also supports the DIAL protocol.
The researcher told SC Media that he waited years to disclose the vulnerability to allow vendors to phase out or implement fixes on affected hardware. “I decided to wait a couple of years for devices to be updated to be aligned with protocol changes and browsers became more secure,” he said.
DIAL lacked basic IoT security features
The DIAL protocol was developed by Netflix and YouTube, with collaboration from Sony and Samsung, and allows easy screen casting between devices connected to the same local network. The protocol allows pairing without authentication. The protocol shortens the process for multi-screen video sharing from seven steps to just two steps, allowing “second screen” devices such as smartphones to discover and launch playback commands to “first screen” devices like smart TVs.
“I found [the] protocol doesn’t cover some basic security features and most of [the] TV vendors didn’t implement [the] protocol correctly,” Çadirci wrote on GitHub. “Hackers can play any video on the TVs with or without user interaction.”
Çadirci, an IT security architect at D360 Bank, found that DIAL automatically trusted the local network and made service URLs of first screen devices readily available to devices that discovered them. Using Masscan, a TCP port scanner, and similar tools to locate unsecured devices online, Çadirci determined more than a million of these exposed URLs could be exploited by malicious actors to remotely control screens.
Delivering a Rickroll payload
At Black Hat, Çadirci demonstrated how DIALStranger could be used to play an unexpected video – in this case, a “Rickroll” – on an LG smart TV. He also said he successfully used the vulnerability to exploit an Xbox One console and a Philips smart TV in 2019.
Beyond pranks and mischief, DIALStranger could be used to spread propaganda, or to profit from paid ads by commandeering hundreds of thousands of devices to rack up views for a particular video, Çadirci said. The vulnerability would be especially troublesome for large offices or malls with many devices on the same local area network, he added.
The arduous task of patching IoT devices
Smart TVs and other first screen devices are safer now than they were in 2019, said Çadirci, who previously discovered a vulnerability called CallStranger in the Universal Plug and Play (UPnP) protocol that DIAL relies on. He told SC Media his experience with CallStranger showed him that it can take years for such IoT vulnerabilities to be reasonably resolved.
“This research started in 2019 simultaneously with CallStranger CVE-2020-12695 and I saw fixing protocol vulnerabilities related to IoT is one of the hardest things in cyber security,” Çadirci said. “Most of [the] devices are not getting updates and vendors are providing updates for just latest devices.”
Netflix’s fix for DIAL
Çadirci first provided his DIALStranger report to Netflix in January 2020, and Netflix updated the protocol in August the same year. The latest version beefs up security checks around the protocol’s CORS mechanism that previously failed to insulate devices from all potential attack vectors.
In the last four years, device vendors have also mitigated the problem in several ways, including by implementing DIAL updates or adopting more secure protocols.
“For example, Microsoft Xbox added randomization to DIAL URL against spraying,” Çadirci said. “Even if we bypass CORS, this randomization will help to be secure.”
Additionally, modern browsers no longer allow FTP document loading in iframe, a method that could previously be used to bypass CORS access controls. Browsers have also largely disabled WebRTC local IP disclosure, which made it easier for bad actors to locate vulnerable devices.
How smart is your TV?
Along with his report, Çadirci made a tool called DIAL Scanner available on his GitHub page, which sends an M-SEARCH SSDP request to identify all DIAL devices on a network. He further offers a DIAL CORS testing website that network managers can use to see if their DIAL devices are vulnerable to exploitation.
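As an added illustration (not Çadirci's DIAL Scanner and not code from the article), the following Python script performs the same kind of SSDP M-SEARCH discovery: it multicasts a search for the DIAL service type and parses the LOCATION header of each responder so a network manager can inventory DIAL-capable devices on the local segment. The sample response is constructed, and the 192.0.2.10 address is a documentation placeholder, not a real device.

```python
import socket

SSDP_ADDR = ("239.255.255.250", 1900)          # SSDP multicast group and port
DIAL_ST = "urn:dial-multiscreen-org:service:dial:1"  # search target DIAL devices answer to

def build_msearch(st=DIAL_ST, mx=2):
    """Build the SSDP M-SEARCH datagram that asks DIAL first-screen devices to reply."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n\r\n"
    ).encode()

def parse_ssdp_response(raw):
    """Return the headers of an SSDP 200 response as a lower-cased dict, else None."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def discover_dial(timeout=3.0):
    """Multicast an M-SEARCH and map responder IP -> LOCATION (device description URL)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = {}
    try:
        while True:  # keep reading until the MX window closes (socket.timeout)
            data, (ip, _port) = sock.recvfrom(4096)
            hdrs = parse_ssdp_response(data)
            if hdrs and hdrs.get("st") == DIAL_ST and "location" in hdrs:
                found[ip] = hdrs["location"]
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed sample of what a DIAL device's SSDP reply looks like (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.10:8008/ssdp/device-desc.xml\r\n"
    b"ST: urn:dial-multiscreen-org:service:dial:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:dial-multiscreen-org:service:dial:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for ip, location in discover_dial().items():
        print(f"DIAL device at {ip}: {location}")
```

Per the DIAL specification, fetching the LOCATION URL returns the device description with an Application-URL response header giving the REST endpoint; that endpoint being reachable from an untrusted origin is what the CORS hardening in the protocol update addresses.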
Even after four years, however, “we are not fully secure,” wrote Çadirci, who shared on X how he used DIAL Scanner to locate over a dozen DIAL devices at his hotel on Monday. He noted that many older DIAL devices will likely never be updated.
“To be honest this is not a technical problem, it is a business decision,” Çadirci told SC Media. “Vendors are generally assigning developers to new device related tasks and old devices stay without any responsible team.”
He added that in working with embedded software development companies, he saw internal teams lose access to old development boards and toolchains within 4-5 years after device deployment, which prevented them from patching older firmware.