Samsung Remote Control Hack

Origin

So, I lost the remote and found an app that could act as one, but it had a lot of ads and required pairing. I thought: OK, so that is possible, but what if the neighbor had a TV and I connected to it? Fast forward a little while to when my GF complained that the Wi-Fi was slow.

Overview

Given the IP address of the TV, the application would be able to send signals to it without it even being on or connected, because it is forcing packets to the protocol.

Step 1 - Recon

I ran Wireshark on the Wi-Fi and found that the TV was using the UPnP protocol, and an Nmap scan showed that the port for that protocol was indeed open|filtered, which theoretically means it was possible. I found someone with code for an earlier version that shows it is possible, though it does use AES encryption, which will have to be cracked.

All the other programs I found were for 2018 or earlier devices, meaning there was a patch, so this was a concern at one point.
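As an added example of the recon step (not code from the original write-up or from the TV vendor), the script below does the UPnP discovery that Wireshark reveals: it sends an SSDP M-SEARCH to the standard multicast group 239.255.255.250:1900, parses the HTTP-style replies, and reads the device description XML that a reply's LOCATION header points to. The two sample replies and the description document are constructed for this example, not captured from a real TV, and the "Samsung" string match is a heuristic assumption, not a documented identifier.

```python
"""Added example (not the write-up author's code): SSDP discovery of UPnP
devices, such as a TV, on the local network. Sample data below is constructed."""
import socket
import xml.etree.ElementTree as ET

SSDP_ADDR = "239.255.255.250"   # standard SSDP multicast group
SSDP_PORT = 1900                # standard SSDP port (UDP)
UPNP_NS = {"u": "urn:schemas-upnp-org:device-1-0"}


def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build the M-SEARCH request a UPnP control point multicasts over UDP."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"             # seconds a device may wait before replying
        f"ST: {search_target}\r\n"  # search target: ssdp:all, a device or service URN
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP reply into its status line and a dict of headers.

    Header names are lower-cased because devices differ in capitalisation;
    lines without a colon are skipped instead of raising.
    """
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def looks_like_samsung_tv(headers: dict) -> bool:
    """Heuristic (assumption): the vendor name shows up in SERVER, ST or USN."""
    haystack = " ".join(headers.get(k, "") for k in ("server", "st", "usn")).lower()
    return "samsung" in haystack


def parse_device_description(xml_bytes: bytes) -> dict:
    """Extract identity fields from the device description XML at LOCATION.

    The document comes from an untrusted device; for real use prefer
    defusedxml, which refuses entity-expansion payloads.
    """
    root = ET.fromstring(xml_bytes)
    device = root.find("u:device", UPNP_NS)
    if device is None:
        return {}
    fields = ("deviceType", "friendlyName", "manufacturer", "modelName")
    return {f: device.findtext(f"u:{f}", default="", namespaces=UPNP_NS) for f in fields}


def discover(timeout: float = 3.0, search_target: str = "ssdp:all") -> list:
    """Live discovery: multicast one M-SEARCH and collect replies until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(search_target), (SSDP_ADDR, SSDP_PORT))
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            reply = parse_ssdp_response(data)
            reply["from"] = ip
            found.append(reply)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample replies (not real captures).
SAMPLE_TV_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.50:7676/smp_2_\r\n"
    b"SERVER: SHP, UPnP/1.0, Samsung UPnP SDK/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
    b"USN: uuid:0a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d::urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
    b"\r\n"
)
SAMPLE_ROUTER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    b"SERVER: Linux/3.x UPnP/1.0 MiniUPnPd/2.1\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)
SAMPLE_DESCRIPTION_XML = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
    <friendlyName>[TV] Living Room</friendlyName>
    <manufacturer>Samsung Electronics</manufacturer>
    <modelName>SampleModel-55</modelName>
  </device>
</root>"""

if __name__ == "__main__":
    for reply in discover():
        h = reply["headers"]
        tag = "samsung?" if looks_like_samsung_tv(h) else "other"
        print(f'{reply["from"]:15} {tag:8} {h.get("server", "")} -> {h.get("location", "")}')
```

Run it on the same Wi-Fi as the TV and it prints one line per responding UPnP device with its LOCATION URL, which you can then fetch and hand to `parse_device_description`. One point worth knowing about the Nmap result: for UDP ports, Nmap reports open|filtered when it gets neither a reply nor an ICMP port-unreachable back, so it cannot tell an open port from a firewalled one; a parsed SSDP reply like the ones above is positive confirmation that the service is there, and `nmap -sU -p 1900 --script upnp-info <ip>` will do the same probe from Nmap.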

Failure

Once I was done researching, I had to determine one aspect of every project: is the reward worth the amount of time I am going to spend? I have a low threshold, as I will do things for stupid reasons, but this one was different. The coding and reverse engineering required are possible, and I would say a medium-skilled person like me could pull it off. The problem is the cryptography aspect, which is the key strength of the project. That is not a strong point of mine at all, so I would need someone else, and not many people are reliable.

Theoretical steps of how it would work

I would be creating a virtual device through the Tizen OS and its SDK (available so developers can make applications). Then on to the actual application: set up an application that, with the prior authentication, can send signals to the OS for actions. Once we have our signals down, we then have to get to the hard part of going backwards step by step. The first step is the encryption: by sending malformed packets you can find the pattern used for a successful crack of the authentication process. One more step up is authentication, and trying to get the device to interpret a packet without the authentication process being used. That is how I would go about it, but I am no expert, so there might be a step that is not needed or an easier way.