NEWS “Hello, is that a hacker?” “It’s your TV.” OpenAI has taught algorithms to hack electronics

pinkman

An experiment in the uprising of the machines, confined to a single TV.
A TV became an unexpected target for an experiment with artificial intelligence. The developers gave the OpenAI Codex system limited access to the browser on a Samsung Smart TV and asked whether it could hack the device on its own and gain full control. As a result, the algorithm not only found a vulnerability but also reached root level.

The experiment began with an already compromised browser. Code was executing inside its restricted environment, and from there everything depended on the capabilities of the system: it had to study the device, work out which interfaces were available, find a weak point and bypass the protection. The developers did not say where to look for the flaw and did not supply ready-made attack scenarios.

The algorithm was given access to the firmware source code and to the TV itself. It analyzed the logs, sent commands to the system, and checked the results. When necessary, it built auxiliary programs and ran them directly from memory, bypassing the built-in Tizen protection that blocks the launch of unsigned files.

Quite quickly, the system turned its attention to drivers with names matching `ntk*`. Their device nodes were writable by any process, including the browser. The source code revealed the key problem: the driver allowed a caller to specify an arbitrary physical memory address and map it into user space without any permission check.

Simply put, a program could read and modify the contents of RAM directly. Such access is rarely left unrestricted, but in this case the TV's developers had opened it to everyone. To confirm that the technique worked, the system first obtained a valid physical address through another driver, and then successfully read and modified the data at that address. After that, all that remained was to find in memory the structure that holds the process's privileges.

The algorithm scanned memory, found the data for the current browser process and overwrote its user and group identifiers with zeros. On Linux-based systems, these values mean maximum privileges. Once the credentials were replaced, the browser effectively became the device administrator.

The final test showed the expected result: the process had uid=0 and full access to the system. The whole chain, from analysis of the source code to exploitation, ran automatically, with a few corrections from a human when the system went off track or ran commands that did not behave as expected.

The author emphasizes that this was not about finding an initial vulnerability: access to the browser had already been obtained in advance. The question was simpler: whether artificial intelligence could carry the attack through until the device was completely taken over. The answer was conclusive.
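The missing check described above, shown as an added example that is not part of the original post or the vendor's driver: a user-space C model of the validation a driver should perform before mapping physical memory for a caller. The function names, the `privileged` flag (standing in for a kernel capability check) and the region table are hypothetical, constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096u /* assumed page size for this model */

/* Hypothetical physical ranges the device legitimately owns (constructed). */
struct phys_region { uint64_t base, size; };
static const struct phys_region allowed[] = {
    { 0x10000000ULL, 0x00100000ULL }, /* e.g. a frame buffer */
    { 0x20000000ULL, 0x00004000ULL }, /* e.g. a register window */
};

/* Flawed behaviour as the article describes it: any address, any caller. */
bool map_ok_unchecked(uint64_t phys, uint64_t len, bool privileged)
{
    (void)phys; (void)len; (void)privileged;
    return true;
}

/* Hardened: privileged caller, page-aligned, no wrap-around, and the
 * whole range must sit inside one region the device owns. */
bool map_ok_checked(uint64_t phys, uint64_t len, bool privileged)
{
    if (!privileged)
        return false;
    if (len == 0 || phys % PAGE_SZ || len % PAGE_SZ)
        return false;
    if (phys > UINT64_MAX - len)        /* phys + len would overflow */
        return false;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (phys < allowed[i].base)
            continue;
        uint64_t off = phys - allowed[i].base;
        /* Compare against remaining space to avoid adding phys + len. */
        if (off < allowed[i].size && len <= allowed[i].size - off)
            return true;
    }
    return false;
}

int main(void)
{
    /* A request for ordinary RAM outside the device's own regions. */
    uint64_t ram = 0x80000000ULL;
    printf("unchecked: %d\n", map_ok_unchecked(ram, PAGE_SZ, false));
    printf("checked:   %d\n", map_ok_checked(ram, PAGE_SZ, true));
    return 0;
}
```

In a real driver the same logic belongs in the mmap handler, alongside restrictive permissions on the device node so that unprivileged processes such as a browser cannot open it at all.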