Philips Smart TVs wide open to Gmail cookie theft, other serious hacks: Internet-connected TVs manufactured by Philips running the latest firmware update are wide open to browser cookie theft and other serious attacks by hackers within radio range, a security researcher has warned.
The hacks work against Philips Smart televisions that have a feature known as Miracast enabled, Luigi Auriemma, a researcher with Malta-based ReVuln (Twitter handle @revuln), told Ars. Miracast allows TVs to act as Wi-Fi access points that nearby computers and smartphones can connect to so their screen output can be displayed on the larger set. The hacking vulnerability is the result of a recent firmware update that allows anyone within range to connect to the TV, as long as they know the hard-coded authentication password “Miracast.”
Once someone has connected to the Miracast-enabled Wi-Fi network, they can use publicly available software to download any personal files that may be contained on USB drives plugged in to the Philips Smart TV. More troubling, connected devices can steal the highly sensitive browser cookies that many websites rely on to authenticate users when they access their private accounts.
In a video posted Wednesday, Auriemma showed how authentication cookies for valid Gmail accounts were siphoned off a Philips TV running the latest firmware. The video also demonstrated how videos, images, and other data stored on a USB drive connected to the TV can also be accessed. The theft took seconds to carry out, and there was no visible indication to an end user that anything was amiss.