I’ve just returned from Berlin, the capital city of Germany, where I attended the 35th Virus Bulletin cybersecurity conference and (ahem, humblebrag) delivered the closing keynote address, entitled Cybersecurity in 2035.
As usual, I went on my bicycle (admittedly with the help of a plane for most of the journey), making it easy to explore the city in the evenings, albeit with the risk of getting hopelessly lost in unfamiliar surroundings.
But I quickly realized that all I had to do was memorize how to get from my hotel to Berlin’s most prominent landmark and back, after which getting home was just a matter of aiming for the TV Tower, nearly 400m tall, now a huge tourist attraction but originally a soaring Soviet-bloc symbol, just over the old inner German border in East Berlin.
TV towers, especially in areas like Berlin without any natural hills, were built super-high because TV transmission works on line of sight, so the higher up you could mount the transmitter, the more people you could reach from a single point.
These towers visibly signaled the huge power and reach of their broadcasts, and those of us who grew up in the days of analog TV will surely remember worriedly asking asking our parents, “If we can watch the newsreaders live in the studio, what’s to stop them watching us in our living room?”
Back then, of course, even in surveillance-hungry East Germany, that the system simply couldn’t, and didn’t, support that sort of thing.
Embedding a microphone, a video camera and a sufficiently powerful transmitter into every TV was impossible, on the three-fold grounds of size, cost, and power consumption.
Just think how powerful the transmitter in the tower had to be to reach you, and imagine every household having enough power to beam its own spy signal all the way back to the tower.
O, how times have changed!
Today’s Smart TVs aren’t just internet-connected, two-way communication devices like your phone and your laptop.
They pretty much act as always-on servers, hooked up permanently on the inside of your home network, which you probably use for work at least some of the time.
They can consume, display, and send out content of all sorts, not just so you can watch TV shows and films on the Smart TV itself, but so you can stream pictures and movies from your phone to the TV (and vice versa).
You can install apps on them for a wide range of purposes; run a built-in web browser; use the TV to store and share files with each other; retrieve live feeds of weather, news and more; send and receive messages; and more.
Given that many Smart TVs run an operating system such as Linux or Android, you can even log into them across the network (officially or unofficially, depending on the vendor) and run commands, just as your sysadmins do when they manage the servers on your business network.
Some Smart TVs have built-in microphones and webcams for audio and video calls, the sort of built-in surveillance-friendly capabilities that the authorities of the former DDR (the so-called German Democratic Republic, or East Germany) could only have dreamed about.
In short, there’s a lot that could go wrong in both your physical and digital lives if your Smart TV turns out to have exploitable software vulnerabilities.
indeed, a recently disclosed vulnerability in LG WebOS TVs is an interesting reminder that Smart TVs aren’t always programmed to the standards we might expect.
These security flaws were uncovered in May 2025 at TyphoonPWN 2025, a sponsored hacking contest held in South Korea, where product vendors put forward bug bounties that successful entrants can win in return for providing the vendor with full details of exploitable bugs and a reasonable time to fix them before telling anyone else.
Now that the vulnerabilities have been patched by LG, news about the nature of the bugs involved has been published.
This approach to bug-hunting, known as responsible disclosure, is considered normal these days. It contrasts with full disclosure, where bugs are documented publicly right away, thus forcing vendors to take them seriously and fix them immediately; and with non-disclosure, where bugs are never publicly documented and unscrupulous vendors are therefore free to sweep them under the carpet and pretend they don’t exist. Responsible disclosure is seen as a sensible half-way point. It gives well-meaning vendors a fair chance to fix flaws before they become known to everyone (including cybercriminals), while nevertheless holding lazy or incompetent vendors to account by agreeing a date when the bug will become public whether it has been fixed or not.
Sadly, the primary bug in this case is a so-called path traversal vulnerability, a well-known programming mistake that has plagued web servers for decades, and really shouldn’t be seen these days.
As you probably know, when your browser (or any URL-aware program) fetches a web page from a server, it usually does so with a hypertext transfer protocol (HTTP) request that looks something like this:
GET /images/happy-faces.png HTTP/1.1
To this day, the default behavior of many web servers is to treat requests of this sort as a filename, complete with subdirectories, and to look for a file with exactly that name in the server’s own website storage area.
Microsoft IIS, for example, uses the directory C:/INETPUB/WWWROOT
as the starting point for the files you want to publish (Windows filenames can use Unix-style forward slashes as well as Windows-style backslashes), so that a request such as the one above would cause the server to look for a file called C:/INETPUB/WWWROOT/images/happy-faces.png
.
Clearly, sneakily trying to access a file outside the official website directory ought to fail, because the server knows to start in a specific subdirectory, and to work downwards from there.
For instance, trying to retrieve the Windows HOSTS
file, which often gives away information about the local network by listing important servers, wouldn’t work, because․․․
GET /Windows/System32/drivers/etc/hosts HTTP/1.1
․․․gets converted into a local filename of C:/INETPUB/WWWROOT/Windows/System32/drivers/etc/hosts
, which is a completely different file that almost certainly doesn’t exist.
But what if you include various “special” characters in the filename, notably the sequence dot-dot (/․․/
), universal shorthand for “go up one directory and start again from there,” like this:
GET /../../Windows/System32/drivers/etc/hosts HTTP/1.1
If the programmer doesn’t check for the rather obvious (and dangerous) dot-dot sequence, this request gets processed as shown below, as each dot-dot part is simplified.
Each dot-dot effectively “cancels out” the subdirectory name immediately before it, by backing up one step in the directory structure:
C:/INETPUB/WWWROOT/../../Windows/System32/drivers/etc/hosts --> C:/INETPUB/../Windows/System32/drivers/etc/hosts --> C:/Windows/System32/drivers/etc/hosts
The result of this progamming mistake, where the server doesn’t validate its input, is to allow website visitors to wander around at will.
The attacker doesn’t even have to know how many dot-dot sequences are needed, because once you get to the top of the tree, any extra dot-dot commands are simply ignored, so that C:/../../..
is equivalent to specifying the root directory C:/
exactly.
Right now, you may be thinking, “But why all the fuss about buggy web servers on my Smart TV?”
Well, it turns out that to help you access files on USB devices that you plug into your WebOS TV, LG helpfully and automatically fires up a special web server on port 18888 (unencrypted HTTP usually uses port 80).
This means that you can easily look at the files via a web browser on any mobie phones, laptops, and other computers you have at home.
And it also turns out that although LG’s programmers published the files in dedicated subdirectories on the TV, such as /tmp/usb
and /tmp/home.office.documentviewer
, they made the rather elementary blunder of not checking for the presence of dot-dot sequences in the filenames requested.
A rogue user on the network, or a rogue script in a web page loaded into someone’s browser on the network, could therefore read out almost any file from the TV, including private OS files containing authentication keys, such as:
GET /../../var/db/main/CURRENT HTTP/1.1 --> /tmp/usb/../../var/db/main/CURRENT --> /tmp/../var/db/main/CURRENT --> /var/db/main/CURRENT
In this way, what starts as read-only access to the TV’s authorized users’ database can be parlayed, in future web requests, into read-and-write access to the system by extracting user details from the exfiltrated data.
As the TyphoonPWN bug report puts it, this subsequent authenticated access could be used to “enable developer mode, install malicious applications, and ultimately take control of the device.”
The bug bounty hunters who uncovered the flaw showed in their bug breakdown how a rogue app called com.reverseshell.myapp
could be injected onto the TV to hand over a remote command prompt to an attacker waiting for malicious connections from affected TVs.
Usually, if you want to login and get access to a command prompt on a remote server, you need to connect inwards to the server, go through authentication checks, and then get hooked up over the network connection to the command prompt.
(On Linux, this is usually a command-processing program such as the well-known Bash
shell; on macOS, it’s typically Zsh
; on Windows, it’s usually CMD.EXE
or a PowerShell
prompt.)
But if you can trick the server into starting a command prompt and then creating an outbound network connection to a computer where you just happen to be ready and waiting․․․
․․․then no authentication is needed, because you are the accepting the connection “in reverse,” instead of the server itself taking control of an incoming connection.
Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image of rainbow TV icon from Flaticon by Freepik.
By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.