Vizio Smart TV Mobile Pairing is Vulnerable to Brute Force Attacks

Advisory IDL9-44-478PublishedJune 28, 2021UpdatedAugust 19, 2021
CategoryBrute ForceVendorVizioProduct2018 P65-F1, 2017 E50x-E1Version6.0.31.4-2,

Risk Summary

The pairing procedure used by the Vizio TV and mobile application is vulnerable to a brute-force attack. The pairing process requires a user enter a PIN number shown on the TV during when attempting to connect a mobile application. The PIN is limited to digits from 0000 to 9999. Due to the limited PIN space, it is possible to perform multiple successive pairing attempts using a fixed PIN number which will eventually result in the device pairing.

A threat actor that is able to successfully authenticate to the TV is able to issue commands such as controlling the remote control, launching TV shows, and modifying device settings.

Technical Details

The researcher used a script to make successive request to the two endpoints 'pairing/start', and 'pairing/pair'.

Launching the Pair Attack

Launching the pair attack

Due to the mitigations implemented by Vizio, the pairing process must be restarted after a small number of failed PIN requests. However, given the short pin length, the is a 1/10000 chance of guessing the correct PIN. Therefore, it is possible to perform the entire pairing procedure multiple times until the guessed PIN is used. During testing, brute force attempts averaged around 10 minutes.

Successful Pairing

Successful pairing

After serval minutes the guessed PIN number is used, resulting in a successfullydevice pairing. The API key is printed to console which can be used to controlfunctions on the TV.