Opening My Smart TV to the World

This year I moved into a new apartment and had to get a TV for the living room. I ultimately got this TCL Roku TV; my journey of getting it is a whole other story. I powered it on, selected my language and country, and then it was time to configure the network connection. Shoot.

You see, RIT gives students public IP addresses for everything besides mobile devices on the Wi-Fi. This is great for hosting content on my servers. It’s not so great when you want to connect an IoT device like an Amazon Echo, a test Raspberry Pi project, or a smart TV. I have plans to make a hidden Wi-Fi network using a Cisco access point behind a firewall and router to hopefully secure my devices better. Until then, I still need to watch Netflix. Reluctantly, I registered it with the university and got the green checkmark on the TV indicating I could connect to the internet (and the internet could connect to me).

But what exactly am I exposing to the internet? As soon as the setup was done, I headed to nmap on my laptop to see if the TV really was reachable. I started with a ping and eventually worked my way up to a banner grab of the only listening port, 9080.

[Image: NMAP Results]

From a quick search, it looks like a RESTful API that can be used to interact with the TV. It has legitimate uses, like the Roku mobile app, which can take control of the TV simply by putting in the IP address. It can also be used with Home Assistant to switch to your security camera feed when someone rings the doorbell (Source).
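As an added example (not part of the original post), here is a small Python check to run against a device you own: it reports which ports answer and what `Server` banner they return, mirroring the nmap banner grab described above. The function names, the local `_FakeTV` stand-in server and its version string are constructed for this example so that it runs offline.

```python
import http.server
import socket
import threading

def grab_http_banner(host, port, timeout=3.0):
    """Return the Server header from host:port, '' if absent, None if unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            # Read only the response headers, capped at 8 KiB.
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:  # refused, timed out, or no route: treat as not reachable
        return None
    for line in data.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return ""

def audit(host, ports):
    """Map each port to its banner; None means nothing answered on that port."""
    return {port: grab_http_banner(host, port) for port in ports}

class _FakeTV(http.server.BaseHTTPRequestHandler):
    # Constructed stand-in for the TV's web server; the version string is made up.
    server_version = "Mongoose/0.0-example"
    sys_version = ""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeTV)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    open_port = srv.server_address[1]
    probe = socket.socket()  # reserve, then release, a port nobody listens on
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    result = audit("127.0.0.1", [open_port, closed_port])
    srv.shutdown()
    srv.server_close()
    return result, open_port, closed_port

if __name__ == "__main__":
    print(demo()[0])
```

To audit a real device, call `audit()` with its address and the ports you expect to be closed as well as the one you found open, and run it from outside your own network segment to see what the internet sees.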

I had never heard of the Mongoose embedded web server before, so I decided to look it up on Shodan. There are currently 4,470 results. Many of them appear to be part of a “SpectrumAnalizer” project, Z-Wave Smart Home servers in Germany, or a simple site with an error message in a foreign language.

[Image: Mongoose Servers]

That’s all I have time for tonight. I’m excited to climb further down this rabbit hole and maybe find some other cool smart appliances on the internet.

Written on August 25, 2018