Stop networking, dear Samsung TV

Posted on December 10, 2017 in Phyks • 5 min read

Yesterday, I noticed some ads for upcoming Amazon Prime TV shows have appeared on my Samsung “smart” TV (Series 6). Apparently, they are provided by a preinstalled app called “Tv Plus”, developed by Rakuten Group, which I cannot uninstall. I cannot uninstall other preinstalled apps either, such as Netflix.

I really don’t like paying for an expensive smart TV and getting ads on it, so I investigated a bit, trying to find a way to shut them down. Here are my findings.

My first idea was to simply run mitmproxy on my laptop and find out what was going on on the TV. Unfortunately, no matter how smart the TV is, there is no way to set proxy settings, and I did not want to look for a workaround for too long. So I simply connected my TV to the Ethernet port on my laptop and created a bridge with the WiFi interface to monitor what was going on with Wireshark, using this script.

I discovered that, even when the TV was shut down (or at least seemed to be), it was making several queries per minute to a bunch of servers! Here is a quick list of servers contacted at least once per minute for about 15 mins:

ads.samsungads.com
samsungads.com
gpm.samsungqbe.com
osb.samsungqbe.com
osb-apps.samsungqbe.com
osb-eusvc.samsungqbe.com
cdn.samsungcloudsolution.com
musicid.samsungcloudsolution.com
notice.samsungcloudsolution.com
noticecdn.samsungcloudsolution.com
time.samsungcloudsolution.com
lcprd2.samsungcloudsolution.net
configprd.samsungcloudsolution.net
otnprd8.samsungcloudsolution.net
otnprd9.samsungcloudsolution.net
otn.samsungcloudcdn.com
samsungotn.net
www.samsungotn.net
prod-kami.wuaki.tv
prod-tvplus-pmd.akamai.cdn.wuaki.tv
netflix.com
api-global.geo.netflix.com
many other *.netflix.com

Wow, that’s a lot! Besides Samsung domains, it contacts netflix.com at least once per minute (WTF, I don’t even have a Netflix account…) and wuaki.tv, which is owned by Rakuten Group.

Then, I set up my local resolver to resolve all these domains to 127.0.0.1, and the ads went away! Or so I thought…

Two major things happened at this point:

1. First, the TV started contacting log-ingestion-eu.samsungacr.com, probably some crash-reporting endpoint to notify Samsung about not being able to contact other domains anymore. That’s not a big deal, one should just include it as well in the local resolver config.
2. Second, and more concerning, the TV started contacting 8.8.8.8 (yes, Google Public DNS…) because I was blocking requests through my DNS resolver. This seems to be hardcoded and to be a fallback whenever the DNS resolver is not responding with what the TV expects.

My ISP router (Freebox Mini) does not let me add static routes to block 8.8.8.8. The TV is behind an OpenWRT bridge (without routing, as it is a pain to configure to let DLNA pass through), and bridges can’t filter at the L3 level (apparently, it could be possible with ebtables, but I could not get it working).

In the end, a quick and dirty solution was to make the local resolver return the IP address of a local webserver I control, which would answer any request, and the number of DNS queries to 8.8.8.8 dropped. That’s not perfect and it still makes some queries, but at least I no longer have ads.

Finally, the TL;DR is: Your Samsung TV is contacting a LOT of domains, even when it is offline. My Unbound config which helped me get rid of the ads is:

# TV starts querying for eth0 domain, WTF? This is just to prevent unnecessary
# traffic upstream.
local-zone: "eth0" redirect
local-data: "eth0 86400 IN AAAA ::1"

local-zone: "samsungads.com" redirect
local-data: "samsungads.com 86400 IN A 192.168.0.1"
local-data: "samsungads.com 86400 IN AAAA ::1"

local-zone: "samsungqbe.com" redirect
local-data: "samsungqbe.com 86400 IN A 192.168.0.1"
local-data: "samsungqbe.com 86400 IN AAAA ::1"

local-zone: "samsungacr.com" redirect
local-data: "samsungacr.com 86400 IN A 192.168.0.1"
local-data: "samsungacr.com 86400 IN AAAA ::1"

local-zone: "samsungcloudsolution.com" redirect
local-data: "samsungcloudsolution.com 86400 IN A 192.168.0.1"
local-data: "samsungcloudsolution.com 86400 IN AAAA ::1"

local-zone: "samsungcloudsolution.net" redirect
local-data: "samsungcloudsolution.net 86400 IN A 192.168.0.1"
local-data: "samsungcloudsolution.net 86400 IN AAAA ::1"

local-zone: "samsungcloudcdn.com" redirect
local-data: "samsungcloudcdn.com 86400 IN A 192.168.0.1"
local-data: "samsungcloudcdn.com 86400 IN AAAA ::1"

local-zone: "samsungotn.net" redirect
local-data: "samsungotn.net 86400 IN A 192.168.0.1"
local-data: "samsungotn.net 86400 IN AAAA ::1"

local-zone: "wuaki.tv" redirect
local-data: "wuaki.tv 86400 IN A 192.168.0.1"
local-data: "wuaki.tv 86400 IN AAAA ::1"

# This trick with TV_IP and local-zone-override is here to block Netflix only
# on TV, in case other computers on my network want to use Netflix. TV has to
# get a static DHCP lease.
local-zone: "netflix.com" always_transparent
local-data: "netflix.com 86400 IN A 192.168.0.1"
local-data: "netflix.com 86400 IN AAAA ::1"
local-zone-override: "netflix.com" TV_IP redirect

where 192.168.0.1 is a webserver answering any request.

  • It still makes some API calls to Samsung domains, by resolving through 8.8.8.8, but it is a pain to block in my setup. If you happen to have some ideas, I’m really interested! (Or I might simply buy a router…)
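To measure what still leaks through the hard-coded 8.8.8.8 fallback and to regenerate the redirect stanzas from a capture, here is an added example (not part of the original post). The resolver address, the TV address and the sample rows are constructed assumptions, and the zone is taken naively as the last two labels of the queried name.

```python
from collections import Counter, defaultdict

LOCAL_RESOLVER = "192.168.0.2"   # assumption: address of the Unbound instance
TV_IP = "192.168.0.42"           # assumption: the TV's static DHCP lease

# Constructed sample, in the tab-separated shape produced by:
#   tshark -r tv.pcap -Y "dns.flags.response == 0" -T fields \
#          -e frame.time_epoch -e ip.src -e ip.dst -e dns.qry.name
SAMPLE = """\
1512900000.1\t192.168.0.42\t192.168.0.2\tads.samsungads.com
1512900004.7\t192.168.0.42\t192.168.0.2\tosb.samsungqbe.com
1512900010.2\t192.168.0.42\t8.8.8.8\tlog-ingestion-eu.samsungacr.com
1512900031.9\t192.168.0.42\t192.168.0.2\tprod-kami.wuaki.tv
1512900062.0\t192.168.0.42\t8.8.8.8\tads.samsungads.com
1512900065.3\t192.168.0.7\t192.168.0.2\tapi-global.geo.netflix.com
"""

def zone_of(qname):
    """Naive parent zone: the last two labels (enough for .com/.net/.tv names)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyse(lines, device=TV_IP, resolver=LOCAL_RESOLVER):
    """Return (queries per zone, zones looked up via a resolver other than ours)."""
    per_zone, bypass = Counter(), defaultdict(set)
    for line in lines.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed rows
        _, src, dst, qname = fields
        if src != device or not qname:
            continue  # keep only queries sent by the device under observation
        zone = zone_of(qname)
        per_zone[zone] += 1
        if dst != resolver:
            bypass[dst].add(zone)  # query went around the local resolver
    return per_zone, dict(bypass)

def unbound_block(zone, sink="192.168.0.1"):
    """Emit a redirect stanza in the same form as the config above."""
    return (f'local-zone: "{zone}" redirect\n'
            f'local-data: "{zone} 86400 IN A {sink}"\n'
            f'local-data: "{zone} 86400 IN AAAA ::1"\n')

if __name__ == "__main__":
    per_zone, bypass = analyse(SAMPLE)
    for dst, zones in bypass.items():
        print(f"# bypassing local resolver via {dst}: {sorted(zones)}")
    print("\n".join(unbound_block(z) for z in sorted(per_zone)))
```

Any zone listed under a resolver other than the local one is still being resolved despite the Unbound redirect, which is the traffic that needs an L3 filter rather than a DNS one.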

Note: Of course, one of the obvious things to do would be to simply not connect the TV to the network. But then, there is no point in having a smart TV… (and stuff such as UPnP/DLNA streaming is very convenient, I don’t want to lose it). Another option would be to simply let it access the local network and not the internet, but my boyfriend sometimes watches YouTube and web services directly on the TV, so whatever solution I could come up with should leave these features intact.

Note: These API calls made by the TV might be legit. Still, blocking them did not result in any loss of functionality so far (besides maybe auto-update). They are all encrypted and I did not set up a mitmproxy to check what actual data was sent. If anyone has a simple idea to set it up quickly when the other device doesn’t let us set proxy settings, I’m more than interested :)

Update: I tried to sniff the queries with mitmproxy used as a transparent proxy, but there is no way to make the TV trust the mitmproxy certificate, so it does not seem to be feasible (the TV drops connections when it realizes that the certificate is invalid).

Update: Actually, it is quite simple to set up OpenWRT to let it pass DLNA content from WAN to LAN (see the wiki). Basically, you have to install kmod-bridge and igmpproxy, and follow the wiki part on igmpproxy to set it up. Don’t forget to disable multicast_snooping if you want WiFi clients from your router to be able to broadcast to wired clients (otherwise only wired clients can stream, apparently). In the end, it works great and I can isolate the TV :) Then, it is better to simply use 127.0.0.1 rather than redirecting to a catchall webserver.

Update: I discovered that the apps on the TV can actually run in the background, and it appears there is no way to close them. So, if you open Netflix once, even without connecting, the Netflix app will stay in the background, and this is the reason why I had so many requests to Netflix. It seems that after some time the app will close and the TV will no longer make such requests.