Researchers at Columbia University have published research showing how new technology that combines broadband and broadcast content could enable a wide range of traditional and novel cyber attacks on smart televisions and other devices: forcing them to interact with malicious web pages, harvesting credentials or carrying out denial of service attacks.
The paper, published in May, explores potential attacks on combined broadcast-broadband devices that use an industry specification called Hybrid Broadcast-Broadband Television (HbbTV). According to the researchers, Yossef Oren and Angelos D. Keromytis, the HbbTV specification combines broadband technologies like HTML and broadcast features in an insecure manner. The vulnerabilities affect a wide range of smart entertainment devices, including smart televisions, in Europe and the United States.
“This enables a large-scale exploitation technique with a localized geographical footprint based on radio frequency (RF) injection, which requires a minimal budget and infrastructure and is remarkably difficult to detect,” the researchers write. “The technical complexity and required budget are low, making this attack practical and realistic, especially in areas with high population density – in a dense urban area, an attacker with a budget of about $450 can target more than 20,000 devices in a single attack.”
HbbTV enables a wide range of interactive applications that can be bundled with traditional broadcast content. For example, broadcasters can create “autostart” applications that launch when a HbbTV-compliant television is tuned to a specific channel, then closed when the set switches to another channel.
The root of the problem is what the researchers describe as a “problematic security model” for rendering embedded web content on HbbTV devices. Specifically: the standard violates the web’s Same-Origin Policy, which dictates that a piece of web content from one source (a web host) can’t interfere with the operation of content from another source. HbbTV content that is embedded in a broadcast data stream has no origin information attached to it. To address that limitation, the specification allows broadcasters to define their own web origin for that content.
“The security implications of this design decision are staggering,” the researchers argue. “Allowing the broadcast provider control over the purported origin of the embedded web content effectively lets a malicious broadcaster inject any script of his choice into any website of his choice.”
To demonstrate how that failing might be exploited, the researchers designed a proof of concept attack involving a malicious autostart broadcast application that delivers a malicious Javascript payload over HbbTV. The script forces multiple HbbTVs to visit an online rating site and leave a favorable review of a restaurant.
In another example, the researchers described how the HbbTV vulnerability could be used to launch a large scale attack using a television broadcast to deliver a malicious HbbTV application. The researchers claim that legitimate digital TV content could be downloaded, modified to include the malicious content, then re-transmitted to compliant devices in a specific geographic area.
The security of devices like smart televisions is a growing area of concern. To date, however, most of the issues raised with such devices have focused on the vulnerability of underlying firmware, and the susceptibility of individual units to traditional network based attacks. The research from Columbia is novel in proposing attacks via traditional broadcast medium that could infect thousands or hundreds of thousands of devices at once.
