Researcher Says 9 in 10 Smart TVs Vulnerable to Broadcast-based Attacks

In-brief: a security researcher demonstrated a broadcast-based attacks on smart televisions, almost three years after a similar demonstration by researchers at Columbia. More than 90 percent of smart TVs may be vulnerable – but carrying out an attack may be challenging. 

A security researcher at the German firm Oneconsult has demonstrated a method for hacking smart televisions using attacks buried in rogue broadcasts, and warns that many brands of the devices may be vulnerable.

Rafael Scheel of OneConsult said that up to 90% of smart television sets sold today are vulnerable to exploits that use Hybrid Broadcast Broadband TV (HbbTV). An attacker equipped with an inexpensive DVB-T transmitter could remotely compromise smart TVs within its broadcast range, forcing TVs to load a malicious website in the background that could be used to install a malicious software program.

However, another researcher who has worked on smart television security cautions that broadcast based attacks using HbbTV are harder to make work than it would seem, while low hanging fruit in the form of  network-based exploits of smart televisions are there for the taking.

HbbTV is an industry standard supported by most cable providers and smart TV makers that “harmonizes” classic broadcast, IPTV, and broadband delivery systems. An attacker who set up a rogue television transmitter. DVB-T, or Digital Video Broadcasting – Terrestrial, is a EU-based standard for broadcasting compressed audio, digital video and other data.

Scheel presented his research at the European Broadcasting Union (EBU) Media Cyber Security Seminar on March 22, demonstrating how a rogue DVB-T broadcast could be used to force the embedded web browser on a vulnerable smart set to load a malicious web page.

 

Poor design and security practices often make smart televisions easy targets. But getting access to the devices is a challenge. The malicious application route is one option – making smart televisions similar to mobile phones. However, users are much less apt to download and install smart TV apps than smart phone applications, making that attack vector even more challenging.  Use of the web browser on TVs is even more rare. The CIA tool, dubbed “Weeping Angel,” relied on physical access to the target TV to plug-in a malicious USB stick that contained the malicious software.

Scheel said he wanted to find a way to target a wide range of smart TVs, and doing so remotely. His solution was an exploit for the mobile browser running on smart televisions using known vulnerabilities. The HbbTV-based attack method allows an attacker to send a browser exploit to the device and have it run in the background, without requiring user interaction. HbbTV is also “on” by default in most TVs, he said.
“The call works in the background. As long as the site doesn’t want to show itself, it remains completely hidden,” he said.

He is not the first to point to security issues in the HbbTV standard. In 2014, Yossef Oren and Angelos Keromytis of the Network Security Lab at Columbia University, demonstrated a similar HbbTV attack against smart TV sets. However, the fact that HbbTV attacks are still a problem with even late-model sets suggests that calls for security improvements to the standard have gone unheeded by the HbbTV consortium, which manages the standard, said Craig Young, a principle researcher at the firm Tripwire.

Fixes like “whitelisting” features that would limit what stations could be received by smart television sets, or support for SSL and other authentication technologies are an option, but have not been embraced, he said. “It’s a real concern given that these televisions have much more computing power.”

That said, Young cautions that there are limits to HbbTV attacks that make them challenging to carry off. For one thing, smart televisions targeted in such attacks would need to be tuned to a terrestrial broadcast in order to pick up and receive the pirate HbbTV broadcast carrying the attack. Televisions that are streaming video from Netflix or tuned to a cable TV station would not be susceptible.
Second, Young notes that an attacker would still need to craft an exploit for the specific make and model of the television she was attacking. That requires foreknowledge of the target and limits the scope of any broadcast attack. While it’s possible that a very skilled exploit writer could craft an exploit that worked across makes and models of smart TV, that would be a very high bar to clear.
Much more likely are network based attacks on smart televisions that are launched from other compromised devices on the same wired or wireless environment, Young said. IP layer attacks, where someone connects to the television through the network and compromises the embedded web browser are far easier to carry out. And, given the spotty record of smart TV makers of patching their platforms, such an attack is likely to work, he said.
Internet-connected smart television sets are a growing concern. The devices are popular – more than 200 million have been sold globally. Under the hood, many are indistinguishable from general purpose computing devices. Many run variants of the Linux operating system and support third-party applications. They are typically equipped with storage, memory, microphones and even cameras.
The devices are also long-lived. “The problems we create ourselves today will be there in six or ten years,” Scheel said at the event. “That’s something unique. And not all the problems can be patched away.”
There have been a number of demonstrations and public reports of attacks on smart TV platforms. Last y ear, Researchers at Pen Test Partners adapted an Android snooping application to run on the Sony Bravia, a smart television set that runs on the Android mobile operating system. Words captured by a mic attached to the TV were rendered as text and sent to a remote laptop. You can see the whole setup in action in this YouTube video.
In December, Twitter user Darren Cauthon of Olathe, Kansas became an Internet sensation for showing a relative’s LG smart TV on December 25th crippled by Android ransomware. And, in March, the web site WikiLeaks on Tuesday published thousands of documents that it claims are hacking tools developed and used by the U.S. Central Intelligence Agencies to spy on and surveil targets. Among the targets were Samsung smart TVs.