In fact, connected TVs are vulnerable to everything from Java exploits to Bitcoin mining to being completely hijacked, according to security researcher Martin Herfurt, who recently bought a smart TV and decided to take a look at the security situation. The Germany-based Herfurt also has access to a feature called HbbTV, which is the European standard for delivering hybrid TV experiences, which allows pay-TV operators to combine online apps and content with linear broadcast capabilities within branded portals of interactive content. HbbTV exacerbates the issue, he said.
Outlining the scope of the problem (and it’s wide), Herfurt didn’t pull any punches: “Connecting HbbTV-capable smart TVs to the home network is dangerous,” he noted. “Possibly malicious content is accessed and executed by the television when a user switches to an HbbTV enabled channel. So-called entertainment providers which provide content via HbbTV can be compromised by attackers or could be providing malicious content themselves that might lead to various attacks.”
He added, “Clearly, TV manufacturers seem to lack IT security know-how and have to learn from other industries in order to succeed…IMHO, it is just a matter of time before the attacks are spotted in the wild.”
It’s potentially a big problem: The connected TV phenomenon is on the rise. IHS iSuppli forecasts that smart TV shipments climbed 27% in 2012 to reach 66 million units. By 2015, the smart TVs will make up 55% of the market, with global shipments climbing to 141 million units.
Herfurt pointed out that the TV’s relationship to HTML content immediately bears a deeper look. For one, the interactive program and apps guide that pops up when users press a certain button on the remote is actually a semi-transparent HTML layer that overlays the broadcast TV picture, and is in most cases retrieved from a specific web server.
“So technically, the connected TV becomes visible to the broadcast station without notification of the user or the consent of the TV user,” he said. “The moment the red button hint is displayed on the TV screen, the user’s privacy is possibly breached.”
Then there’s the integrated web browser to worry about. The TV’s browser component is able to display HTML content and to execute Javascript code. In the case of his own Samsung ES7000, the TV’s browser component is also WebKit 1.1 compatible. “Accessing the OIPF-objects from a Javascript context, information like the station list and other device specific information can be accessed,” he said. That gives hackers a foothold, and, in turn, provides a wide range of attack vectors.
Wi-Fi eavesdropping is one threat. It is possible to find out the neighbors’ TV watching preferences by monitoring wireless network traffic. Based on the lengths of the packets and the MAC addresses of the different devices, attackers are able to gather this kind of information even if the Wi-Fi access point uses WPA encryption.
There are also content attacks that are possible, which essentially allow a hacker to hijack the TV and show whatever they want.
Content is requested by the smart TV at the time the user changes the channel. Attackers can inject content into a streams content carousel, specifying URLs to send content to the TV. Or, they could manipulate DNS servers in order to make the URLs within the DVB stream resolve to servers with their content.
Also, “since none of the observed stations is using a SSL secured connections, attackers can perform man-in-the-middle attacks and replace the original content by their content,” Herfurt warned. “Even if SSL was in use, not all TVs would prevent the user from accessing the content.”
Watering hole attacks are another danger: attackers can compromise the original source of the delivered content in order to replace the original content with their content. In the process of scanning some of the station’s servers, poorly configured servers using outdated software versions were identified.
And, once attackers managed to redirect the HTTP requests of the TV to controlled sources, many different HTML-Javascript-based attacks become possible, like Bitcoin mining.
“Exemplarily for abusing foreign CPU power, attackers could use the TVs of many people for Bitcoin mining using the Javascript-based BitcoinPlus miner for websites,” Herfurt said.
Hackers also can use Javascript programs to access device specific information such as channel lists, recording capabilities, parental control settings and personal information, such as the user’s favorite channel list.
Worst of all, not only the TV is the target of possible attacks but also other networked devices in the user’s home network. “Using a timing-based approach, attackers are able to scan the user’s home network from the TV for other devices that are behind the user’s firewall and would not directly be visible from the internet,” Herfurt said. “This could be used for user profiling and for finding further attack targets.”
To avoid a rash of TV p0wning, there are mitigation tactics that TV manufacturers could implement – although they aren’t foolproof.
“The software of currently available HbbTV devices lacks the possibility to configure security settings as might be done in decent browsers,” Herfurt said. “At the moment, the TV user has to trust the entertainment provider/broadcast station a lot….TV manufacturers have to implement mechanisms that allow the user to control the TV’s HbbTV functionality. Allowing users to whitelist trusted channels would solve at least some of the issues.”
Herfurt isn't alone in researching this: In December ReVuln found a vulnerability in Samsung TVs that would allow hackers to gain eyes and ears inside the living room via the living-room set.