Smart TVs Represent a Massive and Vulnerable Attack Surface

The proof-of-concept “red button” attack exploits a loophole in the Hybrid Broadcast Broadband TV (HbbTV) standard

Connected TVs are rapidly becoming popular devices in homes across mature consumer electronics markets and, as with anything else that’s exposed to the internet, they are poised to become a ripe attack vector for cybercriminals. The latest example is a proof-of-concept “red button” attack that exploits a loophole in the Hybrid Broadcast Broadband TV (HbbTV) standard, popular across Europe for smart TVs.

HbbTV allows broadcast streams to include embedded HTML content that is rendered by the television, for uses like targeted, personalized advertising and blended, interactive content that marries normal linear video feeds and content from the web. In addition to its very wide deployment in Europe (60 broadcasters already use it there), HbbTV has recently been adopted as part of the American digital television standard.

According to a report from Yossef Oren and Angelos Keromytis from the Network Security Lab at Columbia University, attackers can use a weakness in the standard and a cheap antenna to hijack smart TVs via radio signals, and from there perform a variety of nefarious tasks. For instance, they can interact with any website, even using credentials stored in the TV sets for accessing services such as social networks, webmail or e-commerce sites.

“This capability can be leveraged to perform traditional attack activities: perform click fraud, insert comment or voting spam, conduct reconnaissance (within each home network or against a remote target), launch local or remote denial of service attacks, and compromise other devices within the home network or even elsewhere,” the researchers explained in their paper on the flaws.

“Beyond these, the attacker can also control the content displayed on the TV, to craft phishing and other social engineering attacks that would be extremely convincing, especially for TV viewers who are educated to (and have no reason not to) trust their screens,” they added. “Finally, the attacker can use the broadcast medium to effectively distribute exploits that completely take over the TV set’s hardware.”

At the heart of it all is a well-known attack style – the man-in-the-middle attack. “This potential attack method isn't related specifically to the use of the red button on a TV remote specifically, but to any interaction with a smart TV,” explained David Emm, senior security researcher at Kaspersky Lab, in an email. “Such an attack would effectively be a ‘man in the middle’ attack, with hackers placing themselves between the consumer and the broadcaster and injecting their own, bogus information into the broadcast stream - for example, fake adverts and other content.”

He added that after hacking the radio signal, hackers in effect become the broadcaster, and even have the ability to hack into anything sent or received by the consumer.

The researchers said that most of these attacks require no user knowledge or consent – the victims are only required to keep watching their televisions – hence the term “red button attack.” But perhaps what’s most concerning is the fact that the attacks can be carried out at scale and without leaving clues behind as to what’s going on.

“The unique physical characteristics of the broadcast TV medium allow these attacks to be easily amplified to target tens of thousands of users, while remaining completely undetectable,” they said. “Remarkably, the attacker does not even require a source IP address.”

Emm elaborated, “Since it would involve hacking into the radio signal through the use of an antenna, it would be difficult to track down the attackers. It’s reminiscent of someone sniffing the traffic on a public Wi-Fi hotspot or setting up a fake one.”

The attack surface for the issue is potentially considerable: In France, 42% of households have a smart TV, compared with 40% in Turkey and Poland, 34% in Germany, 28% in Italy, 26% in Spain and the Netherlands, and 22% in the UK, according to Concentra Marketing Research. Advisory firm TDG, meanwhile, said that a quarter of households in the US have a smart TV.

“As more and more devices connect to the internet, it is their insecurity that is increasing the attack surface and the threats to our daily life,” said IOActive Labs CTO Cesar Cerrudo, in a note to Infosecurity. “Every day there is a new vulnerability on an 'Internet-of-Things' device and the everyday consumer's exposure to attacks will continue to increase and this won't stop.”

He added, “Vendors should invest more on security, through the development process and upwards, because if this does not happen soon, the attack surface will be so big that hacking someone will become trivial.”

Oren said the standards body that oversaw HbbTV had been told about the security loophole.
