Researcher: 90% Of 'Smart' TVs Can Be Compromised Remotely
from the internet-of-very-broken-things dept
So we've noted for some time how "smart" TVs, like most internet of things devices, have exposed countless users' privacy courtesy of some decidedly stupid privacy and security practices. Several times now smart TV manufacturers have been caught storing and transmitting personal user data unencrypted over the internet (including in some instances living room conversations). And in some instances, consumers are forced to eliminate useful features unless they agree to have their viewing and other data collected, stored and monetized via these incredible "advancements" in television technology.
As recent Wikileaks data revealed, the lack of security and privacy standards in this space has proven to be a field day for hackers and intelligence agencies alike.
And new data suggests that these televisions are even more susceptible to attack than previously thought. While the recent Samsung Smart TV vulnerabilities exposed by Wikileaks (aka Weeping Angel) required an in-person delivery of a malicious payload via USB drive, more distant, remote attacks are unsurprisingly also a problem. Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, recently revealed that around 90% of smart televisions are vulnerable to a remote attack using rogue DVB-T (Digital Video Broadcasting - Terrestrial) signals.
This attack leans heavily on Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable companies and set top manufacturers that helps integrate classic broadcast, IPTV, and broadband delivery systems. Using $50-$150 DVB-T transmitter equipment, an attacker can use this standard to exploit smart dumb television sets on a pretty intimidating scale, argues Scheel:
"By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city."
Scheel says he has developed two exploits that, when loaded in the TV's built-in browser, execute malicious code, and provide root access. Once compromised, these devices can be used for everything from DDoS attacks to surveillance. And because these devices are never really designed with consumer-friendly transparency in mind, users never have much of an understanding of what kind of traffic the television is sending and receiving, preventing them from noticing the device is compromised.
Scheel also notes that the uniformity of smart TV OS design (uniformly bad, notes a completely different researcher this week) and the lack of timely updates mean crafting exploits for multiple sets is relatively easy, and firmware updates can often take months or years to arrive. Oh, and did we mention these attacks are largely untraceable?:
"But the best feature of his attack, which makes his discovery extremely dangerous, is the fact that DVB-T, the transmission method for HbbTV commands, is a uni-directional signal, meaning data flows from the attacker to the victim only. This makes the attack traceable only if the attacker is caught transmitting the rogue HbbTV signal in real-time. According to Scheel, an attacker can activate his HbbTV transmitter for one minute, deliver the exploit, and then shut it off for good."
So yeah, that internet of broken things security we've spent the last few years mercilessly making fun of? It's significantly worse than anybody imagined.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
This sounds exactly like an IMSI catcher/stingray.
[ link to this | view in thread ]
[ link to this | view in thread ]
I realize this is quoted from the linked article, but it's somewhat confusing.
DVB-T is a broadcast standard, not a cable standard. I'm assuming "cable providers" in this context is meant to mean the broadcaster, then? After all, a transmitted signal on a nearby house wouldn't hijack the cable feed coming in to the TV.
I don't know anything about the HbbTV systems being discussed, so I suppose it's possible that a broadcast signal could trick it into changing over from a cable signal, but it seems like that would be unlikely. (If you're watching XYZ network on cable, would a DBV-T signal claiming to be XYZ network win? That seems odd. And I'd be surprised if that was "stronger" than the signal off the cable, either way.)
I don't mean to dismiss the implications of these kinds of flaws. I'm just not sure all of the relevant caveats have been accounted for.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re:
ATSC 3 is in testing which has an optional incompatible technology similar to HbbTV but there are no broadcasters using it yet and no TV's on sale that support it.
Point me to a TV for sale at retail (not imported) in the US that supports DVB.
[ link to this | view in thread ]
Re:
If the hardware or software is not designed properly, even that could be exploitable. (Software video decoders have a long history of vulnerabilities.) And if there's any persistent memory without hardware write-protection, malware could persist.
I'd be interested to see a security analysis of a non-smart TV (like, can you send a bad signal to turn the receiving antenna into a transmitter, and turn the speaker into a microphone?-and can that persist between power cycles?).
[ link to this | view in thread ]
Re: Re:
Or "100% of smart TVs, but we don't have the specific proof yet"?
Maybe one day somebody will write a complex, provably bug-free, computer program. It's not going to happen in a non-safety-critical system like a TV first.
[ link to this | view in thread ]
Re:
I don't know the details of this standard, but certainly there were past standards that might have allowed such things. For example, some TVs would scan around for a station broadcasting an XDS clock signal. Program guides might be similar. Some TVs show station names; I wouldn't be surprised if they scan OTA broadcasts even when cable is used, so the names will be cached when you choose to watch from the antenna.
There was talk in the past about TVs etc. doing over-the-air firmware updates. I hope it was just an idea and never implemented.
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
90%??
Get your OWN small computer, Roku, Anything ELSE..
[ link to this | view in thread ]
My real question is:
[ link to this | view in thread ]
Re:
It actually will. When I had (analog) cable, channel 11 was barely usable because there was a nearby VHF antenna transmitting on channel 11. The cable company would put garbage channels there, most recently the "TV Guide channel", and people would see the wireless channel 11 superimposed on it.
Don't forget that DOCSIS cable modems transmit data into the cable system, and anyone on the same node can see that data. (It's encrypted, probably poorly. And factory-fresh modems will only transmit as authorized but people have hacked firmware before.)
[ link to this | view in thread ]
Let's say, in addition to turning off anything 'smart' in the menu options, I block my tv at the router level from accessing the net - does this help anything? Or are all of these exploits beyond my ability to mitigate? I'd avoid 'smart' altogether if finding 'dumb' wasn't becoming almost impossible.
[ link to this | view in thread ]
[ link to this | view in thread ]
- and routers and computers and IoT's and whatever electronics
Borrow a paper printed book to read in the evening and enjoy the morning newspapers at breakfast!
And then everybody will understand how odd you are and that you need to be kept an eye on.
Can you escape supervision without being noticed for escaping supervision?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
then, as soon as anyone in range sets up such a connection for internet access... your TV is already auto-connected to the internet and and is mining bitcoins.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re:
Let's say, in addition to turning off anything 'smart' in the menu options, I block my tv at the router level from accessing the net - does this help anything?
Yes, that would stop many exploits that rely on hitting an exploit website over the network to get software. And would likely make it more difficult for any software that somehow did get on there to ever report back.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
How Does It Pick Up Signals Over The Air?
Copper coaxial cable is not perfectly cylindrical. A very powerful transmitter, close to, might be able to inject a signal. It might be possible to design a two-piece coil which clamps together over coaxial cable, preferably bending the cable in the process, so as to push one copper element in one direction, and other copper element in the other direction. Alternatively, I can imagine a situation in which a badly-built broadcast transmitter might be transmitting a signal over the electric power wires, and these might run parallel to cable television cables for hundreds of feet, at a distance of six feet or so. Or the power thus transmitted might affect the power source of one of the cable company's internal amplifiers.
I haven't had occasion to deal with broadcast or cable television for many years, and therefore have some rather dumb questions. A bit of looking-up on Amazon indicates that an inexpensive reception antennae for digital broadcast (~$30) has dimensions of 13 inches wide by 9 inches high, and is capable of being physically pointed in the direction of the transmitter. In short, it seems like a somewhat larger and more efficient version of the old UHF loop antennae. More expensive models appear to be designed to mount on the roof and rotate to the broadcast station's bearing. Do upscale smart televisions have built-in antennae? If not, would they not have to be plugged into an external antennae to pick up signals from the air?
[ link to this | view in thread ]
Re: Re:
It is almost Impossible to get a new TV these days without the so called Smart crap that's in them. I have a couple 50" Panasonic Plasma's without a single smart thing in them, but they're getting old. Still a great picture. But my Dad went out with my brother to get a new TV and came back with a Best Buy brand ROKU TV. It really is a ROKU with a screen attached. The Interface for the TV really just SUCKS!!! It was poky. The speakers were really bad.
So I went with him and brought that junk back to a different Best Buy and picked out a little larger SONY TV. It was a little more money, but the picture was better and the sound 100 times better. The Smart stuff is there, but limited and you wouldn't know it's there unless you went out and tried accessing it, which he doesn't. I have a Tivo Mini and a AppleTV attached to it. That's all the Smarts it needs.
Give me a dumb tv any day. I can attached a AppleTV, a ROKU, a Chromecast or whatever I want and Smarten it up. They're small enough that you can Velcro onto the back of the TV to be out of site if you want. Security is far better. These devices are supported far longer. Once a TV is sold, they don't give a crap about it any longer. They move on and your so called Smart TV gets more and more outdated.
I just won't buy any of these so called Internet of Things devices as security suck. Really, the only one I would be Interested in is Apple's Homekit. That's because of the far better security and Encryption Apple uses. Of course it's a little more costly to use which is why most of these devices are just using the crap Internet of Things cheap junk instead.
[ link to this | view in thread ]
Re: Re:
More difficult, but not necessarily difficult. If there's wifi it can jump on a neighbors network.
[ link to this | view in thread ]
Re:
Except that it's active broadcast only, unlike a IMSI catcher which can both send/broadcast and receive.
[ link to this | view in thread ]
Re: Re: Re:
And if the TV is connected to your LAN (for say streaming from other devices) it would also have to be on a separate VLAN (or entirely physically separate, but that'd make it hard to stream from other devices like a computer!), and the entire VLAN would have to be blocked from internet access.
Because if you just use a plain old source IP block, the TV's IP, this attack could, in addition to activating any WiFi on the TV, change its IP address so an IP address block wouldn't work.
[ link to this | view in thread ]
Re:
Already happened (sorta): Wi-Fi sex toy with built-in camera fails penetration test
So, since the vibrator contains a WiFi access point, the TV could connect to it, and stream pictures from the vibrator. So you could be using the vibrator, and have it streaming the video from its built-in camera onto the TV.
So since the TV and the vibrator are both hackable, you could control the vibrator from the TV with the right hacked firmware, and vice-versa.
Brings a twist (and thrust) to invasion of privacy!
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]