Researcher: 90% Of 'Smart' TVs Can Be Compromised Remotely

from the internet-of-very-broken-things dept

So we've noted for some time how "smart" TVs, like most internet of things devices, have exposed countless users' privacy courtesy of some decidedly stupid privacy and security practices. Several times now smart TV manufacturers have been caught storing and transmitting personal user data unencrypted over the internet (including in some instances living room conversations). And in some instances, consumers are forced to eliminate useful features unless they agree to have their viewing and other data collected, stored and monetized via these incredible "advancements" in television technology.

As recent Wikileaks data revealed, the lack of security and privacy standards in this space has proven to be a field day for hackers and intelligence agencies alike.

And new data suggests that these televisions are even more susceptible to attack than previously thought. While the recent Samsung Smart TV vulnerabilities exposed by Wikileaks (aka Weeping Angel) required an in-person delivery of a malicious payload via USB drive, more distant, remote attacks are unsurprisingly also a problem. Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, recently revealed that around 90% of smart televisions are vulnerable to a remote attack using rogue DVB-T (Digital Video Broadcasting - Terrestrial) signals.

This attack leans heavily on Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable companies and set top manufacturers that helps integrate classic broadcast, IPTV, and broadband delivery systems. Using $50-$150 DVB-T transmitter equipment, an attacker can use this standard to exploit smart dumb television sets on a pretty intimidating scale, argues Scheel:

"By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city."

Scheel says he has developed two exploits that, when loaded in the TV's built-in browser, execute malicious code, and provide root access. Once compromised, these devices can be used for everything from DDoS attacks to surveillance. And because these devices are never really designed with consumer-friendly transparency in mind, users never have much of an understanding of what kind of traffic the television is sending and receiving, preventing them from noticing the device is compromised.

Scheel also notes that the uniformity of smart TV OS design (uniformly bad, notes a completely different researcher this week) and the lack of timely updates mean crafting exploits for multiple sets is relatively easy, and firmware updates can often take months or years to arrive. Oh, and did we mention these attacks are largely untraceable?:

"But the best feature of his attack, which makes his discovery extremely dangerous, is the fact that DVB-T, the transmission method for HbbTV commands, is a uni-directional signal, meaning data flows from the attacker to the victim only. This makes the attack traceable only if the attacker is caught transmitting the rogue HbbTV signal in real-time. According to Scheel, an attacker can activate his HbbTV transmitter for one minute, deliver the exploit, and then shut it off for good."

So yeah, that internet of broken things security we've spent the last few years mercilessly making fun of? It's significantly worse than anybody imagined.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: iot, malware, smart tv


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Ninja (profile), 7 Apr 2017 @ 6:38am

    One has to wonder why TVs have built in browsers. I'm kind of worried since my TV is smart even though I've never used such things and thus never updated the firmware (you can't really find dumb models anymore nowadays). The bright part is that it has no wireless connection, only an wired network port so at the very least it won't be doing anything funny if it's compromised. No, seriously, let the TVs do what they do best: convert signals into images. If I need anything smarter I have a plethora of much better devices to choose from. Yay for the INEPT?

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 7 Apr 2017 @ 6:47am

    Re:

    Newer versions of HDMI support ethernet but i'm not sure if that means an internet enabled device connected to a TV could share its internet connection, but it seems possible.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 7 Apr 2017 @ 6:52am

    "By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city."

    This sounds exactly like an IMSI catcher/stingray.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 7 Apr 2017 @ 7:00am

    I wonder how this applies to other computers that process OTA signals such as a TiVO, TV tuner hardware, or streaming server like Tvheadend. Even if these systems are airgapped it could infect client devices.

    link to this | view in thread ]

  5. identicon
    Jason, 7 Apr 2017 @ 7:25am

    By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city.

    I realize this is quoted from the linked article, but it's somewhat confusing.

    DVB-T is a broadcast standard, not a cable standard. I'm assuming "cable providers" in this context is meant to mean the broadcaster, then? After all, a transmitted signal on a nearby house wouldn't hijack the cable feed coming in to the TV.

    I don't know anything about the HbbTV systems being discussed, so I suppose it's possible that a broadcast signal could trick it into changing over from a cable signal, but it seems like that would be unlikely. (If you're watching XYZ network on cable, would a DBV-T signal claiming to be XYZ network win? That seems odd. And I'd be surprised if that was "stronger" than the signal off the cable, either way.)

    I don't mean to dismiss the implications of these kinds of flaws. I'm just not sure all of the relevant caveats have been accounted for.

    link to this | view in thread ]

  6. identicon
    me, 7 Apr 2017 @ 7:30am

    Re:

    Also, it should probably be "90% of smart tvs that support HbbTV" (which is an unknown number worldwide and 0 in the US) not "90% of smart tvs".

    link to this | view in thread ]

  7. icon
    JoeCool (profile), 7 Apr 2017 @ 7:57am

    Re: Re:

    It's not 0 in the US as it's testing in the US right now. And even if most places in the US don't take advantage of it, it's almost assuredly in the hardware of most smart TVs in the US. Remember that most TVs are made someplace else - someplace already using HbbTV.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 7 Apr 2017 @ 8:21am

    Re:

    if the TV only has wireless but that wireless has never set up, can this exploit remotely enable wireless? if so, pretty impressive and also very scary!

    link to this | view in thread ]

  9. identicon
    me, 7 Apr 2017 @ 9:36am

    Re: Re: Re:

    ATSC 3 is in testing which has an optional incompatible technology similar to HbbTV but there are no broadcasters using it yet and no TV's on sale that support it.

    Remember that most TVs are made someplace else - someplace already using HbbTV.

    Point me to a TV for sale at retail (not imported) in the US that supports DVB.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 7 Apr 2017 @ 10:13am

    Re:

    No, seriously, let the TVs do what they do best: convert signals into images.

    If the hardware or software is not designed properly, even that could be exploitable. (Software video decoders have a long history of vulnerabilities.) And if there's any persistent memory without hardware write-protection, malware could persist.

    I'd be interested to see a security analysis of a non-smart TV (like, can you send a bad signal to turn the receiving antenna into a transmitter, and turn the speaker into a microphone?-and can that persist between power cycles?).

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 7 Apr 2017 @ 10:28am

    Re: Re:

    should probably be "90% of smart tvs that support HbbTV"...not "90% of smart tvs".

    Or "100% of smart TVs, but we don't have the specific proof yet"?

    Maybe one day somebody will write a complex, provably bug-free, computer program. It's not going to happen in a non-safety-critical system like a TV first.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 7 Apr 2017 @ 10:35am

    Re:

    If you're watching XYZ network on cable, would a DBV-T signal claiming to be XYZ network win? That seems odd.

    I don't know the details of this standard, but certainly there were past standards that might have allowed such things. For example, some TVs would scan around for a station broadcasting an XDS clock signal. Program guides might be similar. Some TVs show station names; I wouldn't be surprised if they scan OTA broadcasts even when cable is used, so the names will be cached when you choose to watch from the antenna.

    There was talk in the past about TVs etc. doing over-the-air firmware updates. I hope it was just an idea and never implemented.

    link to this | view in thread ]

  13. icon
    JoeCool (profile), 7 Apr 2017 @ 11:09am

    Re: Re: Re: Re:

    They won't put it on the feature list, but it IS in the hardware and software. That's all handled by the processor in the TV anymore, not custom hardware. Or at least, very little custom hardware.

    link to this | view in thread ]

  14. identicon
    Babs, 7 Apr 2017 @ 11:21am

    Re:

    I recently bought a new TV and did have some trouble locating a decent-sized dumb one, but I finally found one. (And I mean one! It was the last one left.) I fear it will be much harder when this one inevitably dies in a couple years.

    link to this | view in thread ]

  15. icon
    ECA (profile), 7 Apr 2017 @ 11:58am

    90%??

    90% of SMART TV's are STUPID, and never updated..
    Get your OWN small computer, Roku, Anything ELSE..

    link to this | view in thread ]

  16. icon
    bwburke94 (profile), 7 Apr 2017 @ 2:08pm

    My real question is:

    Only 90%?

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 7 Apr 2017 @ 2:27pm

    Re:

    After all, a transmitted signal on a nearby house wouldn't hijack the cable feed coming in to the TV.

    It actually will. When I had (analog) cable, channel 11 was barely usable because there was a nearby VHF antenna transmitting on channel 11. The cable company would put garbage channels there, most recently the "TV Guide channel", and people would see the wireless channel 11 superimposed on it.

    Don't forget that DOCSIS cable modems transmit data into the cable system, and anyone on the same node can see that data. (It's encrypted, probably poorly. And factory-fresh modems will only transmit as authorized but people have hacked firmware before.)

    link to this | view in thread ]

  18. icon
    Chryss (profile), 7 Apr 2017 @ 3:43pm

    So, possibly a stupid question, but for those of us who aren't super technical:

    Let's say, in addition to turning off anything 'smart' in the menu options, I block my tv at the router level from accessing the net - does this help anything? Or are all of these exploits beyond my ability to mitigate? I'd avoid 'smart' altogether if finding 'dumb' wasn't becoming almost impossible.

    link to this | view in thread ]

  19. icon
    Miles (profile), 7 Apr 2017 @ 5:03pm

    Now all they need to do is integrate a smart TV to a smart vibrator to achieve IoT nirvana.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 7 Apr 2017 @ 11:07pm

    Throw out TV's
    - and routers and computers and IoT's and whatever electronics

    Borrow a paper printed book to read in the evening and enjoy the morning newspapers at breakfast!

    And then everybody will understand how odd you are and that you need to be kept an eye on.

    Can you escape supervision without being noticed for escaping supervision?

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 8 Apr 2017 @ 4:46am

    Re:

    looks like deliberate act on part of manufactures .

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 8 Apr 2017 @ 5:10am

    Re: Re:

    if you can configure the TV through that DVB exploit to automatically and continuously scan and connect to the first available unencrypted wifi internet connection. If there's no internet available then drop the connection and continue scanning.

    then, as soon as anyone in range sets up such a connection for internet access... your TV is already auto-connected to the internet and and is mining bitcoins.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 8 Apr 2017 @ 5:11am

    Re: Re: Re:

    *facepalm* ok.. i messed the first paragraph and there's no edit button, but you get my meaning.

    link to this | view in thread ]

  24. icon
    Mike Masnick (profile), 8 Apr 2017 @ 10:39pm

    Re:

    Let's say, in addition to turning off anything 'smart' in the menu options, I block my tv at the router level from accessing the net - does this help anything?

    Yes, that would stop many exploits that rely on hitting an exploit website over the network to get software. And would likely make it more difficult for any software that somehow did get on there to ever report back.

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 9 Apr 2017 @ 12:50pm

    And this is why we can't have "smart" televisions.

    link to this | view in thread ]

  26. icon
    Chryss (profile), 9 Apr 2017 @ 1:58pm

    Re: Re:

    Thanks, Mike!

    link to this | view in thread ]

  27. identicon
    Andrew D. Todd, 9 Apr 2017 @ 10:35pm

    How Does It Pick Up Signals Over The Air?

    Obviously, cable television is periodically re-amplified over the network, and there is no reason for believing that the signal would be drastically weaker for having come a few hundred miles. DOCSIS, that is, cable-based internet, would have dictated cutting the copper-based cable network up into smaller chunks, and connecting those chunks together with optical fiber. Once you have an optical fiber in place, its capacity is virtually unlimited, and I don't know whether the cable company would want to go on maintaining long-distance coaxial cable runs.

    Copper coaxial cable is not perfectly cylindrical. A very powerful transmitter, close to, might be able to inject a signal. It might be possible to design a two-piece coil which clamps together over coaxial cable, preferably bending the cable in the process, so as to push one copper element in one direction, and other copper element in the other direction. Alternatively, I can imagine a situation in which a badly-built broadcast transmitter might be transmitting a signal over the electric power wires, and these might run parallel to cable television cables for hundreds of feet, at a distance of six feet or so. Or the power thus transmitted might affect the power source of one of the cable company's internal amplifiers.

    I haven't had occasion to deal with broadcast or cable television for many years, and therefore have some rather dumb questions. A bit of looking-up on Amazon indicates that an inexpensive reception antennae for digital broadcast (~$30) has dimensions of 13 inches wide by 9 inches high, and is capable of being physically pointed in the direction of the transmitter. In short, it seems like a somewhat larger and more efficient version of the old UHF loop antennae. More expensive models appear to be designed to mount on the roof and rotate to the broadcast station's bearing. Do upscale smart televisions have built-in antennae? If not, would they not have to be plugged into an external antennae to pick up signals from the air?

    link to this | view in thread ]

  28. identicon
    Anonymous Coward, 10 Apr 2017 @ 7:55am

    Re: Re:

    You would have to plug your TV into a surround sound receiver that also supported Ethernet over the HDMI cable and that Receiver was plugged into the Internet. That would complete your wired Internet connection.

    It is almost Impossible to get a new TV these days without the so called Smart crap that's in them. I have a couple 50" Panasonic Plasma's without a single smart thing in them, but they're getting old. Still a great picture. But my Dad went out with my brother to get a new TV and came back with a Best Buy brand ROKU TV. It really is a ROKU with a screen attached. The Interface for the TV really just SUCKS!!! It was poky. The speakers were really bad.

    So I went with him and brought that junk back to a different Best Buy and picked out a little larger SONY TV. It was a little more money, but the picture was better and the sound 100 times better. The Smart stuff is there, but limited and you wouldn't know it's there unless you went out and tried accessing it, which he doesn't. I have a Tivo Mini and a AppleTV attached to it. That's all the Smarts it needs.

    Give me a dumb tv any day. I can attached a AppleTV, a ROKU, a Chromecast or whatever I want and Smarten it up. They're small enough that you can Velcro onto the back of the TV to be out of site if you want. Security is far better. These devices are supported far longer. Once a TV is sold, they don't give a crap about it any longer. They move on and your so called Smart TV gets more and more outdated.

    I just won't buy any of these so called Internet of Things devices as security suck. Really, the only one I would be Interested in is Apple's Homekit. That's because of the far better security and Encryption Apple uses. Of course it's a little more costly to use which is why most of these devices are just using the crap Internet of Things cheap junk instead.

    link to this | view in thread ]

  29. identicon
    Anonymous Coward, 10 Apr 2017 @ 9:33am

    Re: Re:

    And would likely make it more difficult for any software that somehow did get on there to ever report back.

    More difficult, but not necessarily difficult. If there's wifi it can jump on a neighbors network.

    link to this | view in thread ]

  30. icon
    Eldakka (profile), 10 Apr 2017 @ 5:15pm

    Re:

    Except that it's active broadcast only, unlike a IMSI catcher which can both send/broadcast and receive.

    link to this | view in thread ]

  31. icon
    Eldakka (profile), 10 Apr 2017 @ 5:26pm

    Re: Re: Re:

    And if the TV is connected to your LAN (for say streaming from other devices) it would also have to be on a separate VLAN (or entirely physically separate, but that'd make it hard to stream from other devices like a computer!), and the entire VLAN would have to be blocked from internet access.

    Because if you just use a plain old source IP block, the TV's IP, this attack could, in addition to activating any WiFi on the TV, change its IP address so an IP address block wouldn't work.

    link to this | view in thread ]

  32. icon
    Eldakka (profile), 10 Apr 2017 @ 5:44pm

    Re:

    Already happened (sorta): Wi-Fi sex toy with built-in camera fails penetration test

    So, since the vibrator contains a WiFi access point, the TV could connect to it, and stream pictures from the vibrator. So you could be using the vibrator, and have it streaming the video from its built-in camera onto the TV.

    So since the TV and the vibrator are both hackable, you could control the vibrator from the TV with the right hacked firmware, and vice-versa.

    Brings a twist (and thrust) to invasion of privacy!

    link to this | view in thread ]

  33. icon
    Chryss (profile), 10 Apr 2017 @ 6:48pm

    Re: Re: Re: Re:

    Right, my idea is just not to let it into the router at all and use a steamlink for any streaming.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.