SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
30 Mar 2017

About 90% of smart TVs vulnerable to remote hacking via rogue TV signals

A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users.

The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks.

Until now, all smart TV exploits relied on attackers having physical access to the device, in order to plug in an USB that executes malicious code. Other attacks relied on social engineering, meaning attackers had to trick users into installing a malicious app on their TV. Even the mighty CIA developed a hacking tool named "Weeping Angel," which could take over Samsung smart TVs and turn them into spying devices. But despite its considerable human and financial resources, the CIA and its operators needed physical access to install Weeping Angel, which made it less likely to be used in mass attacks, and was only feasible if deployed on one target at a time, during carefully-planned operations.

Because of the many constraints that come with physical and social engineering attacks, Scheel didn't consider any of them as truly dangerous, and decided to create his own.

Scheel's attack is remote, no user interaction needed

Scheel's method, which he recently presented at a security conference, is different because the attacker can execute it from a remote location, without user interaction, and runs in the TV's background processes, meaning users won't notice when an attacker compromises their TVs.

The researcher told via email that he developed this technique without knowing about the CIA's Weeping Angel toolkit, which makes his work even more impressing. Furthermore, Scheel says that "about 90% of the TVs sold in the last years are potential victims of similar attacks," highlighting a major flaw in the infrastructure surrounding smart TVs all over the globe.

At the center of Scheel's attack is Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable providers and smart TV makers that "harmonizes" classic broadcast, IPTV, and broadband delivery systems. TV transmission signal technologies like DVB-T, DVB-C, or IPTV all support HbbTV. Scheel says that anyone can set up a custom DVB-T transmitter with equipment priced between $50-$150, and start broadcasting a DVB-T signal.

Rogue TV signals could deliver malicious HbbTV commands

By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city.

According to Scheel, the problem is that the HbbTV standard, carried by DVB-T signals and supported by all smart TVS, allows the sending of commands that tell smart TVs to access and load a website in the background. Knowing this, Scheel developed two exploits he hosted on his own website, which when loaded in the TV's built-in browser would execute malicious code, gain root access, and effectively take over the device.


 

For his first exploit, Scheel used CVE-2015-3090, which is one of the Flash zero-days leaked in the Hacking Team 2015 incident. After coding and successfully testing the exploit, Scheel realized that not all smart TV browsers come with the Flash Player plugin enabled by default.

Because of this, Scheel developed a second exploit, which exploited an older vulnerability in the Array.prototype.sort() JavaScript function, support by all browsers, even by those shipped with smart TVs. This second exploit allowed him to escalate access from the user's browser to the underlying smart TV firmware, doing the same thing as the first (Flash) attack, but without relying on the presence of the Flash plugin.

Attack is almost untraceable

Scheel says his attack benefits from the way the smart TV ecosystem has developed. The researcher is referring to the fact that there are much fewer smart TV models on the market and a much higher homogeneity between their operating systems, than compared with personal computers, meaning an attacker could target a wide range of TVs without having to create different versions of his exploit.

Furthermore, because delivering smart TV firmware updates isn't a streamlined process, security flaws remain in the wild for years, or in some cases, forever, despite the fact that TV vendors fixed issues many years before. But the best feature of his attack, which makes his discovery extremely dangerous, is the fact that DVB-T, the transmission method for HbbTV commands, is a uni-directional signal, meaning data flows from the attacker to the victim only.

This makes the attack traceable only if the attacker is caught transmitting the rogue HbbTV signal in real-time. According to Scheel, an attacker can activate his HbbTV transmitter for one minute, deliver the exploit, and then shut it off for good. Forensics experts investigating the hack would have no way of tracing back the attack to its source over DVB-T unless the attacker started broadcasting again.

It's almost impossible to clean infected smart TVs

Because the attack takes minutes to execute and the user doesn't notice anything, Scheel's discovery is a technique that's tailor-made for nation-state surveillance operations. The recent WikiLeaks revealed an active interest in hacking embedded (IoT) devices on the CIA's part.

In addition, any backdoors added through this method are almost impossible to remove, as the attacker could sabotage any firmware update mechanism and remain on the device until users got rid of their smart TVs. Furthermore, Scheel says factory reset operations didn't help for the devices he tested, and the backdoor he developed remained on the TVs.

The researcher says that such a backdoor could be used to run IoT DDoS botnets, use the smart TVs as relay points for attacks on enterprise networks, spy on users via the TV's microphone and camera, steal data stored on the TV, inject ads on the TV (sabotage competitors on the smart TV market), and many other actions.

In his presentation, Scheel says that he doesn’t understand the HbbTV security concept. "For me, it's really dangerous to use such an untrusted signal to do something really critical," the researcher said. "In website security, calling a different website would be classified as a vulnerability." But apparently not in smart TVs.

Attacks via DVB-C and IPTV are also possible

Scheel says he tested his attack with rogue HbbTV commands via DVB-T signals only, but, in theory, the attack should also work over DVB-C (Digital Video Broadcasting - Cable) and IPTV channels as well. The problem of sending rogue HbbTV commands is not anything new. According to Scheel, researchers from Columbia University spotted this issue in 2015, but they were largely ignored by the HbbTV Consortium because they did not include an exploit that hacked the smart TV, which would have guaranteed an adequate response.

The researcher has presented his attack at the EBU (European Broadcasting Union) Media Cyber Security Seminar held in Geneva, Switzerland, last month. A video of his presentation, which also includes demonstrations for both DVB-T attacks and proposed mitigations, is embedded below.

Tags:
information leaks USB
Source:
BleepingComputer
1725
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015