‘Red Button’ Attack Could Compromise Some Smart TVs

A vulnerability in an emerging interactive television standard could open up number of smart TVs to untraceable drive-by attacks.

A vulnerability in an emerging interactive television standard could expose smart TVs to untraceable drive-by hacking attacks that could steal personal information and wreak havoc on televisions and anything connected to them.

The feature, HbbTV, Hybrid Broadcast Broadband Television was introduced by the Digital Video Broadcasting conglomerate in 2010 and essentially allows broadcasts to render embedded HTML in smart TVs using a specially enhanced web runtime.

The feature, usually launched when users hit a red button on their remote control, is largely deployed in Europe and is only just beginning to be introduced in the U.S.

That hasn’t stopped two researchers with Columbia University’s Network Security Lab from warning about its potential dangers. The two researchers, Yossef Oren and Angelos D. Kerymytis, discovered that attackers could hijack pretty much any smart TV that uses the feature just by getting a viewer to stumble upon a compromised channel.

If executed correctly, the attacks, nicknamed “red button attacks”, can transpire without the users’ knowledge and run in the background without even disrupting the channel’s feed.

“All of these attacks take place without the user’s knowledge or consent, requiring the user to do nothing more than keep his TV turned on and tuned to his favorite channel,” the two claim.

The attacks vary from local vulnerabilities to large-scale distributed exploits, some which are obviously easier to carry out, some which are more difficult.

According to Oren and Kerymytis, distributed denial of service attacks, unauthenticated request forgeries, authenticated request forgeries, intranet request forgeries, phishing, along with phishing attacks and social engineering scams are just a few of the attacks possible.

An intranet request forgery attack for example could wind up compromising a users’ router or printer if it were connected to the TV. An unauthenticated request forgery attack meanwhile could allow an attacker to weasel his or her way into a users’ Facebook or webmail account.

The two penned a comprehensive paper, “From the Aether to the Ethernet – Attacking the Internet using Broadcast Digital Television,” about the vulnerability last month and are slated to present their work in an Attacks and Transparency panel at USENIX’s 23rd Security Symposium in August.

Oren and Kerymytis presented their attack to the HbbTV Technical Group in December to warn them of the vulnerabilities, yet the group “did not consider the impact or severity” to be “sufficient to merit changes.”

Instead the group had two criticisms, one – that it’d be hard for an attack to reach a large number of systems and two – that Smart TVs have a very limited attack surface, meaning that attacks wouldn’t be cost-effective.

The duo claims the paper, although published several months later, should address those concerns.

In one particular scenario in the paper Oren and Kerymytis discuss installing equipment that would carry out the attack onto a drone and flying it to an appropriate location to increase its effectiveness and curb the likeliness of the attacker getting caught.

The duo points out that attackers could coordinate an untraceable attack in a high density area with just about $450 and target more than 20,000 devices in one fell swoop.

If attackers were able to create some sort of digital terrestrial television transmitter, on top of a drone, the paper notes they could go sight unseen, leaving “no trace of his activities in the form of IP or DNS transactions.”

In another scenario the two discuss how easily some targets in New York City could be to attack, including towers that belong to channels like the Home Shopping Network, along with stations like CBS, NBA, Fox and Telemundo.

The root of the problem lies in the insecure combination of broadband and broadcast systems. Something that opens systems in a locally contained area up to a series of radio frequency injection attacks in which internet content whose source is outside the internet is rendered.

“The attacks are of high significance, not only because of the very large amount of devices which are vulnerable to them, but because they exemplify the complexity of securing systems-of-systems which combine both Internet and non-Internet interfaces.”

U.S. smart TV owners probably shouldn’t get worried about the attack vector anytime soon though. It’s not even clear at this point how well the nation will embrace HbbTV, if at all. Additionally, attackers would need to create a signal that’s stronger than the original TV tower’s signal and direct it towards its target, something that’s easier said than done.

Regardless, the attack should still be a ringing reminder of how susceptible internet-connected devices can be to malware and other attacks.

Earlier this year, security researchers with the firm ReVuln disclosed a vulnerability in Miracast, a WiFi feature present in Philips’ internet-enabled Smart TVs. That bug – until it was fixed – could have let anyone within range of the device’s WiFi adapter steal cookies, browse the internet or cause other shenanigans.

Suggested articles