Yossef Oren and Angelos Keromytis from the Network Security Lab at Columbia University have found that the so-called Smart TV could be hacked using a cheap antenna and broadcast messages, and relies on an insecurity in the Hybrid Broadcast-Broadband Television Standard (HbbTV), which now features on millions of internet-connected TVs after being introduced two years ago.
HbbTV has been adopted by more than 90 percent of TV set producers, according to research outfit GFK, and allows the approximate 60 broadcasters using the standard in Europe to add interactive HTML content to DVB cable, satellite or terrestrial signals. This means that viewers can use their favourite web services via TV apps, and allows advertisers to serve up relevant ads.
But writing in a new research paper published this week, Oren and Keromytis have detailed that the standard is vulnerable to a “large-scale exploitation technique” that is “remarkably difficult to detect”. It is low entry too – as a budget of just $270 would be enough to target around 20,000 devices.
The so-called “Red Button attack” allows a would-be hacker to intercept the sound, picture and accompanying data sent by the broadcaster using data packets, and then takeover apps on the TV or even launch attacks across the Internet. On Facebook, for example, the hacker could log in and post messages to the social network on the person's behalf.
"For this attack you do not need an internet address, you do not need a server," Oren told Forbes. "You just need a roof and an antenna and once you are done with your attack, there's completely no trace of you."
Oren added that the researchers told the DVB standards body about the security loophole in January, although the group has not reacted, as it does not think that the threat is serious enough to re-write the technology's security code.
The researchers say that it will affect future devices on HbbTV too: “While the impact of many of these attacks is exacerbated by poor implementation choices, for most attacks the core of the problem lies with the overall architecture, as defined in the specification itself.
“Thus, our findings are significantly broader than the specific devices that we used in our analysis; indeed, any future device that follows these specifications will contain the same vulnerabilities.”
David Emm, senior security researcher at Kaspersky Lab, said that this Man-in-the-Middle (MiTM) attack is nothing new.
“This potential attack method isn't related specifically to the use of the red button on a TV remote specifically, but to any interaction with a smart TV. Such an attack would effectively be a ‘man in the middle' attack, with hackers placing themselves between the consumer and the broadcaster and injecting their own, bogus information into the broadcast stream - for example, fake adverts and other content.
“After hacking the radio signal, hackers ‘become the broadcaster' and even have the ability to hack into anything sent or received by the consumer. One problem with such an attack is that, since it would involve hacking into the radio signal through the use of an antenna, it would be difficult to track down the attackers. It's reminiscent of someone sniffing the traffic on a public Wi-Fi hotspot or setting up a fake one.”
Emm also warned that the growing number of Internet-connected devices represents a risk to end users, as evidenced by a recent report from Spiceworks which indicates that while 86 percent of IT administrators believe that IoT will create security and privacy issues, only 59 percent are taking steps to protect themselves.
“Smart fridges, garage doors, car entertainment systems and electricity meters are all examples of new technology that all benefit from Internet connectivity, but the extension of technology in this way also brings the possibility of more cyber-attacks.”
IOActive Labs CTO Cesar Cerrudo – who recently published research on how to hack traffic control systems, added in a further email to SCMagazineUK.com.
"As more and more devices connect to the internet, it is their insecurity that is increasing the attack surface and the threats to our daily life. Every day there is a new vulnerability on an 'Internet-of-Things' device and the everyday consumer's exposure to attacks will continue to increase and this won't stop. Luckily security researchers are finding issues and trying to get them fixed but this is not nearly enough. Vendors should invest more on security, through the development process and upwards, because if this does not happen soon, the attack surface will be so big that hacking someone will become trivial."
Barry Coatesworth, CISO in the retail sector and industry advisory on cyber security, told SCMagazineUK.com that the attacks are not new.
"The red button attack against smart TV's shows just how vulnerable smart objects can be if adequate security is not included as part of the design. Attacks against smart TVs are not new; in 2010 Mocana Corporation published a report on how it was possible to send fake credit card forms to Smart TVs. Last year researchers in Germany also showed how a number of security weakness could allow such attacks as man-in-the-middle, watering holes or the ability to change what users watch on TVs.
"In the rush to get to market with smart devices, companies are ignoring security issues some are potentially very serious. As these devices expand their reach into society and pervade our everyday lives, they are going to become an attractive target for hackers, criminals and potential nation states. The risks are only going to increase."
This news won't come as a huge shock to an IT security industry still trying to comprehend what the Internet of Things (IoT) is, and what risks they represent, something that was discussed in-depth at last week's SC Congress London.
Gartner reports that there will be 26 billion Internet-connected devices in the world by 2020, with IDC optimistically putting this figure at 212 billion by the same time-frame.