Researchers discover a massive security flaw in smart TV’s that allow hackers to intercept data broadcasts, insert malicious code, and transform the TV into an antenna that infects all other Internet-connected devices in the household. Once the television is infected, it seeks out all other devices connected to the router.
The attacks are untraceable as no source IP address or DNS server is ever presented, instead, hackers perform a classic “man-in-the-middle” attack using radio transmissions. The hijacking, which was discovered by Yossef Oren and Angelos Keromytis from the Network Security Lab at Columbia University, can be accomplished with as little as a $250 antenna.
“For this attack you do not need an internet address, you do not need a server,” Oren told Forbes. “You just need a roof and an antenna and once you are done with your attack, there's completely no trace of you.”
Massive reach
A 1-watt amplifier could potentially infect an entire 1.4 kilometer area. Oren determined that a hacker possessing a drone outfitted with retransmission gear could hover the drone near a broadcasting tower and piggyback off its signal to infect the 70,000 Smart TVs in the area receiving the transmission.
The flaw is dubbed the “Red Button attack,” after the supposed red button that usually controls the TV’s smart features. The attack exploits the Hybrid Broadcast Broadband TV (HbbTB) standard, an up-and-coming Smart TV standard, or loophole, designed to help broadcasters insert individually tailored advertisements.
The most glaring security flaw is caused by the fact that content embedded in the HbbTV broadcast stream is not linked to a web server, making it virtually impossible to trace the source of the hack without positioning a vehicle-mounted antennas around the city to triangulate the rogue signal and zone-in on the hacker, but he/she will be long gone before any law enforcement can possibly arrive.
The mayhem it may causes
Exploiting HbbTV allows hackers to access any of the apps installed on the television so long as the user remains logged on.
1.) Hackers will be able to post messages on the user’s social networking sites
2.) Bombard a target website with data or log clicks
3.) Breach an unprotected router
4.) Scan for other devices connected to the router
5.) Display seemingly realistic on-screen notices asking for credit card information or log-in requests
6.) Cut off Internet access to all broadcast-deliver HTML content
Oren and Keromytis’ discovery will undoubtedly halt the wide adoption of Smart Television until the issue can be rectified. Currently, HbbTV is widespread in Europe and has just recently been added to the ATSC standards list that’s used in North America.
Oren has already presented the findings before the governing body overseeing the standard, but the body did not deem the threat series enough to re-evaluate the technology’s security. He suggests that one fix would be to prompt users with a button to confirm before an app launches on their TV, but he fears that advertisers will undoubtedly fight this.
Via WSJ
Advertisement
Learn more about Electronic Products Magazine
