A new digital television standard, called Hybrid Broadcast-Broadband Television (HbbTV), can be exploited by hackers to “invisibly” hijack Europeans’ smart TVs using radio frequency injection, according to research by Columbia University’s Network Security Lab.
By including HTML content into broadcast streams, HbbTV exposes a TV set to numerous security weaknesses. “Exploiting these vulnerabilities, an attacker can cause thousands of devices to interact with any website, even using any credentials stored in the TV sets for accessing services such as social networks, webmail or even e-commerce sites,” the study says.
Hackers can perform known attacks including “click-fraud, insert comment or voting spam, conduct reconnaissance, launch local or remote denial of service attacks, and compromise other devices within the home network or even elsewhere.” For instance, an intranet request forgery attack could compromise a user’s router or printer if it is reachable from the TV’s home network.
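The intranet request forgery risk comes from the fact that an app delivered in the broadcast stream runs inside the TV’s browser and can issue HTTP requests to anything on the home network. One defender-side control is a request policy enforced by the TV platform that refuses to route a broadcast-delivered app’s requests to private, loopback or link-local addresses and restricts them to the broadcaster’s own domains. The following Python is an added illustration of such a policy, not code from the Columbia paper or from the HbbTV specification; the hostnames, IP addresses and the `example-broadcaster.tv` allowlist are constructed, and it assumes the platform already resolved each hostname so the check can be run on the actual destination address rather than on the name.

```python
import ipaddress
from urllib.parse import urlsplit

# Address ranges a broadcast-delivered app should never be allowed to reach:
# RFC 1918 private space, loopback, link-local and their IPv6 counterparts.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def is_request_allowed(url, resolved_ip, broadcaster_domains):
    """Decide whether an HbbTV app request may leave the TV.

    url              -- the request the app is trying to make
    resolved_ip      -- the address the platform resolved the host to
                        (checking the address, not the name, also catches
                        a public hostname that points at a LAN address)
    broadcaster_domains -- domains the current broadcast is allowed to use
    Returns (allowed, reason).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "blocked: unsupported scheme"
    host = parts.hostname
    if host is None:
        return False, "blocked: no host in URL"

    # 1. Destination address must not be on the home network or the TV itself.
    ip = ipaddress.ip_address(resolved_ip)
    for net in BLOCKED_NETWORKS:
        if ip in net:
            return False, f"blocked: private or local destination {ip} in {net}"

    # 2. Host must belong to the broadcaster that delivered the app.
    in_allowlist = any(
        host == d or host.endswith("." + d) for d in broadcaster_domains
    )
    if not in_allowlist:
        return False, f"blocked: host {host} not in broadcaster allowlist"

    return True, "allowed"


# Constructed sample of requests an injected app might attempt, with the
# address each hostname would have resolved to (all values are made up).
SAMPLE_REQUESTS = [
    ("https://app.example-broadcaster.tv/app.html", "203.0.113.10"),  # legitimate
    ("http://192.168.1.1/cgi-bin/admin", "192.168.1.1"),               # home router
    ("http://printer.local/print", "192.168.1.50"),                    # LAN printer
    ("https://social.example.net/post", "198.51.100.7"),               # third-party site
    ("https://cdn.example-broadcaster.tv/x", "127.0.0.1"),             # name points at the TV
]

ALLOWED_DOMAINS = ["example-broadcaster.tv"]


def audit(requests=SAMPLE_REQUESTS, domains=ALLOWED_DOMAINS):
    """Run the policy over a batch of requests; returns [(url, allowed, reason)]."""
    return [(url, *is_request_allowed(url, ip, domains)) for url, ip in requests]


if __name__ == "__main__":
    for url, allowed, reason in audit():
        print(f"{'ALLOW' if allowed else 'DENY '} {url:48} {reason}")
```

Only the first request passes; the router and printer requests are stopped by the address check, the third-party site by the allowlist, and the last one shows why the decision has to be made on the resolved address: its hostname is on the allowlist, but it points at the TV itself.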
Other techniques include taking control of the viewer’s content to deliver phishing and social engineering scams, as well as distributing exploits to gain control of the TV hardware. For example, malicious HbbTV content can overlay the user’s regular TV program and ask for credit card information in exchange for access to restricted content.
Despite having basic software protection mechanisms, smart TVs have a long vulnerability-to-patch cycle, which leaves an attacker plenty of time to compromise the device, the study says.
“It was just a matter of time until this rapidly emerging technology caught hackers’ attention. Information delivered via television or radio broadcasts is perceived as true by most people and taken for granted. Imagine an attacker able to inject a fake piece of news in thousands of homes: this would cause massive havoc on the streets. While technology helps us communicate faster and more effectively, it is important to build it with security in mind,” says Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender.
The researchers note that attacks can run in the background, without the user’s knowledge, and can be amplified to affect thousands of TV sets. They also say that an attacker cannot be identified through IP or DNS transactions.
The paper was presented to members of HbbTV Technical Group but the group did not find the seriousness of the threats to be “sufficient to merit changes.”
Hybrid Broadcast Broadband Television was introduced by the Digital Video Broadcasting (DVB) Project in 2010 and enables a TV set to display digital television content from different sources, such as traditional broadcast TV, the Internet, and connected devices in the home.