Smart TVs Rely on Vulnerable Technology, Insecure Code

Research shows smart TVs can be compromised remotely without user interaction, and the origin of the attack can be next to impossible to determine. Underlying the issues are a new technology supported by almost 90% of sets sold in recent years and programming without an eye to security.

Senior Penetration Tester Rafael Scheel demonstrated at the European Broadcasting Union security conference in February how a smart TV can be hijacked by taking advantage of HbbTV (Hybrid Broadcast Broadband TV), the latest specification for web-based entertainment services delivered through TVs or set-top boxes. HbbTV is supported by the DVB-T (digital video broadcasting – terrestrial) standard, one of the wireless video and data distribution methods available today.

Scheel found that attack code can be sent to a smart TV through a broadcast signal using an inexpensive DVB-T transmitter ($150 or less). The command could be to load a website hosting browser exploits. The page would load in the background, completely hidden from view. For the attacker, the DVB signal comes with important advantages: it is uni-directional and can be turned on just for the brief time needed to deliver the malicious command, significantly lowering the chances of getting caught.

TVs automatically connect to the strongest DVB signal so, depending on the strength of the transmitter, this attack can work both against specific targets and a larger group. To fend off such attacks, users can turn off HbbTV functionality in the TV set, essentially downgrading the device. Depending on the strength of the signal created, this attack can be used against specific targets as well as larger areas.

Rafael Scheel’s Smart TV Hacking full presentation:

Following Scheel’s presentation, the DVB Steering Board updated the technical specification od standard and added an authentication mechanism for broadcasters. “In essence, the television receiver learns the legitimate transmission on each channel and will then identify and reject any subsequent tampering,” reads the board announcement

At the beginning of the week, another researcher disclosed vulnerabilities in the Tizen operating system running on Samsung smart things, including TVs, watches and phones. Amihai Neiderman told Motherboard that the code in Tizen may be the worst he had ever seen.

“Everything you can do wrong there, they do it,” Niederman said. “You can see that nobody with any understanding of security looked at this code or wrote it. It’s like taking an undergraduate and letting him program your software.”

Out of more than 40 vulnerabilities the Israeli researcher discovered in Tizen, one stands out: the TizenStore app, responsible for adding software and updates to the device, suffers from a heap overflow vulnerability that can be exploited before any verification of software legitimacy. This means that a Tizen system could be updated with any sort of malicious code, allowing it to be controlled remotely.

Cybercriminals intentionally seek out insecure technology and poor programming. The two researchers show that smart TVs suffer from both, and exploiting them can be cheap and easy. On top of this, connected sets come with capabilities like online video chatting, email and even online purchases, sufficient incentives for turning them into a target.