HbbTV holes make tellys hackable

Vulnerabilities in Hybrid Broadcast Broadband TV (HbbTV) television sets have been found that allow viewers' home networks be hacked, the programs they watched spied on, and even for TV sets to be turned into BitCoin miners.

The laboratory attacks took take advantage of the rich web features enabled in smart TVs running on the HbbTV network, a system loaded with online streaming content and apps which is used by more than 20 million viewers in Europe.

Such systems will be Down Under as early as May next year after Australia's Channel Seven announced plans last month to roll out HbbTV. Nine and Network Ten would follow suit.

The research into the next generation TV systems was done by Marco Ghiglieri, Florian Oswald and Erik Tews of the Technical University of Darmstadt and later built on by Martin Herfurt from Germany consultancy Nruns. Together the researchers tested Samsung TV models UE40ES6300, UE40D6200 and UE46ES7000 available across Europe.

Many of the attacks could be made when TV viewers changed stations – a process which pulled new information from broadcasters and internet sources.

These attacks made assailants essentially entertainment providers. They included digital video broadcasting (DVB) and digital storage media command and control injection in which attackers specified a URL to inject content into streaming carousels within the TV.

Alternatively, attackers could manipulate DNS servers to direct DVB streams to resolve their own content servers.

Or, because stations did not use SSL, they could run man-in-the-middle attacks and serve their own content. SSL would not necessarily prevent the attacks, Herfurt said.

Watering hole attacks could also be conducted to own specific types of individuals by compromising the broadcasting providers they would tune into. The providers were found be to running outdated software.

“Once attackers managed to redirect the HTTP requests of the TV to controlled sources, many different HTML-/JavaScript-based attacks become possible,” HerFurt said.

He said JavaScript Bitcoin miners like Bitcoin Plus could be also run on the TVs, though it's effectiveness may be questionable.

The university researchers described in a paper that it was possible to sniff wireless networks to discover which programs consumers were watching based on MAC addresses and the size of packets (pdf in German).

They also noted that because station providers used analytic services including Google to quietly monitor consumer habits – a privacy problem they noted in itself – users could generate fake requests via proxy networks to simulate real TV watchers.

Enough fake requests may affect a broadcaster's decision to continue or axe TV shows

Scores of holes have been found previously in smart TVs. In December, Luigi Auriemma found holes in Samsung TVs that  allowed remote attackers to swipe data from attached storage devices, track shows users watch and gain root on the appliances.

He also managed to put TV sets into continous boot-loops

Mocana researchers published a report (pdf) it was possible to push fake credit card forms to TVs, redirect internet traffic to phish users and steal manufacturer keys, and tap backend services.

Users could do little to protect themselves but vendors could lock down features and deploy whitelisting.

Copyright © SC Magazine, Australia