In fact, connected TVs are vulnerable to everything from Java exploits to Bitcoin mining to being completely hijacked, according to security researcher Martin Herfurt, who recently bought a smart TV and decided to take a look at the security situation. The Germany-based Herfurt also has access to a feature called HbbTV, which is the European standard for delivering hybrid TV experiences, which allows pay-TV operators to combine online apps and content with linear broadcast capabilities within branded portals of interactive content. HbbTV exacerbates the issue, he said.
Outlining the scope of the problem (and it’s wide), Herfurt didn’t pull any punches: “Connecting HbbTV-capable smart TVs to the home network is dangerous,” he noted. “Possibly malicious content is accessed and executed by the television when a user switches to an HbbTV enabled channel. So-called entertainment providers which provide content via HbbTV can be compromised by attackers or could be providing malicious content themselves that might lead to various attacks.”
He added, “Clearly, TV manufacturers seem to lack IT security know-how and have to learn from other industries in order to succeed…IMHO, it is just a matter of time before the attacks are spotted in the wild.”
It’s potentially a big problem: The connected TV phenomenon is on the rise. IHS iSuppli forecasts that smart TV shipments climbed 27% in 2012 to reach 66 million units. By 2015, the smart TVs will make up 55% of the market, with global shipments climbing to 141 million units.
Herfurt pointed out that the TV’s relationship to HTML content immediately bears a deeper look. For one, the interactive program and apps guide that pops up when users press a certain button on the remote is actually a semi-transparent HTML layer that overlays the broadcast TV picture, and is in most cases retrieved from a specific web server.
“So technically, the connected TV becomes visible to the broadcast station without notification of the user or the consent of the TV user,” he said. “The moment the red button hint is displayed on the TV screen, the user’s privacy is possibly breached.”
Wi-Fi eavesdropping is one threat. It is possible to find out the neighbors’ TV watching preferences by monitoring wireless network traffic. Based on the lengths of the packets and the MAC addresses of the different devices, attackers are able to gather this kind of information even if the Wi-Fi access point uses WPA encryption.
There are also content attacks that are possible, which essentially allow a hacker to hijack the TV and show whatever they want.
Content is requested by the smart TV at the time the user changes the channel. Attackers can inject content into a streams content carousel, specifying URLs to send content to the TV. Or, they could manipulate DNS servers in order to make the URLs within the DVB stream resolve to servers with their content.
Also, “since none of the observed stations is using a SSL secured connections, attackers can perform man-in-the-middle attacks and replace the original content by their content,” Herfurt warned. “Even if SSL was in use, not all TVs would prevent the user from accessing the content.”
Watering hole attacks are another danger: attackers can compromise the original source of the delivered content in order to replace the original content with their content. In the process of scanning some of the station’s servers, poorly configured servers using outdated software versions were identified.
Worst of all, not only the TV is the target of possible attacks but also other networked devices in the user’s home network. “Using a timing-based approach, attackers are able to scan the user’s home network from the TV for other devices that are behind the user’s firewall and would not directly be visible from the internet,” Herfurt said. “This could be used for user profiling and for finding further attack targets.”
To avoid a rash of TV p0wning, there are mitigation tactics that TV manufacturers could implement – although they aren’t foolproof.
“The software of currently available HbbTV devices lacks the possibility to configure security settings as might be done in decent browsers,” Herfurt said. “At the moment, the TV user has to trust the entertainment provider/broadcast station a lot….TV manufacturers have to implement mechanisms that allow the user to control the TV’s HbbTV functionality. Allowing users to whitelist trusted channels would solve at least some of the issues.”
Herfurt isn’t alone in researching this: In December ReVuln found a vulnerability in Samsung TVs that would allow hackers to gain eyes and ears inside the living room via the living-room set.
**Update November 2013 – Daily Mail Article on TV**
Huntley wrote about the findings on his blog. After his case was picked up by mainstream news outlets, LG announced an investigation. ‘Customer privacy is a top priority,’ the firm said. ‘We are looking into reports that certain viewing information on LG smart TVs was shared without consent.’
LG has also removed its promotional video about targeted advertising from its website.
The Information Commissioner’s Office says it is now investigating the firm for a ‘possible breach’ of the Data Protection Act. Jason Huntley, meanwhile, tells me he is ‘very suspicious and also a little worried’ by the affair.
‘I don’t think we’ve heard the last of this. Who knows what else these televisions are doing that we don’t know about?’