Millions of Smart TVs Vulnerable To 'Red Button' Attack 155
An anonymous reader writes "Researchers from Columbia University's Network Security Lab discovered a flaw affecting millions of Smart TVs supporting the HbbTV standard. The flaw allows a radio-frequency attacker with a low budget to take control over tens of thousands of TVs in a single attack, forcing the TVs to interact with any website on their behalf — Academic paper available online."
It doesn't take a genius to come up with an attack (Score:5, Informative)
Yes, I RTFA. And the responsible consortium knows about the bug and doesn't consider it "important" enough to warrant a change because it's "not cost efficient" to execute an attack.
It is.
If all it takes is to weave a signal into the program, there are SO many places where this can take place that it's literally trivial to execute. Aside of the idea they present themselves, i.e. a 1MW transmitter used to infect a rather small area, how about using the broadcast itself? Yes, that means that you have to gain access to the show when or before it is aired, but considering just how many people are concerned with the creation of TV programming, having an "inside man" is fairly trivial. From production to cutting to storage to preparation to the actual broadcast, a show goes through many, many hands, every single thereof having the chance to inject the signal without anyone noticing before it's too late.
Now add that the more recent history taught us that governments are certainly not above abusing such a flaw and tell me again that there is "no need for concern".
Re:It doesn't take a genius to come up with an att (Score:5, Informative)
"All it'd take to do this is walk into the room and swap a commercial with one with the attack embedded."
I managed the Cable TV systems for commercial insertion for 10 years, so tell me again how easy it is to swap a TV commercial? Because all the AD insertion servers are password protected and also in locked racks that you have to get through first. Are you an uber haxor? where hacking a server is a 30 second trivial thing and then you know the Ad insertion software suite (Seachange By the way for all you Uber Hax0rs) so well that you carry the client insertion apps with you on your laptop? Oh and what file format did you encode that TV commercial? Because you need the right format for the system setup, no it's not the same nation wide.
In fact it's easier for you to pick a far less protected network location, Like a sales office, Get hired on the cleaning crew and attack the network from there to try and gain access to the encode and upload station at the main ad insertion office. If you are lucky, that one was set up by IT retards and is on both the corporate network and the ad insertion network (ad insertion network is a protected and isolated network)
A far more plausable route is social engineering while wearing a suit and having a lot of money. Contact a sales person for AD insertion, buy Air time and supply them with a Pre Encoded TV commercial that is already set up for their systems file and encoding settings. A file that hopefully they will just drop in the system and not run through any video re-encoding software that will destroy or strip your evil info. faking urgency and throwing a lot of cash at the sales person increases the chances of just a straight file copy, but that is against SOP and has a high possibility of failing. But then Places like Comcast pay nearly minimum wage for the poor guys that do video conversion and upload, so if done late in the day the chance that they will just copy and call it done is high.
Just swap a TV commercial..... That's Hilarious, this is not 1993 when you had racks full of video tapes for the TV commercials.
Re:It doesn't take a genius to come up with an att (Score:5, Informative)
The TS most likely re-written on final broadcast. If it is going out OTA, then the transmitter will repack the data as ATSC, regroom the MPEG2 content, and rewrite the PAT at the tower (usually with a custom PID for each video stream, a PID for DATA, etc, to make it consistent at the viewer's side). So changes are low there.
Since most CATV providers require a STB, very few TVs are using the ClearQAM streams directly (usually encrypted streams that require an handshaked box). Those very few that are using a CableCARD or equivalent are probably in such a minority you might not even want to bother. Oh, and the streams are re-packed when they are encrypted so garbage data is probably removed at that point.
Oh, and good luck "just walking into a CATV headend and replacing commercials." Every CATV headend that I've seen (including the one I run), don't store the commercials there, let alone have any way to change them. Those are usually controlled up-stream in some no-name office remotely then muxed or pulled in by the groomers or stat-muxers (depending on how they are setup).
Re:Good luck with that (Score:5, Informative)
Actually it requires about $200 and nothing more.
http://www.hides.com.tw/produc... [hides.com.tw]
Bundled Opencaster offers point and click HbbTV support.
Hi, I co-authored the paper :-) (Score:5, Informative)
Thanks for the comments. I hope I can clarify some of the things people said here.
Re popularity of OTA vs. cable: Cable is more popular in the US, but that's just the US. Digital Terrestrial is much more common in other places - for example it's the most popular delivery method in Europe by far (page 39) . [europa.eu] In the US immigrants use it a lot more than US-born.
To whomever suggested attacks via the remote control's IR port: that sounds a lot of fun to try, but the IR receiver's much less sensitive than the RF jack, it has a much lower data rate, and it needs line of sight.
About the power calculations: 1 Watt (0 dBm) can cover an area of 1.4 square Kilometers, under reasonable assumptions. The math is in the paper.
One last thing: A big shout-out to Martin Herfurt, whose work on HbbTV security [wordpress.com] was our starting point.
Re:Hi, I co-authored the paper :-) (Score:2, Informative)
About the power calculations: 1 Watt (0 dBm) can cover an area of 1.4 square Kilometers, under reasonable assumptions. The math is in the paper.
I hope the math in the paper is right, then, because 1 watt would be 30 dBm. A value of 0 dBm is 1 milliwatt.
http://en.wikipedia.org/wiki/DBm [wikipedia.org]
Re:It doesn't take a genius to come up with an att (Score:5, Informative)
So the idea is that the attacker overrides the RF signal with his own one, which contains the malicious data.
No. They are actually overriding the DVB broadcast signal from the broadcaster and inserting malicious packets into the stream.
Abstract: In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content which is rendered by the television. This system is already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard.
All of the references to the "red button" on the remote are a distraction that can be confusing. The red button on your remote is simply a way that you can invoke or interact with the hybrid content in the broadcast stream. It has nothing to do with the actual attack and the embedded content doesn't need to be actual interactive content.