Millions of Smart TVs Vulnerable To 'Red Button' Attack
An anonymous reader writes "Researchers from Columbia University's Network Security Lab discovered a flaw affecting millions of Smart TVs supporting the HbbTV standard. The flaw allows a radio-frequency attacker with a low budget to take control over tens of thousands of TVs in a single attack, forcing the TVs to interact with any website on their behalf — Academic paper available online."
Yes, I RTFA. And the responsible consortium knows about the bug and doesn't consider it "important" enough to warrant a change because it's "not cost efficient" to execute an attack.
It is.
If all it takes is to weave a signal into the program, there are SO many places where this can take place that it's literally trivial to execute. Aside from the idea they present themselves, i.e. a 1MW transmitter used to infect a rather small area, how about using the broadcast itself? Yes, that means that you have to gain access to the show when or before it is aired, but considering just how many people are concerned with the creation of TV programming, having an "inside man" is fairly trivial. From production to cutting to storage to preparation to the actual broadcast, a show goes through many, many hands, every single one thereof having the chance to inject the signal without anyone noticing before it's too late.
Now add that the more recent history taught us that governments are certainly not above abusing such a flaw and tell me again that there is "no need for concern".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So the idea is that the attacker overrides the RF signal with his own one, which contains the malicious data. The client TV then automatically interprets the HTML from the transport stream metadata. Provided that the attack was successful, a bunch of TVs can for example be controlled to access a certain website through HTTP requests, causing a denial of service attack for that website.
Well, one important detail. Exactly the neighborhoods that have a high level of Smart TVs will also be receiving their programming via cable or sat, so your RF hijacking is received by only a tiny subset.
Right. There is little need for TVs that tune or are smart anymore. Just need a monitor. Let separate upgradeable or replaceable devices handle video sources. Today's Smart TVs are like yesterday's TVs with the built in DVD player.
There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling transmission. If we wish to make it louder, we will bring up the volume. If we wish to make it softer, we will tune it to a whisper. We will control the horizontal. We will control the vertical. We can roll the image, make it flutter. We can change the focus to a soft blur or sharpen it to crystal clarity. For the next hour, sit quietly and we will control all that you see and hear. We repeat: there is nothing wrong with your television set. You are about to participate in a great adventure. You are about to experience the awe and mystery which reaches from the inner mind to... The Outer Limits.
The Forbes article mentions a 1W and a 25W amplifier. A quick check confirms the paper also says this (not 1MW!).
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
If space is at a premium like it is in New York or other urban areas, a smart TV isn't bad value. Plus it frees up an HDMI socket. Maybe Facebook integration is overboard but Hulu and Netflix aren't going away for a while. Neither is Plex or DLNA or Spotify or...
As an aside, what I really want from a smart TV is a much smarter UI. I don't think I've seen a smart TV with a decent UI. Something that makes it easy to switch the inputs, change settings, etc., and also implements CEC so I can turn on my consoles or whatever and have it control a receiver with one remote.
Non impediti ratione cogitationus.
Looks like I just escaped disaster by not owning a TV at all.
Aren't you so special and clever.
Torrents, baby, torrents and streaming.
And proud to be a thief. How many legitimate sources of video are offered as torrents? I'd be interested in trying them myself.
I honestly don't understand why people would buy a "smart" TV instead of a monitor, surround sound speakers, and plug it in to a laptop or computer.
Then you're an idiot. Not everyone wants 3 or 4 different devices to do one simple thing. Not everyone wants to dick around keeping a computer working properly all the time.
How many people really use OTA broadcasts nowadays?
About 8% at last check, use OTA exclusively. Significantly more use a mix of OTA and other sources. So a significant number of people.
Of course if you weren't so busy trying to show us how brilliant you were, you'd have taken the 3 seconds required to Google it.
So awesome, you've used your leet skills to run someone else's software, someone else's OS and done a custom setup so you could steal most of your content and contribute nothing at all useful to society other than your arrogance.
We're so glad you have more time than brains so you can sit around and do, for more money, what the rest of us do for less without offering any significant advantage.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
I prefer my Roku 2/3 to the smart features on my TVs but it is difficult to buy a nicer TV these days without the "Smart" features included. It would be nice if you could disable the "Smart" part of these TVs. I don't think I have seen that as an option but I guess you could just disable the networking.
Keep the Classic Slashdot.
I've been doing audits for a rather long while now. Few companies have sensors on their inside.
In other words, it will be easy to find out THAT something went on after the incident. Who did it, otoh, is an entirely different matter. You'd be surprised how easy it is to get into a lot of companies and move about unhindered with the right uniform and the "I belong here" attitude.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"All it'd take to do this is walk into the room and swap a commercial with one with the attack embedded."
I managed the Cable TV systems for commercial insertion for 10 years, so tell me again how easy it is to swap a TV commercial? Because all the AD insertion servers are password protected and also in locked racks that you have to get through first. Are you an uber haxor? where hacking a server is a 30 second trivial thing and then you know the Ad insertion software suite (Seachange By the way for all you Uber Hax0rs) so well that you carry the client insertion apps with you on your laptop? Oh and what file format did you encode that TV commercial? Because you need the right format for the system setup, no it's not the same nation wide.
In fact it's easier for you to pick a far less protected network location, Like a sales office, Get hired on the cleaning crew and attack the network from there to try and gain access to the encode and upload station at the main ad insertion office. If you are lucky, that one was set up by IT retards and is on both the corporate network and the ad insertion network (ad insertion network is a protected and isolated network)
A far more plausible route is social engineering while wearing a suit and having a lot of money. Contact a sales person for AD insertion, buy Air time and supply them with a Pre Encoded TV commercial that is already set up for their system's file and encoding settings. A file that hopefully they will just drop in the system and not run through any video re-encoding software that will destroy or strip your evil info. Faking urgency and throwing a lot of cash at the sales person increases the chances of just a straight file copy, but that is against SOP and has a high possibility of failing. But then places like Comcast pay nearly minimum wage for the poor guys that do video conversion and upload, so if done late in the day the chance that they will just copy and call it done is high.
Just swap a TV commercial..... That's Hilarious, this is not 1993 when you had racks full of video tapes for the TV commercials.
Do not look at laser with remaining good eye.
I honestly don't understand why people would buy a "smart" TV instead of a monitor, surround sound speakers, and plug it in to a laptop or computer. How many people really use OTA broadcasts nowadays?
Yeah, because computers aren't susceptible to attacks at all. Everyone knows there's nothing more secure than keeping an internet-connected computer running 24/7 in your house.
Pretty good is actually pretty bad.
If you think "space is at a premium" even in a 250 sq foot apartment, that a Smart TV is a good idea, then you are nuts.
You have a buttload of space on the back of that TV to put a Roku Box, and an Apple TV, and an XBMC box, and your Cable TV box, plus an HDMI switcher if you bought low end with less than 4 HDMI inputs. And if that space is really at a premium, then you also bought a universal remote and an IR extender so all the devices can be on the back of that TV out of the way and you have only one remote to really simplify operation of the whole setup.
There is NEVER a reason to buy a smart TV other than being talked into it by the sales guy at Best Buy.
Do not look at laser with remaining good eye.
When you make cheap, shitty, under-engineered, non-compatible systems that can't be commoditized because everyone is banking on their proprietary system taking off and cornering the market... that you'll end up with a cheap, shitty, under-engineered system with major security flaws?
Yet another reason why Smart TVs are worse than useless.
The TS is most likely rewritten on final broadcast. If it is going out OTA, then the transmitter will repack the data as ATSC, regroom the MPEG2 content, and rewrite the PAT at the tower (usually with a custom PID for each video stream, a PID for DATA, etc., to make it consistent at the viewer's side). So chances are low there.
Since most CATV providers require a STB, very few TVs are using the ClearQAM streams directly (usually encrypted streams that require a handshaked box). Those very few that are using a CableCARD or equivalent are probably in such a minority you might not even want to bother. Oh, and the streams are re-packed when they are encrypted so garbage data is probably removed at that point.
Oh, and good luck "just walking into a CATV headend and replacing commercials." Every CATV headend that I've seen (including the one I run) doesn't store the commercials there, let alone have any way to change them. Those are usually controlled upstream in some no-name office remotely then muxed or pulled in by the groomers or stat-muxers (depending on how they are set up).
Actually it requires about $200 and nothing more.
http://www.hides.com.tw/produc...
Bundled Opencaster offers point and click HbbTV support.
Who logs in to gdm? Not I, said the duck.
Heh. Well, I'm kinda proud of our security staff, they even sent a board member back (despite said board member ranting and raving about how he'll ensure the security person be fired) because he forgot his access card.
And yes, the board member actually demanded him to be fired. When I asked him if he really wants me to fire one of our guards on grounds of him doing his job and following the security protocol unlike a certain board member who expected and ordered the guard to break security protocol, suddenly he had to leave in a hurry... dunno why...
I LOVE working in a company where security trumps productivity.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
http://www.hides.com.tw/produc...
This is a USB dongle, you push a TS stream into it. Bundled Opencaster software will build the TS stream for you. Basically it's a small Digital TV station capable of transmitting one mux.
* DVB-T version, will not work with ATSC TVs in US. Btw LOL US and your ATSC A/53 mpeg2 "hd"tv.
Who logs in to gdm? Not I, said the duck.
Executable content from an uncontrolled source. Sheesh! Why do the folks who design/build entertainment electronics have such a limited understanding of the digital world? Going back to the invention of the Compact Disc as a music medium, the industry consistently demonstrates an inability to think broadly about the opportunities and consequences of the digital world.
People with home networks (i.e., lots of folks) and a TV that permits executable content that was received from an uncontrolled RF source to run on a CPU that has access to the TV's in-home Local Area Network connection will be so screwed it isn't funny.
If all TV's end up with this capability, we'll have to firewall off our TVs from the rest of our home networks. The last thing I need when I get home from work worrying about the unholy intersection of jackass hackers and jackass software vendors is my TV going rogue and hacking into the rest of my carefully secured digital castle through the television.
Is the US government asleep at the switch? Here is the opportunity to nip in the bud a huge threat to national security (ever see how many TVs there are all over all federal buildings these days?). If they can't understand basic Information Systems security enough to understand that executable content MUST either be from a controlled/trusted source OR MUST be securely isolated from trusted network connections, then we need a new set of policy folks.
One way to stop this idiocy would be to convince the masses that this threat is too great to ignore. If no one buys the TV sets (which are essentially Trojan Horse wormholes), the manufacturers will certainly take notice. If we get the entertainment electronics journalists on board ringing the danger bell, that might put enough of a dent in sales to get their attention.
Thanks for the comments. I hope I can clarify some of the things people said here.
Re popularity of OTA vs. cable: Cable is more popular in the US, but that's just the US. Digital Terrestrial is much more common in other places - for example it's the most popular delivery method in Europe by far (page 39). In the US, immigrants use it a lot more than the US-born.
To whomever suggested attacks via the remote control's IR port: that sounds like a lot of fun to try, but the IR receiver's much less sensitive than the RF jack, it has a much lower data rate, and it needs line of sight.
About the power calculations: 1 Watt (0 dBm) can cover an area of 1.4 square Kilometers, under reasonable assumptions. The math is in the paper.
One last thing: A big shout-out to Martin Herfurt, whose work on HbbTV security was our starting point.
In this case, it's more like "Oh no, I've been inconvenienced as a direct result of someone else's negligent actions."
If the end result of TV manufacturers not releasing a more secure firmware for the affected models is your TV running malicious code that, say, simply bricks your TV, they should be liable for repair or replacement costs. If the result is that your TV ends up running code that hacks into your computer and steals your financial and personal details, they should likewise be liable for any resulting fraud and the cost of cleaning up that mess. In both cases, maybe a little something for the trouble, as well; it's best for society that we discourage purposeful negligence like this.
We're not talking about simply missing a TV show here; there are real and potentially damaging implications here.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
If your TV plays Netflix and Vudu, what is the point of upgrading?
For one thing, Netflix may choose to end compatibility with older devices that don't support the new digital restrictions management capabilities on which its licensors insist. For another, a TV that supports only WEP won't work anymore if you upgrade your house's wireless network to better WPA family protocols.
Tell me again why we even need 'smart TVs' in the first place?
I'd rather spend the money on a basic TV with better picture quality and get the 'smart' part from what I connect to it (DVR in my case).
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
So the idea is that the attacker overrides the RF signal with his own one, which contains the malicious data.
No. They are actually overriding the DVB broadcast signal from the broadcaster and inserting malicious packets into the stream.
Abstract: In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content which is rendered by the television. This system is already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard.
All of the references to the "red button" on the remote are a distraction that can be confusing. The red button on your remote is simply a way that you can invoke or interact with the hybrid content in the broadcast stream. It has nothing to do with the actual attack and the embedded content doesn't need to be actual interactive content.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
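Added example, not part of the original thread or the paper: the comment above points out that the hybrid content travels inside the broadcast stream itself. A defender holding a packet-aligned transport-stream capture can check which PIDs carry HbbTV application signalling. The sketch assumes the AIT `table_id` 0x74 and the HbbTV `application_type` 0x0010 from the DVB/HbbTV specifications; the sample packets, PIDs and the helper `make_packet` are constructed for illustration.

```python
from collections import Counter

TS_PACKET = 188
SYNC = 0x47
AIT_TABLE_ID = 0x74       # Application Information Table (assumed per ETSI TS 102 809)
HBBTV_APP_TYPE = 0x0010   # application_type assigned to HbbTV (assumed per the spec)


def iter_packets(data):
    """Yield (pid, pusi, payload) for each well-formed packet of an aligned capture."""
    for off in range(0, len(data) - TS_PACKET + 1, TS_PACKET):
        pkt = data[off:off + TS_PACKET]
        if pkt[0] != SYNC or pkt[1] & 0x80:       # lost sync or transport error flag
            continue
        pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
        afc = (pkt[3] >> 4) & 0x3                 # adaptation_field_control
        start = 4
        if afc & 0x2:                             # adaptation field precedes payload
            start += 1 + pkt[4]
        if not afc & 0x1 or start >= TS_PACKET:   # packet carries no payload
            continue
        yield pid, bool(pkt[1] & 0x40), pkt[start:]


def find_hbbtv_ait(data):
    """Return Counter {pid: section starts} that look like an HbbTV AIT (heuristic)."""
    hits = Counter()
    for pid, pusi, payload in iter_packets(data):
        if not pusi:                              # only look at section starts
            continue
        sec = payload[1 + payload[0]:]            # skip pointer_field
        if len(sec) < 5 or sec[0] != AIT_TABLE_ID:
            continue
        if not sec[1] & 0x80:                     # section_syntax_indicator must be 1
            continue
        app_type = ((sec[3] & 0x7F) << 8) | sec[4]
        if app_type == HBBTV_APP_TYPE:
            hits[pid] += 1
    return hits


def make_packet(pid, payload, pusi=True):
    """Build a constructed test packet: 4-byte header, payload, 0xFF stuffing."""
    hdr = bytes([SYNC, (0x40 if pusi else 0) | (pid >> 8), pid & 0xFF, 0x10])
    return hdr + payload + b"\xFF" * (TS_PACKET - 4 - len(payload))


# Constructed sample: a PAT-like section start, a PES (video) start, and an AIT
# section header only (no application loop, no CRC). PIDs are arbitrary.
SAMPLE = (
    make_packet(0x0000, bytes([0x00, 0x00, 0xB0, 0x0D]))
    + make_packet(0x0100, bytes([0x00, 0x00, 0x01, 0xE0]))
    + make_packet(0x0BBA, bytes([0x00, 0x74, 0xF0, 0x09, 0x00, 0x10, 0xC1, 0x00, 0x00]))
)

if __name__ == "__main__":
    for pid, count in find_hbbtv_ait(SAMPLE).items():
        print(f"PID 0x{pid:04X}: {count} HbbTV AIT section start(s)")
```

The scan does not follow the PAT and PMT, so treat a hit as a pointer to the PID worth inspecting with a full demultiplexer rather than as proof.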
Abstract: In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content which is rendered by the television.
And for anyone wondering just why the hell anyone would want this, TFA clarifies:
Broadcasters and advertisers have been eager to use the HbbTV to target ads more precisely and add interactive content, polls, shopping and apps, to home viewers.
So let me get this right... "Punch the Monkey", coming to a TV near you? Flashing and bouncing "Take the "Which Ninja Turtle are you most like?" poll for a chance to win $1000!!!"? Malicious "Your TV isn't secure! Click here to upgrade!" ads that install some bullshit TV "app" that does only god-knows-what? Remote scripting running on a device designed without any security in mind, and which will probably never be updated during its 8+ year lifetime?
How can I make this clear? Do. Not. Fucking. Want. Yet another reason to avoid "smart" TVs, I guess.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
Of course you can! You're just looking in the wrong place. The TV's you want are labelled "Computer Monitor".
The Red button can be useful IFF there is no network connection at all (preventing most of the crap). For example, on DirecTV you can pull up sports scores, weather for your location, and such.
But over the air with a network connection? I agree with you, DO NOT WANT!
I notice they seem to have put plenty of effort into DRM in the spec to protect content providers, and none into security that would protect the owner of the TV.
And cable, and satellite... don't forget those boxes we now have to rent again to get our video feed (the real reason for moving to digital TV, but that is a different subject) are in effect a smart TV... THEY control what your set gets to display to you.
Now what I don't know is: Do these 'receivers' have this technology yet? If not, it's a matter of time.
---- Booth was a patriot ----
Another effective mechanism is to decline the privacy policy. According to a recent Slashdot post, that disables pretty much every smart feature the TV has.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".