Truly Braindead “smart” TV Spec and Hack

From the “OMG! Can an industry be that braindead?” department, we have “Smart” HDTV with HbbTV installed.

Folks will remember I was “rushed” into buying a new HDTV due to the old dumb set dying. Then “rushed” into buying a 2nd “smart” TV when the spouse would not let me put “my” TV where the old one had died, until I replaced the “big set” in the living room. Well, I’m not fond of “rushing” as that is how errors happen. Especially errors involving security exploits.

Well the “good news” is that it looks like I’ve “dodged the bullet” on this particular exploit. The “bad news” is that it was entirely by accident.

The first TV I bought was a “dumb” Toshiba. I’ve been VERY happy with it. Added a “Roku” device for internet TV that has also given me more than I’d expected. (Realize I mostly want news – at which it is great; not the current trendy new series on networks, at which it is sucky unless you buy a service from someone like Netflix or a Cable Provider, but then what’s the point of the Roku?…) Not a lot of security issues with a dumb TV that has no WiFi or Ethernet connection, no camera, no microphone, and not much more than a TV tuner and screen.

The second TV was the more problematic one. I’d scoped out an “on sale” larger LG TV that was also a dumb TV; but they had sold out by the time I went to make the buy. I decided to accept an “upsell” for about $75? to a “smart” TV of larger size that was also being cleared out, and also on sale. I was a tiny bit worried about the “smart” aspect. Over time, I’ve finally gotten around to researching TV hacks and exploits.

The Good News: Near as I can tell, my LG TV does not have HbbTV in it, so is not subject to this particular family of exploit. It also doesn’t have microphone, camera, etc. but I already knew that.

The actual exploit is a fairly standard memory leak / smashing exploit using the browser of the “smart” TV; so if your TV doesn’t have a browser (even a hidden one you don’t see…) you are probably fine. It depends on the HbbTV standard for the remote aspect of the exploit. HbbTV is Hybrid Broadcast / Broadband TV.

Hybrid Broadcast Broadband TV (HbbTV) is both an industry standard (ETSI TS 102 796) and promotional initiative for hybrid digital TV to harmonise the broadcast, IPTV, and broadband delivery of entertainment to the end consumer through connected TVs (smart TVs) and set-top boxes. The HbbTV consortium, regrouping digital broadcasting and Internet industry companies, is establishing a standard for the delivery of broadcast TV and broadband TV to the home, through a single user interface, creating an open platform as an alternative to proprietary technologies. Products and services using the HbbTV standard can operate over different broadcasting technologies, such as satellite, cable, or terrestrial networks.

HbbTV is the association of two projects born in February 2009, with the French H4TV project and the German HTML profil project.

HbbTV can show digital television content from a number of different sources including traditional broadcast TV, Internet, and connected devices in the home. To watch hybrid digital TV, consumers will need a hybrid IPTV set-top box with a range of input connectors, including Ethernet as well as at least one tuner for receiving broadcast TV signals. The tuner in a hybrid set-top box can be digital terrestrial television (DVB-T, DVB-T2), digital cable (DVB-C, DVB-C2) and digital satellite (DVB-S, DVB-S2).

HbbTV was first demonstrated in 2009, in France by France Télévisions and two developers of Set Top Box technologies, Inverto Digital Labs of Luxembourg, and Pleyo of France, for the Roland Garros tennis sport event on a DTT transmission and an IP connection and in Germany using the Astra satellite at 19.2° east during the IFA and IBC exhibitions.

In June 2014, the HbbTV Association merged with the Open IPTV Forum, a similar industry organisation for end-to-end Internet Protocol television (IPTV) services formed in 2007, which worked closely with the HbbTV initiative on browser and media specifications for network-connected televisions and set-top boxes. The two initiatives were combined under the HbbTV Association’s banner because the markets for IPTV, OTT and hybrid broadcast and broadband TV are converging.

In September 2016 it was announced that the Smart TV Alliance, founded in 2012 by LG Electronics, Panasonic, Toshiba and TP Vision, is to merge with HbbTV, extending the scope of the HbbTV specification to address over-the-top services and to streamline standards. The merger is expected to be finalised within a year.

So getting that “clearance” model was likely the key step…

Now this could be done in a secure and well thought out manner. Unfortunately, it wasn’t. THE big issue is that it allows the hybridization of a one-way insecure network (broadcast) with a secure two way network (internet) in such a way that the insecure system can cause the secure system to download an “exploit” to the little computer in your TV set without you doing anything or even being aware of it. Oh, and you have no control of it either, and you can’t remove it once it is installed.

The article is here:

If you leave the page open long enough it puts up a “pop up” soliciting your enrollment in their newsletter, plus, even if you click the “stop loading” button, it keeps ‘refreshing’ (likely the advertising to increase ‘view’ counts) so I’ll quote a bit more aggressively than usual.

Over 85% Of Smart TVs Can Be Hacked Remotely Using Broadcasting Signals
Friday, March 31, 2017 Swati Khandelwal

The Internet-connected devices are growing at an exponential rate, and so are threats to them.

Due to the insecure implementation, a majority of Internet-connected embedded devices, including Smart TVs, Refrigerators, Microwaves, Security Cameras, and printers, are routinely being hacked and used as weapons in cyber attacks.

We have seen IoT botnets like Mirai – possibly the biggest IoT-based malware threat that emerged late last year and caused vast internet outage by launching massive DDoS attacks against DynDNS provider – which proves how easy it is to hack these connected devices.

Now, a security researcher is warning of another IoT threat involving Smart TVs that could allow hackers to take complete control of a wide range of Smart TVs at once without having any physical access to any of them.

The proof-of-concept exploit for the attack, developed by Rafael Scheel of cyber security firm Oneconsult, uses a low-cost transmitter for embedding malicious commands into rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals.

Those rogue signals are then broadcast to nearby devices, allowing attackers to gain root access on the Smart TVs, and using those devices for nasty actions, such as launching DDoS attacks and spying on end users.

Scheel provided a live hacking demonstration of the attack during a presentation at the European Broadcasting Union (EBU) Media Cyber Security Seminar, saying about 90 percent of the Smart TVs sold in the last years are potential victims of similar attacks.

Scheel’s exploit relies on a transmitter based on DVB-T — a transmission standard that’s built into TVs that are connected to the Internet.

The attack exploits two known privilege escalation vulnerabilities in the web browsers running in the background and once compromised, attackers could remotely connect to the TV over the Internet using interfaces, allowing them to take complete control of the device.

Once compromised, the TV would be infected in a way that neither device reboots nor factory resets would help the victims get rid of the infection.

Scheel’s exploit is unique and much more dangerous than any smart TV hack we have seen so far.

Previous Smart TV hacks, including Weeping Angel (described in the CIA leaked documents), required physical access to the targeted device or relied on social engineering, which exposes hackers to the risk of being caught as well as limits the number of devices that can be hacked.

However, Scheel’s exploit eliminates the need for hackers to gain physical control of the device and can work against a vast majority of TV sets at once.

The hack once again underlines the risks of “Internet of Things” devices. Since the IoT devices are rapidly growing and changing the way we use technology, it drastically expands the attack surface, and when viewed from the vantage point of information security, IoT can be frightening.

Swati Khandelwal
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

In the original there are live links to references for some of the claims made.

I also note that the footer with a mini-bio on Swati has a picture of her. So she’s smart AND cute… Oh to be a 20 or 30 something again ;-)

The core of the article is this video on YouTube. It is an hour and 16 minutes long and the meat of it begins about 3 or 4 minutes in after a short bio-mercial on the author and company. It is a detailed technical step by step “how to” on this particular exploit, WITH a live demo. The ‘creepy bit’ being held for the end where they mount their mini-TV broadcaster on a drone… so you could literally fly a small drone over a house or next to a skyscraper, hijack the TVs inside, and leave zero “footprint” or forensic evidence.

Unstated in the video is the potential for State Actors to do horrid things. It is hinted at with pointing out that instead of your own dinky transmitter doing a signal override, you could inject a signal at the broadcaster and cover all TVs in an area. This ignores that if a TLA (Three Letter Agency) walks in and flashes a badge, or just puts ‘their guy’ in the control booth by having a ‘killer’ resume ;-) (Perhaps after the ‘regular guy’ gets a belly ache… free lunch anyone?…) that said TLA could do a mass broadcast and mass exploit of ALL the “smart” TVs tuned to that channel at that time. But I’m sure we don’t have to worry about the CIA, NSA, FSB, GCHQ / MI6 / SIS et al. doing such a thing… /sarc;

OK, so I’m fairly “clean” even though it was 1/2 by accident. This HbbTV thing is mostly a European initiative at this point so little penetration elsewhere so far. There is still time for the HbbTV folks to actually add some security to their process, and on some TVs you can turn off that function.

For now, though, it looks like the best approach is to buy a “dumb” TV and add any intelligence outboard via an HDMI plug in ‘stick’ or computer. Or go buy a 2016 ‘clearance’ model that doesn’t have HbbTV in it just now; and hope ‘updates’ can’t add it. “But hope is not a strategy. -E.M.Smith”

Otherwise you might have to hold off a few years until they get this fixed… and hope they don’t introduce even more exposures in the process…

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons" are the mythology of Climate Change and ancient metrology; but things change...

5 Responses to Truly Braindead “smart” TV Spec and Hack

  1. Ian W says:

    Or of course the security issue could be built into the firmware of the chips like the Lenovo (and other) instances. Even a factory reset will not remove this built in malware.

  2. Jeff says:

    Funny thing, here in Germany we just switched from DVB-T to DVB-T2, causing a world of hurt to folks (like us) who have TVs which “speak” “T” but not “T-2”. As they’re different, the only solution is to get a set-top box to sit between, as it’s more than a firmware update can deal with (H.264 versus H.265 codecs).

    So, I just bought a Xoro (Zorro —slash, slash, hey, what’s that Z doing on my TV?), which can do DVB-T2, but NOT HbbTV. Good thing I didn’t spring for the extra “smarts”. I’m looking at doing some kind of media centre, but we don’t have Roku over here (at least yet, darn).

    Actually, there are three types of transmission, DVB-C (cable), DVB-S (satellite), and DVB-T (Terrestrial, which humble rabbit-ears and the old-fashioned roof-TV antennae can usually receive just fine, with Yagis, et al. doing better). The -2 variants have just come online, with DVB-T being totally blacked-out. Sigh. Minimum investment to get a pic back is around €50.00, with an additional €69.00 for a year’s worth of subscription to the “Privat-sender” if you want to get anything more than bog-standard (news and container shows) productions. Add to that the mandatory TV-tax of €18.00 per month (with clamps on your car wheels or even jail time if you don’t pay) and it’s “money for nothing and no shows for free”…

    So the article saying DVB-T is standard isn’t quite right. It’s one of three (or six) options that are available. Indeed, there are fancy-dancy boxes with SIX tuners and PVR capability that can tune all three input types, but they are north of €300.00, so most folks won’t go there.

    No wonder TV is dying. With the internet, and the myriad options for content it offers, the old-skool networks are hard-pressed to keep up. The “tax man” gets his 30 pieces of silver no matter what…

  3. gallopingcamel says:

    George Orwell warned us it would happen in 1984. His timing was out by a few decades but Big Brother is watching you now.

  4. cdquarles says:

    Big Brother’s been watching ever since radio and TV (also radio) became a thing. It was written into the 1934 act that created the GSE known as the FCC.

  5. philjourdan says:

    The good news – I never use it. The bad news – My TVs are fine, my Blu-ray is another matter. ;-)
