OMG – our Smart TV got pr0wn3d!
A large amount of the TV sets currently available for sale belong to the group of “Connected TVs” or “Smart TVs”. These devices have the capability to access the contents of online media libraries and allow users to access Internet-pages via an integrated web-browser. Mostly for the European market, the available devices have a feature called HbbTV. HbbTV stands for Hybrid Broadcast Broadband TV and defines a standard for TV sets to access station-specific online contents. Since April 2013, I am the proud owner of a SAMSUNG ES7000 – a device with HbbTV capabilities.
Introduction
Until now, most of the security researchers working with connected TVs focused on security vulnerabilities related to physical access to the device’s USB port or local network access (ReVuln – The TV is watching you: Samsung 0-day, great CanSec Talk by SeungJin Lee and Seungjoo Kim). In the end of may, at the 13th German IT-Security Congress (organized by the German BSI) the first security paper related to HbbTV got published. In the paper published by the German TU Darmstadt (Marco Ghiglieri, Florian Oswald, Erik Tews), mostly privacy-related issues with the HbbTV standard were addressed. Since I also had some time for SmartTV -research during the past two months, I will share my findings in this blog entry. These findings will confirm most of the findings of the aforementioned paper but also introduces attack vectors that become possible with HbbTV.
During BerlinSides 0x04 (May 2013 in Berlin) I was giving a short lightning talk about this. This is the transcript of this presentation.
The HbbTV Standard
The Hybrid Broadcast Broadband TV consortium aims to define a standardized way on how content from so-called entertainment providers (e.g. broadcast stations, online media providers) is delivered on connected TVs. Starting as a Pan-European effort, the HbbTV consortium wants to create a globally adopted standard for hybrid entertainment services. Especially within the so-called Declarative Application Environment (DAE) – the HbbTV browser – another standard for connected TVs is being adopted: The Open IPTV Forum standard for Internet protocol TVs (IPTV). This standard seems to cover the device-specific part for Internet functionality.
The Red Button
In many countries, the use of the red button, which is found on many TV remote controllers, has already been used for accessing additional information years before the introduction of HbbTV. In the HbbTV standard, the red button defines the entry-point for the content offered by the respective entertainment provider. In case of broadcast providers, the red button will in most cases load a menu-structure that enable the user to access media contents when the user presses it. But here is the catch: In order to refer to the offered content, a small hint is displayed on the TV screen once the user switches to the respective channel. This hint is in the most cases implemented as semi-transparent HTML-layer that overlays the actual TV picture and is in the most cases retrieved from a specific web server. In these cases, the URL for the red button webpage is encoded within the DVB stream. So technically, the connected TV becomes visible to the broadcast station without notification of the user or the consent of the TV user. The moment the red button hint is displayed on the TV screen, the user’s privacy is possibly breached.
DAE Capabilities
The TV’s browser component is able to display HTML content and to execute Javascript-Code. In the case of the SAMSUNG ES7000, the TV’s browser component is even WebKit 1.1 compatible. Additionally, the DAE offers certain OIPF-objects. Accessing the OIPF-objects from a Javascript context, information like the station list and other device specific information can be accessed. Possible attack vectors will be shown below.
Data Collection
In order to find out the different URLs that are either encoded within the DVB stream or accessed in order to display the red button, an observing approach was chosen. The data connection of the Samsung ES7000 Smart TV (firmware release 002008) has been redirected through a transparent proxy (the ES7000 itself doesn’t support configuring a proxy). A set of scripts on the proxy server took care of switching through a previously acquired channel list and copying the different URLs from the proxy’s access log to one file per station. The URLs were acquired from stations transmitted via ASTRA 19.2E. The different channels were accessed using a HD+ subscription. Other subscription stations (e.g. SKY) are not included. The proxy logs were captured on the 9th of May 2013. Download the logs here: http://trifinite.org/hbbtv/hbbtv_proxy_logs-2013-05-09.zip
Logs
The logs show the URLs that the TV was accessing when the respective channel was switched to. In order to avoid caching effects, the channels were switched through in random order. The URLs captured in the files clearly show whether the respective station is directly or indirectly using an analytics service. Since the switching of channels was performed every 15 seconds, the aforementioned repeated tracking requests are not shown in the captured logs.
Stations on ASTRA 19.2E using HbbTV
Here is a list of stations that are currently using HbbTV. Due to caching effects some of the stations which are using HbbTV might not be in this list of 66 stations:
| 3sat HD | ANIXE HD | ARTE HD |
| a.tv | BR-alpha | BR Süd HD |
| Das Erste HD | DAS VIERTE | Dr.Dish TV-Welt der Technik |
| EinsExtra | EinsFestival | EinsPlus |
| Franken Fernsehen | hr-fernsehen | HSE24 HD |
| HSE24 TREND | kabel eins HD | kabel eins Österreich |
| Kinowelt TV | Mainfranken | MDR Sachsen |
| MDR S-Anhalt | MDR Thüringen | münchen.tv |
| NDR FS HH HD | NDR FS MV HD | NDR FS SH HD |
| Niederbayern | n-tv | PHOENIX HD |
| ProSieben HD | ProSieben Österreich | PULS 4 Austria |
| QVC BEAUTY | QVC HD | QVC PLUS HD |
| Radio Bremen TV | rbb Berlin | rbb Brandenburg |
| rfo Regional Oberbayern | RTL2 HD | RTL HD |
| SAT.1 Bayern | SAT.1 NRW | SAT.1 Österreich |
| sonnenklar.TV HD | SR SÜDWEST Ferns. | SWR BW HD |
| TVA-OTV | TV Oberfranken | Ulm-Allgäiu |
| VOX HD | WDR HD Aachen | WDR HD Bonn |
| WDR HD Dortmund | WDR HD Duisburg | WDR HD Essen |
| WDR HD Münster | WDR HD Siegen | WDR HD Wuppertal |
| ZDF HD | ZDFinfokanal HD | ZDF.kultur HD |
Use of Third-Party tracking services
As the logs show, the following stations are using Google Analytics. One station is using a service called etracker (https://www.etracker.com/). Whether any of the stations (including the stations not mentioned below) have implemented their own tracking functionality – as the ProSiebenSat.1 group obviously has – cannot entirely be determined using the proxy approach, since this functionality would be visible mostly in server-side code.
ANIXE HD (Google Analytics)
ARTE HD (Google Analytics)
DAS VIERTE (Google Analytics)
kabel eins HD (Google Analytics)
kabel eins Österreich (Google Analytics)
ProSieben HD (Google Analytics)
ProSieben Österreich (Google Analytics)
RTL HD (Google Analytics)
RTL2 HD (etracker)
SAT.1 Bayern (Google Analytics)
SAT.1 HD (Google Analytics)
SAT.1 NRW (Google Analytics)
SAT.1 Österreich (Google Analytics)
Possible attacks
WiFi eavesdropping
The TU Darmstadt paper describes an attack where it is possible to find out the neighbors’ TV watching preferences by monitoring wireless network traffic. Based on the lengths of the packets and the MAC addresses of the different devices, attackers are able to gather this kind of information even if the WiFi access point uses WPA encryption.
Fake Analytics
Presumed the stations using analytics services will use eventual results for strategic TV programming, this could probably go wrong. Attackers are able to generate fake requests via proxy networks simulating real TV watchers. Many coordinated fake requests based on the TV schedule probably could affect the broadcast network’s strategic decisions to e.g. discontinue a certain show. (Credits to Michael Schäfer)
Content attacks
This group of attacks will take advantage of the fact that content is requested by the Smart TV at the time the user changes the channel. Here, the attacker will provide the content that is going to be displayed on the TV. There are several possibilities on how attackers could become entertainment providers:
- DVB/DSM-CC Injection
being able to inject content into a streams content carousel, attackers could specify URLs referring to their content which is then accessed by the TV. - DNS Spoofing/Poisoning
attackers are manipulating DNS servers in order to make the URLs within the DVB stream resolve to servers with their content. - Content Spoofing
since none of the observed stations is using a SSL secured connections, attackers can perform man-in-the-middle attacks and replace the original content by their content. Even if SSL was in use, not all TVs would prevent the user from accessing the content. - Watering Hole Attacks
attackers can compromise the original source of the delivered content in order to replace the original content with their content. In the process of scanning some of the station’s servers, poorly configured servers using outdated software versions were identified.
Once attackers managed to redirect the HTTP requests of the TV to controlled sources, many different HTML-/Javascript-based attacks become possible:
Fake News Tickers
Especially news stations are using inserts in the lower third of the screen in order to display news headlines and stock tickers. Similar to the partly transparent page used to deliver the red button hint, attackers can use a partly transparent page to overlay the actual news ticker with an equally looking fake news ticker featuring misinformation. (Credits to Roger Klose)
Bitcoin Mining
Exemplarily for abusing foreign CPU power, attackers could use the TVs of many people for Bitcoin mining using the Javascript-based BitcoinPlus miner for websites. (Credits to Matthias Zeitler)
Arbitrary Video Display
The DAE’s capabilty to stream video from any location on the Internet might coin a new term: Now attackers could not only 0wn or p0wn your Smart TV, now they can also pr0wn it. (by streaming rouge content)
OIPF Objects
As defined in the OIPF standard, certain Javascript objects are provided within the DAE. These objects allow Javascript programs to access device specific information such as channel lists, recording capabilities, parental control settings and probably personal information such as the user’s favorite channel list (on my SAMSUNG TV, only very few information was accessible through Javascript within the DAE).
Using the TV to attack further components in user LAN
Since the well-known Javascript object XmlHttpRequest is available within the DAE, not only the TV is the target of possible attacks but also other networked devices in the user’s home network.
Using a timing-based approach, attackers are able to scan the user’s home network from the TV for other devices that are behind the user’s firewall and would not directly be visible from the internet. This could be used for user profiling and for finding further attack targets.
The next step for the attackers could be the reconfiguration of components in the local area network in order to facilitate further attacks via different vectors. For example the home router – which in many cases has no password protection when accessed from the LAN – could be reconfigured by the attacker to have no protection against attacks from the internet.
In order to gain personal information, attackers could access well-known services like UPnP or http in the user’s network via the connected TV. For example IP cameras or printers could be compromised using this technique.
Also using the XmlHttpRequest object, attackers can transfer all of the gained information to arbitrary Internet drop-zones, which would also expose the victim’s IP address.
As a lot of these attacks have been publicized in the context of browser hacking, there is a lot of available code on the Internet that might be used for also compromising Smart TVs.
Possible Mitigation
The software of currently available HbbTV devices lacks the possibility to configure security settings as this might be done in decent browsers. At the moment, the TV user has to trust the entertainment provider/broadcast station a lot. In order to mitigate the risks described above, the TV manufacturers have to implement mechanisms that allow the user to control the TV’s HbbTV functionality. Allowing users to whitelist trusted channels would solve at least some of the issues. A legislative approach could be to force entertainment providers to embed the red button content in the DSM-CC, so that the Smart TV wouldn’t have to request information from a web server before the red button can be displayed.
Conclusions
As shown before, connecting HbbTV-capable Smart TVs to the home network is dangerous. Possibly malicious content is accessed and executed by the television when a user switches to an HbbTV enabled channel. So-called entertainment providers which provide content via HbbTV can be compromised by attackers or could be providing malicious content themselves that might lead to various attacks which are described in this blog post. Possible measures are mentioned that might help to mitigate the addressed privacy and security issues. Even though these measures cover the majority of the attack scenarios, not all of the risks can be mitigated. Still, the user has no means to tell whether the HbbTV content is authentic or not. Clearly, TV manufacturers seem to lack IT security know-how and have to learn from other industries in order to succeed.
This blog post is an effort to draw attention to this issue. The described attack scenarios are examples that help to show the severity of this topic. IMHO, it is just a matter of time before the attacks are spotted in the wild. At the time of writing, a few broadcast channels are already using IP geolocation services to target banner-like on-screen inserts. In this early stage of adoption, HbbTV is used by broadcast stations in many creative ways that might not only put the privacy of the users at stake but also raises security issues.
Press articles covering this article:
http://www.scmagazine.com.au/News/345632,hbbtv-holes-make-tellys-hackable.aspx
http://www.xakep.ru/post/60743/
http://www.theregister.co.uk/2013/06/06/smart_tvs_riddled_with_dumb_security_holes/
http://business.chip.de/news/Smart-TV-Uni-Forscher-hackt-sich-in-die-Kanaele_62389705.html
http://www.net-security.org/secworld.php?id=15014/
http://www.broadbandtvnews.de/2013/06/07/it-spezialist-demontiert-smarttv-sicherheit/
http://www.infosecurity-magazine.com/view/32805/connected-tvs-open-up-a-host-of-threat-vectors/
http://www.spiegel.de/netzwelt/netzpolitik/hbbtv-sicherheitsluecke-in-smart-tvs-entdeckt-a-904086.html
Martin Herfurt's Blog 
[…] See on mherfurt.wordpress.com […]
[…] post describing the attacks, here, credits TU Darmstadt for demonstrating that MAC addresses and packet lengths sniffed from the […]
[…] 6th June 2013: Well, there you go. “Smart” Televisions: the security swiss cheese that keeps on […]
[…] In a recent blog post, Professor Martin Herfurt demonstrates a number of easy remote attacks that can be performed on Samsung Hybrid Broadcast Broadband TVS, or HbbTVs, including such things as fake analytics, fake news tickers, Wi-Fi eavesdropping, content redirection, Bitcoin mining and others. […]
[…] from Java exploits to Bitcoin mining to being completely hijacked, according to security researcher Martin Herfurt, who recently bought a smart TV and decided to take a look at the security situation. The […]
[…] hat in seinem Blog-Bericht alle Daten, die sein SmartTV ins Netzwerk übermittelt in einem Logfile veröffentlicht. Die Files […]
[…] Security concerns with HbbTV […]
[…] Here is a list of all possible attacks studied by the researcher: […]
[…] He writes at his blog: […]
[…] to be vulnerable to attack back in 2010, but now Nruns researcher Martin Herfurt has published a blog on flaws with Hybrid Broadcast Broadband TV. In particular, Herfurt, who might be best known for […]
[…] post describing the attacks, here, credits TU Darmstadt for demonstrating that MAC addresses and packet lengths sniffed from the […]
[…] información | mherfurt | […]
[…] to test out the device’s security, and the results aren’t particularly impressive: in a blog post (via InfoSecurity), Herfurt notes that TV makers have little to no security understanding, because […]
[…] test out the device’s security, and the results aren’t particularly impressive: in a blog post (via InfoSecurity), Herfurt notes that TV makers have little to no security understanding, […]
[…] from Java exploits to Bitcoin mining to being completely hijacked, according to security researcher Martin Herfurt, who recently bought a smart TV and decided to take a look at the security situation. The […]
[…] Problemas de seguridad de unos nuevos smart tvs. Los primeros de muchos! […]
Hello, i think thuat i saw yoou visited my website so
i came to “return thе favor”.I’m attempting tο find things to improve my web site!ӏ
suppose its ok tο uѕе a few of your ideas!!
[…] camera feels a little creepy. The same sort of creepy loved by “Smart” TV manufacturers (Samsung and LG, I’m looking at you, because you’re probably looking at me, […]
[…] teoretiska möjligheten att cyberattackera HbbTV är känd sedan länge och i december i fjol demonstrerade forskarna attacken för HbbTV-standardgruppen, som inte ansåg […]
[…] language to more clearly illustrate what it’s doing, the fact that smart TV security is relatively awful has many people quite justly concerned about smart TVs becoming another poorly-guarded repository […]
[…] language to more clearly illustrate what it’s doing, the fact that smart TV security is relatively awful has many people quite justly concerned about smart TVs becoming another poorly-guarded repository […]
[…] — if a thought at all. It doesn’t matter if we’re talking about Smart TVs with trivial to non-existent security or easily hacked smart car tech, companies are showing again and again that privacy and security […]
[…] — if a thought at all. It doesn’t matter if we’re talking about Smart TVs with trivial to non-existent security or easily hacked smart car tech, companies are showing again and again that privacy and security […]
[…] che fossero delle casseforti, ma neanche dei colabrodi di tale portata. Lo studio completo è disponibile qui e inizia con la parte più facile e ovvia: spiare le abitudini del vicino di […]
[…] In options, you can also disable HbbTV tracking and HbbTV cookies if you do not want to share information with the service provider. The good news is that even with all options, all aspects of the service normally work, at least at this time. More information on security aspects can be found on this blog . […]
[…] Your TV as a Beachhead […]
[…] HbbTV-capable Smart TVs to the home network is dangerous,” Herfurt blogged. “Clearly, TV manufacturers seem to lack IT security know-how and have to learn from other […]