About 90% of smart TVs vulnerable to remote hacking

Happy Tuesday! Also, your TV is vulnerable as shit, apparently. We’ve known for some time that a lot of connected products like IoT devices are susceptible to outside attacks, but I never quite thought smart TVs would make that list in such a big way. Here is Catalin Cimpanu from Bleeping Computer:

 Scheel says that about 90% of the TVs sold in the last years are potential victims of similar attacks, highlighting a major flaw in the infrastructure surrounding smart TVs all over the globe.

At the center of Scheel’s attack is Hybrid Broadcast Broadband TV (HbbTV), an industry standard supported by most cable providers and smart TV makers that harmonizes classic broadcast, IPTV, and broadband delivery systems. TV transmission signal technologies like DVB-T, DVB-C, or IPTV all support HbbTV.

Scheel says that anyone can set up a custom DVB-T transmitter with equipment priced between $50-$150, and start broadcasting a DVB-T signal.

By design, any nearby TV will connect to the stronger signal. Since cable providers send their signals from tens or hundreds of miles away, attacks using rogue DVB-T signals could be mounted on nearby houses, a neighborhood, or small city. Furthermore, an attack could be carried out by mounting the DVB-T transmitter on a drone, targeting a specific room in a building, or flying over an entire city. 

The fact that the price of entry into creating such a device is so inexpensive shouldn’t be all that surprising. Cliche as it is, all it really takes to “hack” something is often just a computer. In this case it takes a bit more, since a device has to be built to transmit the signal, but all in all it’s an inexpensive hack. So once built, what can the hack do? A lot, it seems.

 According to Scheel, the problem is that the HbbTV standard, carried by DVB-T signals and supported by all smart TVs, allows the sending of commands that tell smart TVs to access and load a website in the background.

Knowing this, Scheel developed two exploits he hosted on his own website, which when loaded in the TV’s built-in browser would execute malicious code, gain root access, and effectively take over the device. 

While I’m not big into the tinfoil hat scene where I don’t use public Wi-Fi at Starbucks in case there’s somebody sitting in the shadowy corner with a hoodie on, attempting to steal my info, I take privacy quite seriously and it’s a shame to see products like our TVs so vulnerable. Add on top of that the new US government, which is basically stripping away all the privacy laws ISPs had to adhere to, and the distant future doesn’t start to look so good. Now don’t take this as me suggesting you shut down the Wi-Fi connected to your TV, but this is also something to consider the next time an app asks for permission to access your account and, in turn, gain access to a host of information.