For all the focus on locking down laptops and smartphones, the biggest screen in millions of living rooms remains largely unsecured, even after years of warnings. Smart TVs today can fall prey to any number of hacker tricks—including one still-viable radio attack, stylishly demonstrated by a hovering drone.
At the Defcon hacker conference Sunday, independent security researcher Pedro Cabrera showed off, in a series of hacking proof of concept attacks, how modern TVs—and particularly smart TVs that use the internet-connected HbbTV standard implemented in his native Spain, across Europe, and much of the rest of the world—remain vulnerable to hackers. Those techniques can force TVs to show whatever video a hacker chooses, display phishing messages that ask for the viewer’s passwords, inject keyloggers that capture the user’s remote button presses, and run cryptomining software. All of those attacks stem from the general lack of authentication in TV networks’ communications, even as they’re increasingly integrated with internet services that can allow a hacker to interact with them in far more dangerous ways than in a simpler era of one-way broadcasting.
“The lack of security means we can broadcast with our own equipment anything we want, and any smart TV will accept it,” Cabrera says. “The transmission hasn’t been at all authenticated. So this fake transmission, this channel injection, will be a successful attack.”
In the video below, Cabrera shows the simplest form of that injection, albeit with a somewhat flashy implementation involving a DJI quadcopter drone. By simply hovering a drone equipped with a software-defined radio near a TV antenna, he can transmit a signal that’s more powerful than the one broadcast by legitimate TV networks, overriding the legitimate signal and displaying his own video on the TV. But he says the same attack could be carried out with nothing more than a stronger amplifier on his radio. “If I want to target my neighbor, the easiest way is with an amplifier and a directional antenna, and then for sure my signal will be received much more than strongly than the original one, so my neighbor will get my channel,” says Cabrera. “In this case the attack is just a mater of range and amplifiers.”
A series of other attacks he demonstrated take advantage of HbbTV, or hybrid broadcast broadband TV standard, which allows TVs to connect to the internet and receive interactive content. Cabrera can, with the same radio-based signal override, trick HbbTV smart TVs into connecting to the URL of a web server he controls, so that his own code runs on the targeted television. He says he didn’t test the ATSC standard used in the US, and that unlike HbbTV the US standard don’t send or pull data from URLs, so his attacks wouldn’t work there.
The video below demonstrates a phishing prompt that tricks the user into entering a password.
That sort of TV-based phishing may be even more effective than email phishing, Cabrera argues, given that users have become more wary after years of suspicious emails. “No one expects to have this kind of social engineering attack on their smart TV,” he adds.
Cabrera is hardly the first to show that smart TVs are vulnerable to these sort of attacks. Security researchers have been warning of the vulnerability of the HbbTV standard for more than five years. Two years ago, Rafael Scheel, a security researcher with the firm Oneconsult, showed that attacks against HbbTV sets could be combined with vulnerabilities in Samsung smart TV browsers to gain full remote access to the television sets that persisted even after they were turned on and off again.
In his Defcon talk, Cabrera went so far as to argue that hackers could compromise a TV station or its radio-signal repeater equipment, enabling a malicious signal could be broadcast out to thousands of millions of TVs. “This could have a very huge dimension,” Cabrera says. “You can attack just one TV, your neighbor, for example, but we could also design this attack to cover a whole town, or even a whole country.” Yet he hasn’t tested those attacks; unsurprisingly, the Spanish government denied his request to try them.
The HbbTV Association, which governs that international smart TV standard, didn’t respond to WIRED’s request for comment ahead of his talk.
A fix does exist for the attacks that Cabrera and Scheel have described. Around the time of Scheel’s 2017 talk, the Digital Video Broadcasting industry body created a protocol cryptographically signing transmissions so that attacks like Scheel’s and Cabrera’s would be blocked. But Scheel says he’s not aware of any TV network or TV manufacturer that has implemented it. “I’ve had a lot of discussions with TV stations, and It’s very difficult to get them change anything,” he reports. “They’re very set in their technologies.”
Until they do, millions of HbbTV compatible sets around the world will remain vulnerable to all-too-simple attacks. Channel surf with care.