This hack shows that smart TVs can be easily exploited through rogue TV signals
Smart TVs may actually be not smart, as hackers can easily hijack your smart TVs in your home through over-the-air (OTA) signals and use them as spying tools on end users or for DDoS attacks.
Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, has developed an attack that allows a hacker to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals and gain root access on the smart TV. According to Scheel, this attack is not only unique but also much more dangerous than previous smart TV hacks.
Scheel says that “about 90% of the TVs sold in the last years are potential victims of similar attacks,” emphasizing a major weakness in the infrastructure surrounding smart TVs around the world.
“Once a hacker has control over the TV of an end user, he can harm the user in a variety of ways,” Scheel who publicly demonstrated how TV stream signals could be used to hack smart TVs, told Ars. “Among many others, the TV could be used to attack further devices in the home network or to spy on the user with the TV’s camera and microphone.”
The new hack shows that the attacker does not need to have physical proximity to the smart TV. All that is needed to hack a smart TV is a low-cost transmitter, which the hacker can use to embed malicious commands into a rogue TV signal that can be then transmitted to nearby smart TVs. The technique is known to work against two fully updated TV models made by Samsung. It would also likely work on a much wider range of TVs if the attack is revised to target similar browser bugs found in other web enabled TV sets.
Scheel says that the center of this attack is Hybrid Broadcast Broadband TV (HbbTV), which is supported by several smart TV manufacturers and cable providers. It “harmonizes” classic broadcast, IPTV, and broadband delivery systems. TV transmission signal tools like DVB-T, DVB-C, or IPTV all support HbbTV.
The discovery of attack is tough due to the fact that DVB-T, the transmission method for HbbTV commands, is a uni-directional signal, which means data flows from the attacker to the victim only, says Scheel. As a result, the attacker can only be caught transmitting the signals in real-time.
Also, any backdoor created using this method is almost impossible to remove. In Scheel’s testing, a factory reset of the TV didn’t remove his access to it.
Since, the new hack does not require physical proximity to the device; it is much more advanced than recent one such as the “Weeping Angel“. This hack was revealed by WikiLeaks in March and supposedly developed by the CIA’s Embedded Devices, which could take over Samsung smart TVs and turn them into spying devices.
Check out the video below that includes demonstrations for both DVB-T attacks and proposed mitigations.