Posted by Kevin on June 9, 2014.
It might not be so smart to have a smart TV. Researchers at Columbia University have described a methodology by which attackers can take over, manipulate and infect other connected devices both remotely and undetectably.
This capability can be leveraged to perform “traditional” attack activities: perform clickfraud, insert comment or voting spam, conduct reconnaissance (within each home network or against a remote target), launch local or remote denial of service attacks, and compromise other devices within the home network or even elsewhere. Beyond these, the attacker can also control the content displayed on the TV, to craft phishing and other social engineering attacks that would be extremely convincing, especially for TV viewers who are educated to (and have no reason not to) trust their screens. Finally, the attacker can use the broadcast medium to effectively distribute exploits that completely take over the TV set’s hardware.
From the Aether to the Ethernet – Attacking the Internet using Broadcast Digital Television
Most software companies – such as Microsoft – would describe this as a ‘critical’ vulnerability since it can be exploited remotely and without any user interaction (beyond turning on the smart TV set). The vulnerability lies in the Hybrid Broadcast-Broadband Television (HbbTV) standard which is used for Smart TVs throughout Europe and now increasingly in the US. Alarmingly, however, when the researchers responsibly disclosed the flaw to the standards body back in December 2013, it was dismissed as being insufficiently severe and too costly to be used by attackers. Typical, would be the response from many security researchers.
But Yossef Oren and Angelos D. Keromytis from Columbia University have now published their research to demonstrate that the standards body is just plain wrong. “The attacks were crafted using low-cost hardware devices using opensource software, and they are extremely easy to replicate,” say the researchers. In a dense urban area, an attacker with a budget of about $450 can target more than 20,000 devices in a single attack, they claim. It is all possible because HbbTV’s security is primarily about protecting the DRM content for the rights owner, with little other concern for security. “None of the attacks described in this work are restricted in any way by HbbTV’s security mechanisms.”
The problem is that HbbTV breaks the basic ‘same origin’ principle of internet security. “The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number – to access each other’s DOM with no specific restrictions, but prevents access to DOM on different sites.” – Wikipedia. It’s what prevents the content from one source subverting the content from another source. But HbbTV doesn’t enforce this – it allows HTML code to be injected into the broadcast stream without interference.
The security implications of this design decision are staggering. Allowing the broadcast provider control over the purported origin of the embedded web content effectively lets a malicious broadcaster inject any script of his choice into any website of his choice.
This is the basis of the attack. The attacker simply injects a malicious application complete with malicious code into the broadcast stream. The effect is untraceable and unstoppable – and the attacks described in the paper include DDoS, unauthenticated request forgery, authenticated request forgery, intranet request forgery, phishing/social engineering, and exploit distribution.
The attacks described in this paper are of high significance, not only because of the very large amount of devices which are vulnerable to them, but because they exemplify the complexity of securing systems-of-systems which combine both Internet and non-Internet interfaces.
It is yet another warning on the rapidly evolving and changing threat landscape that comes with the internet of things. And if other developers take the same blind-eye approach to responsible disclosure, we are in for a torrid time.Submitted in: News, News_hacks |