from the not-even-couch-potatoes-are-safe dept.
A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users.
The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks.
Until now, all smart TV exploits relied on attackers having physical access to the device, in order to plug in a USB that executes malicious code. Other attacks relied on social engineering, meaning attackers had to trick users into installing a malicious app on their TV.
Even the mighty CIA developed a hacking tool named "Weeping Angel," which could take over Samsung smart TVs and turn them into spying devices. But despite its considerable human and financial resources, the CIA and its operators needed physical access to install Weeping Angel, which made it less likely to be used in mass attacks, and was only feasible if deployed on one target at a time, during carefully-planned operations.
Because of the many constraints that come with physical and social engineering attacks, Scheel didn't consider any of them as truly dangerous, and decided to create his own.
Source: BleepingComputer
Related Stories
Apple fans, Android world scramble to patch Broadcom's nasty drive-by Wi-Fi security hole
Grab firmware updates ASAP
https://www.theregister.co.uk/2017/04/05/broadcom_wifi_chip_bugs/
-- submitted from IRC
More Detail about Broadcom Wi-Fi Security Problem
A Broadcom chip that handles WiFi connections has serious over-the-air security flaws that make it possible to take over the chip wirelessly. This affects LG/Google Nexus 5, 6, 6P, most Samsung flagship devices, all iPhone 4 and later, newer iPods and iPads.
The wireless system-on-chip (SoC) firmware can, with carefully crafted wireless frames using abnormal values in the metadata, be tricked into overrunning its stack buffers. This, in combination with the frequent timer firings, makes it possible to gradually overwrite specific chunks of system-on-chip RAM until arbitrary code is executed. Details of the security flaw are described here.
Broadcom's hidden source code implementation is found to lag behind in modern security. Specifically, it lacks countermeasures like stack cookies, safe unlinking and access permission protection, neglecting the security features in the ARM Cortex R4 microcontroller. And once the system-on-chip is controlled, escalation into the primary CPU can be attempted.
It seems the security flaw stems from the implementation of "Tunneled Direct Link Setup" (TDLS) or 802.11z, a seamless way to stream data directly between devices already on the same Wi-Fi network.
Lesson: Broadcom sucks, closed source sucks and new features may be just that and then some..
Kind of reminds me of the DVB over-the-air TV exploit. There sure are more wireless chips with clueless security.
(Score: 1, Funny) by Anonymous Coward on Thursday March 30 2017, @08:59PM (2 children)
Don't blink. Blink and you're dead. They are fast. Faster than you can believe. Don't turn your back. Don't look away. And don't blink. Good Luck.
(Score: 1) by DmT on Thursday March 30 2017, @09:09PM
Who? The CIA or enemies of the doctor?:)
(Score: 3, Funny) by maxwell demon on Thursday March 30 2017, @09:48PM
So that's the true reason why Mozilla disabled the blink tag!
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2, Insightful) by Anonymous Coward on Thursday March 30 2017, @09:01PM (11 children)
I long for the days when systems of any sort were not integrated messes of somebody else's poor design, but rather cobbled together through independent, discrete, replaceable components. THAT is how computing should be.
Now, you've got to stuff your life into some corporate bean-counter's Vogonic view of reality.
I hate you all. ALL OF YOU!!!!111
(Score: 4, Interesting) by bob_super on Thursday March 30 2017, @09:06PM (9 children)
They also had a real on/off switch, which was impossible to bypass remotely.
We can't have those anymore, because people can't wait 1 minute for the system to boot the excessively complex software stack...
I plug a lot of my stuff in extension cords with power switches, to reduce "off not off" power drain. That makes my toys pretty poor participants into botnets.
(Score: 4, Informative) by LoRdTAW on Thursday March 30 2017, @09:39PM (6 children)
Many have the option to disable the standby mode. My dumb Sony TV takes about 15 seconds to boot and my old dumb Westinghouse takes about 10 with standby turned off. Though, they still have a slight parasitic power draw at idle of a few watts. This is because the power supply is still on and supplying the circuitry for listening for the buttons/remote (I'm sure you knew that, just pointing it out for others).
Using my little kill-a-watt the older Westinghouse burned an inconceivable 16 watts at idle and my Sony less than 10 (I forget exactly). I would be paying a little over $2/month just to let my TV turn on in two seconds instead of 10. Completely absurd. At idle it still sucks down about two watts which, like you, I tame with a power strip. Now a home with three or four TVs, various appliances with clocks and electronics always ticking, phone chargers, I can see people throwing away $20+ per month on electric.
(Score: 2) by maxwell demon on Thursday March 30 2017, @09:53PM (4 children)
A true off switch has no circuitry that needs to be powered. That "listening to remote" mode formerly was called "standby" (and I continue to call it that, no matter how hard the industry tries to convince me that it is "off"). A true off switch physically cuts the power, and can only be operated mechanically.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Scruffy Beard 2 on Thursday March 30 2017, @10:01PM (3 children)
The old TVs also had tube heaters to let the tube come up faster. Without them, you are waiting like 10 minutes for full brightness (or maybe that is just for failing second-hand TVs).
(Score: 2) by maxwell demon on Thursday March 30 2017, @10:12PM (2 children)
Well, I've had experience with an old B/W TV with tubes from the early 70s (which for a while I used for my computer so I wouldn't block the family colour TV). While it took its time to switch on, it certainly wasn't anywhere near ten minutes (I plugged it in only for use, so there's no way it could have pre-heated the tubes).
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by urza9814 on Friday March 31 2017, @06:20PM (1 child)
Probably a matter of build quality and cheap components. Ten minutes actually sounded a bit conservative to me, as I've seen more than one late 90s Sony CRT where you could almost watch (well, *hear*) a full 30 minute program before the picture reached full brightness! Although I definitely used some far older sets that didn't have that issue too. Probably because you could get a lifetime warranty on a TV in the 70s, but by the late 90s they were practically disposable...
(Score: 1) by toddestan on Saturday April 01 2017, @04:59AM
A modern CRT in good working order should be at full brightness in 15-30 seconds or so. Older TVs (those that have tubes besides the CRT itself) could take a couple of minutes which is why some of them had the "tube warmer" to reduce the power-on time to a few seconds, with the cost of the constant energy draw by the tube warmer. Though my guess is the tube warmers also reduced some of the thermal stress on the components which may have lengthened the life of the TV, which back then was a significant investment, so perhaps the cost isn't as bad as it might seem at first glance.
I remember those Sony TVs like you describe. I forgot the exact details as it's been a while, but you could restore them to working order by soldering in some new resistors on the circuit board attached to the neck of the CRT. It was more of a band-aid as the issue was a bit more complicated than that and the TV would eventually get wonky again, but the fix could potentially last a while and some of the TVs I fixed that way were still doing fine all the way up to when their owners decided to replace them with an LCD.
(Score: 2) by mcgrew on Friday March 31 2017, @05:57PM
I'm old enough to remember when every TV took a full minute to come on, because it took that long for the "picture tube" (as well as the other tubes) to warm up. So I'm in no hurry.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by fido_dogstoyevsky on Thursday March 30 2017, @10:29PM
> ...people can't wait 1 minute for the system to boot the excessively complex software stack...
I don't know... turn on TV, turn on DVD player, go make a cup of coffee and sit down - TV booted up, prefilm dross that you paid for on the DVD finished, watch movie (unless you've got a customised DVD without the crap - in which case you still need to make the coffee).
Or vote with your wallet, and refuse to buy a "smart" TV (and an encumbered DVD) - even if it means going without.
It's NOT a conspiracy... it's a plot.
(Score: 2) by mcgrew on Friday March 31 2017, @05:32PM
A TV without a wifi password or ethernet cable isn't easy to use in a botnet, either. I won't give my TV my wifi password, and make sure I shut off all my computers before watching Hulu or Netflix on it. I suppose the attacker could give it access to its own hotspot, but they'd have to be parked in my driveway to do it.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2, Interesting) by marknmel on Thursday March 30 2017, @10:39PM
Cobbled together? I think not. This is a system of an intentional design with plans to be abused by the manufacturer and by foreign government actors.
I had the opportunity to purchase smart TVs when I replaced the tubes a few years ago. My friends thought I was foolish for buying "last year's models". I figured I would make my dumb TVs smart by adding my own Ethernet connected box, sans microphone and camera.
Clearly these shenanigans were foreseen.
There is nothing that can't be solved with one more layer of indirection.
(Score: 1, Insightful) by Anonymous Coward on Thursday March 30 2017, @09:21PM
... are dumb. Now if only it wasn't impossible to find new dumb televisions these days...
(Score: 2) by NotSanguine on Thursday March 30 2017, @09:38PM (23 children)
And given that I don't use the networking capabilities of the device (I bought it because it was inexpensive, not for its prodigious -- it's a Vizio -- spying capabilities), I block its access to the internet.
It works quite nicely, displaying the HDMI video signals I send to it.
It has no other purpose, so I don't give it any additional access.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Thursday March 30 2017, @09:43PM (16 children)
If you don't use its networking capabilities, why connect it to a network at all?
(Score: 2) by NotSanguine on Thursday March 30 2017, @10:14PM (15 children)
Why I (or anyone else) do anything, is a great question. One that's intrigued humanity since before the dawn of recorded history.
For example, I have no idea why you bothered to post that drivel at all. Your "question" didn't really add to the discussion, nor did it elucidate anything.
Perhaps you'll share with us? You may help to answer an ages-old question, friend. Do you even know?
Beyond that, where did I say I connected it to a network? I said I blocked its access to the Internet.
Granted, there are a variety of ways to do so. The best is not to connect it to a network at all. Although it is fun to run port scans and various exploits against any new toy.
Actually, when I first got it, I did connect it to my network. Since I'd never used one of those fancy talking picture boxes before, I even tested some of the network functionality, as I'm interested in all kinds of newfangled gizmos.
Then I monitored the traffic coming out of it to see what sort of crap was emanating from it. And there was a bunch of crap emanating from it, too.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by takyon on Thursday March 30 2017, @10:23PM (14 children)
At least, that's what your TV, router, ISP, CIA, and NSA would have you believe.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by NotSanguine on Thursday March 30 2017, @10:32PM (13 children)
> I said I blocked its access to the Internet.
> At least, that's what your TV, router, ISP, CIA, and NSA would have you believe.
No route, no traffic. RFC 791 [ietf.org] is my friend.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by maxwell demon on Thursday March 30 2017, @10:35PM (11 children)
Which raises the question how you know there's no route.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by NotSanguine on Thursday March 30 2017, @10:47PM (10 children)
Given that I built this network myself, including the routers and firewalls and a variety of monitoring tools, along with 25 years of professional experience building and securing networks, I have a pretty good idea as to what traffic can and cannot do.
If you're really that interested in how my network is configured, feel free to hack it. Or at least try to do so. Good luck with that.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by maxwell demon on Thursday March 30 2017, @11:04PM (9 children)
Who says that the route goes through your network?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by NotSanguine on Thursday March 30 2017, @11:25PM (8 children)
And so tell me, oh wise one. Is the disabled wireless on the smart tv hacking my neighbors' wifi now?
Or is it invisible gnomes sneaking in to my house and connecting invisible cat 5 cables?
Or perhaps the MIB are busting down the door and then zapping me with their forget-what-just-happened rays?
Since you clearly have no idea what you're blathering on about, please do continue. If I didn't despise popcorn, I'd make some.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by takyon on Thursday March 30 2017, @11:26PM (1 child)
Your smart TV - it has cell service! All you have to do is give it electricity and you're already compromised!
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by kaszz on Thursday March 30 2017, @11:31PM
Better cover the TV in insect net of metal. Or one has to open it..
(Score: 3, Informative) by maxwell demon on Friday March 31 2017, @06:07AM (3 children)
So how is your phone keeping connection when you're not at home (and possibly even if you are)? Does it hack into WiFis you pass by? Are invisible gnomes connecting cables to it? Do MiB constantly follow you?
No, it has a small integrated antenna that keeps contact with the closest cell tower. Unless you've opened your TV and thoroughly checked, or actively searched for emissions of your TV for a prolonged time, or you put your TV in a Faraday cage, or you're in one of those rare spots where absolutely no cell service is available, you cannot be sure that there's no connection.
Not to mention that if you'd be targeted directly, there may be other ways to use the normal TV hardware to generate signals that can be received from a receiver placed near your house. As this article shows, all they need is to send you specially prepared TV signals.
And no, it is not that likely that you personally are a target (at least as far as I can tell; I don't know you, so maybe you're actually a prime target for some reason). But the probability is high that someone somewhere is targeted in exactly that way. It's as with the lottery: For each individual the probability of winning is extremely small. Yet in most weeks someone wins the lottery.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by NotSanguine on Friday March 31 2017, @12:05PM (2 children)
> And no, it is not that likely that you personally are a target (at least as far as I can tell; I don't know you, so maybe you're actually a prime target for some reason). But the probability is high that someone somewhere is targeted in exactly that way. It's as with the lottery: For each individual the probability of winning is extremely small. Yet in most weeks someone wins the lottery.
You're generalizing from my specific use case. However, I was being quite specific.
I don't care about anyone else being targeted, unless they're paying me to secure their environments. Which I've done many times. Perhaps I could help you? Although, given your bad attitude, I would likely triple my hourly rate and mark up expenses at least 500% just for you. Let me know if you'd like to engage my services, friend.
And by the way, there are a variety of tools which allow one to quite easily identify both Wifi and cellular signals. Which I use with some regularity. How often do you do so?
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 3, Interesting) by Hyperturtle on Friday March 31 2017, @04:51PM (1 child)
I think he is being difficult to prove a point to others, not to irritate you
The point is, many people think they need only turn a feature off; much of the thread covered how the tvs and appliances nowadays are in a standby and not off mode, despite marketing calling standby modes a mode when the appliance is off.
He appears to be saying that to the common person, be certain it is doing as you expressed intent for it to do (not rat you out) because it may do what the marketing says on the tin it will do (no config no talking!) but that may not be what you (the general consumer) actually intended.
A good example is that android OSes, such as those on smart tvs, will still talk to 8.8.8.8 and 8.8.4.4 to report dns queries even if a specifically chosen alternate DNS is provided via static IP or dhcp assignment. It will go to your chosen DNS server IP -- but also report to google anyway even if it isn't intending to get a query response from those IPs--it's intending to report the query.
Not having a gateway will prevent that, or having a route further upstream to black hole it, or an access list, etc. But a non-administrative controllable connection will defeat IoT fencing.
And, to his point, a device like a cell phone has no such precaution available since administrative control of the network protocol on the ISP side is not easily managed by the consumer, nor filtered by the expert. It's like trying to block a cable modem from looking at what you let through your firewall to it--once it is vendor managed, it is no longer consumer configurable except for appearances, if even that much is permissible.
Anyway, the last time I posted about this, a few people laughed at my tl;dr and that it wasn't feasible for this to happen; now there is an article on the front page. At least the discussion now is the right way to do it rather than denounce it as a liberal plot to deny capitalists their rightful income because of some paranoid lunatic with nothing better to do than fear advertising.
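The two defensive points in the post above, watching for devices that query resolvers you never gave them and fencing the IoT segment with an access list, can be checked mechanically. The following is an added example, not code from anyone in this thread: it parses a constructed flow log (the key=value format, the hosts and the 192.168.10.0/24 addresses are all made up for the example), reports devices that sent DNS or DNS-over-TLS to anything but the LAN resolver, and renders the matching nftables egress rules for a hypothetical IoT interface.

```python
"""Spot LAN devices that talk to DNS servers other than the resolver they were
given (the 8.8.8.8 / 8.8.4.4 behaviour described above) and render the matching
egress access list.

Added example; the flow-log format and every address in it are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed flow log: device .23 queries the LAN resolver but also 8.8.8.8 and
# 8.8.4.4 (plain DNS on 53 and DNS-over-TLS on 853); device .40 behaves.
SAMPLE_FLOWS = """\
ts=2017-03-30T21:00:01 src=192.168.10.23 dst=192.168.10.1 proto=udp dport=53
ts=2017-03-30T21:00:02 src=192.168.10.23 dst=8.8.8.8 proto=udp dport=53
ts=2017-03-30T21:00:02 src=192.168.10.23 dst=8.8.4.4 proto=udp dport=53
ts=2017-03-30T21:00:05 src=192.168.10.23 dst=8.8.8.8 proto=tcp dport=853
ts=2017-03-30T21:00:07 src=192.168.10.40 dst=192.168.10.1 proto=udp dport=53
ts=2017-03-30T21:00:09 src=192.168.10.40 dst=93.184.216.34 proto=tcp dport=443
"""

DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Turn one 'key=value key=value ...' record into a dict (dport as int)."""
    fields = dict(FIELD_RE.findall(line))
    fields["dport"] = int(fields["dport"])
    return fields


def find_dns_leaks(log_text, allowed_resolvers):
    """Return {src_ip: sorted unexpected resolver IPs} for every flow on a DNS
    port whose destination is not one of allowed_resolvers."""
    allowed = {ipaddress.ip_address(a) for a in allowed_resolvers}
    leaks = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dport"] not in DNS_PORTS:
            continue
        dst = ipaddress.ip_address(flow["dst"])
        if dst not in allowed:
            leaks[flow["src"]].add(str(dst))
    return {src: sorted(dsts) for src, dsts in leaks.items()}


def nft_dns_fence(iot_ifname, resolver_ip):
    """Render an nftables forward-chain fragment that lets the IoT segment reach
    only the LAN resolver on DNS ports and drops every other DNS/DoT attempt.
    The interface name is a hypothetical one chosen for the example."""
    return "\n".join([
        "table inet iot_fence {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f'    iifname "{iot_ifname}" ip daddr {resolver_ip} udp dport 53 accept',
        f'    iifname "{iot_ifname}" ip daddr {resolver_ip} tcp dport 53 accept',
        f'    iifname "{iot_ifname}" udp dport 53 drop',
        f'    iifname "{iot_ifname}" tcp dport {{ 53, 853 }} drop',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for src, dsts in find_dns_leaks(SAMPLE_FLOWS, ["192.168.10.1"]).items():
        print(f"{src} sent DNS to unexpected resolvers: {', '.join(dsts)}")
    print(nft_dns_fence("iot0", "192.168.10.1"))
```

The detection side catches the case the post describes (queries to the configured resolver plus side traffic to Google's resolvers), and port 853 is included because a device that cannot reach 8.8.8.8:53 may try DNS-over-TLS instead. The rendered rules only restrict DNS; a device with its own uplink, the cellular case discussed later in the thread, is outside what any LAN access list can enforce.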
(Score: 2) by NotSanguine on Friday March 31 2017, @06:08PM
Your points are both valid and insightful, turtle. Thank you.
You seem to be reading between the lines quite a bit as far as maxwell_daemon's comments. Perhaps further than is warranted.
As I pointed out, even cellular signals can be easily detected, even if they are not so easily blocked.
I suppose it's possible that some smart tv manufacturers are surreptitiously including cellular transceivers into their products on the off chance that someone will block access via their own networks. That seems rather unlikely, however, since most people will just plug their device in and, through ignorance (willful or otherwise), let the device transmit whatever it wants over their internet connection.
Given that few have the knowledge, skills and presence of mind to even consider how their data may be exfiltrated, I'm not so concerned about large-scale secret back channels being integrated into smart tvs. At least not yet.
Perhaps I'm not sufficiently paranoid. Then again, I haven't detected any cellular transmissions emanating from my smart tv.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by urza9814 on Friday March 31 2017, @07:20PM (1 child)
So how exactly do you get a signal to that nice new TV of yours? Obviously it's not ethernet or wifi as you've said...is there cable or satellite service connected? Because as shown in TFA, that can be used to get the data through your network.
Maybe you're using HDMI? Well, they can use that to hack into your network:
http://www.ehacking.net/2016/07/exploring-vulnerabilities-in-hdmi.html [ehacking.net]
So maybe you use DVI? I've found rumors of possible exploits through HDCP code. Can't find any proof at the moment, but there's a data channel there so an attacker with sufficient resources could make it work.
https://security.stackexchange.com/questions/19007/vga-hdmi-based-attack [stackexchange.com]
Perhaps go all the way back to VGA? There's no known exploits that I can find, but there IS still an I2C bus that can certainly be used to transmit and receive arbitrary data, so it's possible in theory:
http://hackaday.com/2014/06/18/i2c-from-your-vga-port/ [hackaday.com]
Maybe your PC isn't listening to any of those channels...or maybe that's what the binary blob firmware is telling you at least. If you're truly paranoid, you'd better connect that TV via RCA jacks only...
(Score: 2) by NotSanguine on Friday March 31 2017, @08:01PM
Yes, there are security risks associated with just about every technology.
Given the petabytes of extremely sensitive data I store in my home, I put a faraday cage around my town.
What's more, my property is patrolled by M1 tanks and riddled with anti-personnel mines [wikipedia.org].
Just in case, my air-gapped toaster has an extra air gap.
In an attempt to dispel any negative impact to victims of Poe's law, the above is snark.
Nobody except me cares what data I have. A determined hacker with a big enough beef against me (what that might be, I have no idea) could gain physical access to my home and do all kinds of nasty things. Given the actual physical barriers to that, it would be difficult, however.
State level actors (again, why they might target me I have no idea) have numerous other means to gain information about me, and don't really need to bug my house.
Script kiddies are pretty well handled already, IMHO.
And if any of the above really wants to gain access to my data, social engineering would be the best bet for success.
As for the TV, I don't want Vizio collecting data about my viewing habits, so I keep them from obtaining any information -- the steps I took to do so have pretty much immunized me from the hack discussed in TFA.
And if you're so concerned about it, go live completely off the grid. Don't forget to encrypt any letters you might send, and never, ever talk on a telephone! They're listening! What's more, those batteries you bought may be emitting low-level EM radiation to exfiltrate your precious data. So it's best not to use electricity at all. Let's be careful out there!
In the meantime, I'll go on with my life.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by kaszz on Thursday March 30 2017, @11:29PM
There's always the neighbor WiFi, RF energy modulation backchannel, IR sensor, microphone modem over ultrasonic etc.
(Score: 4, Interesting) by Scruffy Beard 2 on Thursday March 30 2017, @10:05PM (1 child)
Careful: HDMI 1.4 [hdmi.org] includes an Ethernet connection. Presumably because nobody wants to bother hooking their console, TV, Blu-Ray Player, etc all to the network separately. But for some reason all of those devices need updates in the field.
(Score: 2) by kaszz on Thursday March 30 2017, @11:22PM
Cut pin 14 in the HDMI connector?
If audio return is a problem rewire it to a converter box, ie HDMI-to-Toslink etc.
This perhaps also means that otherwise the audio amplifier could be infected by the TV via HDMI, and the TV via the game console which is networked..
(Score: 2) by mcgrew on Friday March 31 2017, @05:44PM (3 children)
RTFS, it can hack your TV through your antenna or cable or satellite.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by NotSanguine on Friday March 31 2017, @06:23PM (2 children)
> RTFS, it can hack your TV through your antenna or cable or satellite.
RTFA [bleepingcomputer.com], the exploit requires internet access to complete. No internet access, no download of malicious code:
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by mcgrew on Saturday April 01 2017, @04:49PM
I think you need to read it again. Like I said elsewhere, even though I won't put my TV on the internet, someone parked in my driveway could infect the TV via antenna and supply its own wifi hotspot to furnish the web page. Once in, he could drive away and I'd be none the wiser.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by kaszz on Wednesday April 05 2017, @02:16PM
If the firmware can be exploited via the DVB interface, one might as well write an exploit that exfiltrates using all kinds of non-standard means.
The basic problem is that DVB data is assumed to be friendly..
(Score: 2) by KilroySmith on Thursday March 30 2017, @09:43PM (5 children)
I bought a TV this winter which was unfortunately a "Smart" TV. Not trusting it, I never connected it to the internet or gave it my WiFi password, thinking this would keep it offline.
With this hack, the TV can be hacked anyway, and has nothing to do all day other than sit there and hack at my WiFi password to try to get Internet access.
If I were a high-value target, my TV could set up an adhoc WiFi connection to any WiFi device it could hear, or set itself up as a WAP. Now the attacker only has to be within a half-mile or so, with a high-gain antenna, to use the TV as a spy device.
I hate technology. Bummer of a career choice I made.
(Score: 2) by Unixnut on Thursday March 30 2017, @11:16PM (2 children)
> Now the attacker only has to be within a half-mile or so, with a high-gain antenna, to use the TV as a spy device.
Half mile at worst. Back when the homebrew "Community wifi" networks were all the rage (always on internet was slow, and very rare), we could get reliable 11mbit/s links across 4km using home built biquad antennas. If we used re-purposed old satellite dishes we could do a good 10km.
If we only used a single biquad, and we had to go through your walls to get to the TV, it might limit us to 1-1.5km. With fancier setups we could probably do better.
I believe the record stood at 120km done by a university team, but they used off the shelf signal amplifiers as well.
So yes, an issue, not to mention that if they compromised multiple TVs within that half a mile, they could essentially build a mesh network, and have multi-hops to get to your TV. In fact in urban areas you could build an entire mesh of compromised smart TVs, and then just siphon off what you want from where.
(Score: 2) by kaszz on Thursday March 30 2017, @11:26PM (1 child)
Once the TV is had it may perhaps contact the dishwasher for extra water filling on the floor and defrost the fridge.
(Score: 1, Funny) by Anonymous Coward on Friday March 31 2017, @12:57AM
Display a video feed from the microwave?
(Score: 2, Interesting) by anotherblackhat on Thursday March 30 2017, @11:26PM (1 child)
The hack as stated requires that the "smart" tv have access to the internet (it needs to download the crack)
But I bet it'd be easy enough to supply a wifi access point at the same time as you transmit the hack.
You could even mirror the local wifi node/name but using the easy to WEP encryption.
(Score: 2) by KilroySmith on Friday March 31 2017, @02:40AM
Good point - I'd forgotten that the OTA was just a website link.
(Score: 5, Informative) by kaszz on Thursday March 30 2017, @11:15PM
The exploit requires essentially only a DVB-T transmitter for circa 50-150 US$. Start the exploit server on the internet, wait circa half a minute for the TV to start the services needed for the exploit to work, then broadcast the signal for circa a minute. Done!
The DVB video signal contains HbbTV [wikipedia.org] data which is meant to provide an interactive multimedia experience over the air. Thus a payload inside the DVB stream will then activate a function called "red button" that accesses a website prepared with an exploit.
The http website that is accessed contains the exploit, which uses a memory bug "Array.prototype.sort() Webkit (Apple) sort JSArray::sort(...) in array_sort.cpp" that tricks the system into using free() on non-free objects and leaves the user able to play with that data later. From there a root shell is generated on the TV, which seems to run BusyBox [wikipedia.org].
Factory reset won't remove the exploit which offers juicy devices like microphone, camera, wireless network, wired network, private data etc to be used.
The suggested mitigation is to use certificates to authenticate the sender. Create a list of valid sites. And most of all distrust all incoming DVB data (don't forget HDMI 1.4 with builtin Ethernet..).
All this is mentioned [bleepingcomputer.com] in the presentation "Smart TV Hacking [youtube.com] (Oneconsult Talk at EBU Media Cyber Security Seminar)"
Some stop times in the video:
14:41 examples of standard TV connectors.
At 32:36-36:53 a standard http access exploit to root on a TV is shown.
A simple DVB-T over-the-air attack that shows a text overlay over the picture is shown at 43:11-44:04.
At 45:41 credit is given to researchers at Columbia University who warned of the security weakness; however, no demonstration exploit was presented, and no reaction was had.
46:40-58:10 an in-depth explanation of the exploit (sort function).
*Actual demonstration* of the exploit sent over the air using DVB-T to get a root shell is shown at 1:01:23 - 1:05:27.
Photos of DVB-T drone delivery at 1:10:00 - 1:13:00.
Btw, how hard is it to install, say, some other OS of choice on the builtin computer? Like one of those Berkeley variants. Leaves firmware and chip exploits remaining, however.
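The mitigation kaszz relays above boils down to not trusting what arrives in the DVB stream: authenticate the origin with certificates and keep a list of valid sites before the "red button" URL is ever loaded. The following is an added example of that allowlist step, not code from Oneconsult, any TV vendor or the HbbTV specification; the broadcaster host names and the ALLOWED_HOSTS table are constructed for the example, and the certificate side is left to the TLS stack that would fetch the page afterwards.

```python
"""Allowlist check for the URL that an HbbTV application signalled in the DVB
stream (the "red button" entry) asks the TV to load.

Added example of the "list of valid sites" mitigation; hosts are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: broadcaster domains whose HbbTV apps this TV may launch.
ALLOWED_HOSTS = {"hbbtv.example-broadcaster.test", "apps.example-tv.test"}


def is_allowed_app_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a URL carried in broadcast data.

    Rules: https only (the DVB data itself is unauthenticated, so the TLS
    certificate is the only origin check available), no embedded credentials,
    no IP-literal hosts, and the host must be an allowlisted domain or a
    subdomain of one.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparsable URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        ipaddress.ip_address(host)
        return False, "IP literal host not allowed"
    except ValueError:
        pass  # not an IP literal, continue with the domain checks
    host = host.rstrip(".").lower()
    for allowed in allowed_hosts:
        if host == allowed or host.endswith("." + allowed):
            return True, "host allowlisted"
    return False, "host not on allowlist"


def filter_app_urls(urls, allowed_hosts=ALLOWED_HOSTS):
    """Split a batch of signalled URLs into the ones the TV may load and the
    ones it must ignore, keeping the reason for each rejection."""
    accepted, rejected = [], {}
    for url in urls:
        ok, reason = is_allowed_app_url(url, allowed_hosts)
        if ok:
            accepted.append(url)
        else:
            rejected[url] = reason
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample of URLs as they might be signalled in an AIT.
    sample = [
        "https://hbbtv.example-broadcaster.test/app/index.html",
        "http://hbbtv.example-broadcaster.test/app/index.html",
        "https://hbbtv.example-broadcaster.test.attacker.test/",
        "https://203.0.113.5/redbutton",
    ]
    ok, bad = filter_app_urls(sample)
    print("load:", ok)
    for url, why in bad.items():
        print("ignore:", url, "->", why)
```

The suffix test is done on "." plus the allowlisted name, so a look-alike such as a host that merely begins with an allowlisted name is rejected, and plain-http entries are refused outright, which is the case the demonstration above relied on.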
(Score: 2) by Appalbarry on Friday March 31 2017, @12:10AM (1 child)
At least our Sony "Smart" TV gets a software update at least every six months, a significant improvement on my LG Android "Smart" phone.
The entire OS and interface is still crap, but at least it's up to date crap.
(Score: 2) by mcgrew on Friday March 31 2017, @05:50PM
I bought one [mcgrew.info] last winter, too. Screwed up and bought a Sony after swearing NEVER to buy Sony anything after they hacked (vandalized) my PC over a decade ago with their XCP evilware. Didn't realize what I'd bought until the delivery guys left.
Never shop when you have the flu!
mcgrewbooks.com mcgrew.info nooze.org
(Score: 3, Interesting) by butthurt on Friday March 31 2017, @01:25AM (6 children)
According to Scheel, the problem is that the HbbTV standard, carried by DVB-T signals and supported by all smart TVs, allows the sending of commands that tell smart TVs to access and load a website in the background.
A television broadcast can have millions of viewers. If a command to load a page were embedded, the target site would receive a huge number of requests all at once, a DDOS.
(Score: 1) by tftp on Friday March 31 2017, @04:16AM (2 children)
It's trivial to randomize the attempts in time; there will be no DDOS. Also, the server may issue the second stage hack only to some TVs, not to all of them - the rest will become dormant and invisible, but available for reactivation within a few days, if necessary.
(Score: 2) by butthurt on Friday March 31 2017, @04:56AM (1 child)
I wasn't commenting about the attack, but about the Hybrid Broadcast Broadband TV standard. Perhaps I misconstrued the meaning, but the sentence I quoted seems to imply that it was intended that a legitimate broadcast could command television sets to load a legitimate Web page. That would have the potential to put a great load on the site.
> It's trivial to randomize the attempts in time
Yes, but if the delay caused the page to load during the next programme or the next advert, and the viewer was supposed to interact with it, the interaction might not happen.
(Score: 2, Insightful) by tftp on Friday March 31 2017, @05:13AM
The page may be preloaded during the short break (a.k.a. "content") between ads. Amazon's servers are perfect for such spikes. Ad networks are already pretty robust, I presume, if they survive on major news sites like CNN during significant events. The local TV audience may count in millions, but cnn.com can be hit by a billion users from all over the world.
(Score: 2) by mcgrew on Friday March 31 2017, @05:54PM (2 children)
Interesting, but a local cable company doesn't have enough customers to DDoS a large site. Neither does a broadcast, with a radius of only about 75 miles. CNN won't be sending those signals, your local broadcasters will.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by butthurt on Sunday April 02 2017, @04:38AM (1 child)
Metropolitan Tokyo has a population of around 38 million. I would assume that most could be reached by a single transmitter.
https://en.wikipedia.org/wiki/List_of_metropolitan_areas_by_population [wikipedia.org]
My knowledge of the HbbTV standard is very slight--just what was in the article and a little bit of what was said in the video. Where did you learn that these commands are inserted at each transmitter rather than centrally for a broadcasting network (e.g. the CNN uplink)?
(Score: 2) by mcgrew on Monday April 03 2017, @06:19PM
I don't remember, it's been over a year since I read about it. But a large web site could easily handle that many visitors, especially if they landed on a light site. Some Indian and Chinese cities may have that problem, I don't know.
As to how to target individual TVs, Radio Shack sold low power TV transmitters for years. Very limited range.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 0) by Anonymous Coward on Friday March 31 2017, @11:03AM
There was a Defcon talk about this three or four years ago.