
SoylentNews is people

posted by CoolHand on Thursday March 30 2017, @08:49PM
from the not-even-couch-potatoes-are-safe dept.

A new attack on smart TVs allows a malicious actor to take over devices using rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, get root access on the smart TV, and use the device for all sorts of nasty actions, ranging from DDoS attacks to spying on end users.

The attack, developed by Rafael Scheel, a security researcher working for Swiss cyber security consulting company Oneconsult, is unique and much more dangerous than previous smart TV hacks.

Until now, all smart TV exploits relied on attackers having physical access to the device, in order to plug in a USB that executes malicious code. Other attacks relied on social engineering, meaning attackers had to trick users into installing a malicious app on their TV.

Even the mighty CIA developed a hacking tool named "Weeping Angel," which could take over Samsung smart TVs and turn them into spying devices. But despite its considerable human and financial resources, the CIA and its operators needed physical access to install Weeping Angel, which made it less likely to be used in mass attacks, and was only feasible if deployed on one target at a time, during carefully-planned operations.

Because of the many constraints that come with physical and social engineering attacks, Scheel didn't consider any of them as truly dangerous, and decided to create his own.

Source: BleepingComputer


  • (Score: 5, Informative) by kaszz (4211) on Thursday March 30 2017, @11:15PM (#486804)

    The exploit requires essentially only a DVB-T transmitter for circa 50-150 US$. Start the exploit server on the internet, wait circa half a minute for the TV to start the services needed for the exploit to work, then broadcast the signal for circa a minute. Done!

    The DVB video signal contains HbbTV [wikipedia.org] data which is meant to provide an interactive multimedia experience over the air. Thus a payload inside the DVB stream will then activate a function called "red button" that accesses a website prepared with an exploit.

    The http website that is accessed contains the exploit which uses a memory bug "Array.prototype.sort() Webkit (Apple) sort JSArray::sort(...) in array_sort.cpp" that tricks the system into using free() on non-free objects and leaves the user able to play with that data later. From there a root shell is generated on the TV that seems to run BusyBox [wikipedia.org].

    Factory reset won't remove the exploit which offers juicy devices like microphone, camera, wireless network, wired network, private data etc to be used.

    The suggested mitigation is to use certificates to authenticate the sender. Create a list of valid sites. And most of all distrust all incoming DVB data (don't forget HDMI 1.4 with builtin Ethernet..).

    All this is mentioned [bleepingcomputer.com] in the presentation "Smart TV Hacking [youtube.com] (Oneconsult Talk at EBU Media Cyber Security Seminar)"

    Some stop times in the video:
    14:41 examples of standard TV connectors.

    At 32:36-36:53 a standard http access exploit to root on a TV is shown.

    Simple DVB-T over the air attack that shows text overlay over picture is shown 43:11-44:04.

    45:41 credit is given to researchers at Columbia University that warned of the security weakness, however no demonstration exploit was presented. But no reaction was had.

    46:40-58:10 an in-depth explanation of the exploit (sort function).

    *Actual demonstration* of exploit sent over the air using DVB-T to get root shell is shown at 1:01:23 - 1:05:27.

    Photos of DVB-T drone delivery at 1:10:00 - 1:13:00.

    Btw, how hard is it to install, say, some other OS of choice on the builtin computer? Like one of those Berkeley variants. Leaves firmware and chip exploits remaining however.

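The mitigation listed in the comment above (authenticate the sender with certificates, keep a list of valid sites, distrust incoming DVB data) can be sketched as a default-deny gate applied to every application URL a broadcast signals before the TV's browser loads it. This is an added example, not code from the talk, the comment or any TV vendor; `ALLOWED_HOSTS`, the function names and the sample entries are assumptions constructed for illustration, and certificate validation itself is assumed to happen in the TV's TLS stack.

```javascript
// Added example: default-deny gate for application URLs signalled in a broadcast.
// ALLOWED_HOSTS, the function names and SAMPLE_ENTRIES are constructed for illustration.
const ALLOWED_HOSTS = new Set(["hbbtv.broadcaster.example", "apps.tvstation.example"]);

// Decide whether one broadcast-signalled URL may be handed to the TV's browser.
function checkBroadcastAppUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { allow: false, reason: "malformed" };
  }
  let u;
  try {
    u = new URL(raw); // same WHATWG parser a browser uses, so both see the same host
  } catch {
    return { allow: false, reason: "unparseable" };
  }
  // Only HTTPS: the server certificate is what authenticates the sender.
  if (u.protocol !== "https:") return { allow: false, reason: "not-https" };
  // user:pass@host forms can disguise the real host, so refuse them outright.
  if (u.username !== "" || u.password !== "") return { allow: false, reason: "userinfo" };
  if (u.port !== "") return { allow: false, reason: "non-default-port" };
  // Exact match on the parsed, lower-cased hostname; no suffix or substring matching.
  if (!ALLOWED_HOSTS.has(u.hostname)) return { allow: false, reason: "host-not-allowlisted" };
  return { allow: true, reason: "ok" };
}

// Split everything the broadcast signalled into admitted and rejected entries.
// Rejected entries keep their reason so they can be logged for detection.
function admitSignalledApps(entries) {
  const admitted = [];
  const rejected = [];
  for (const entry of entries) {
    const verdict = checkBroadcastAppUrl(entry.url);
    (verdict.allow ? admitted : rejected).push({ ...entry, reason: verdict.reason });
  }
  return { admitted, rejected };
}

// Constructed sample: what a tuner might report for one channel.
const SAMPLE_ENTRIES = [
  { name: "red-button", url: "https://HbbTV.Broadcaster.example/start.html" },
  { name: "plain-http", url: "http://hbbtv.broadcaster.example/start.html" },
  { name: "lookalike", url: "https://hbbtv.broadcaster.example.cdn.invalid/start.html" },
  { name: "userinfo", url: "https://hbbtv.broadcaster.example@cdn.invalid/start.html" },
  { name: "alt-port", url: "https://apps.tvstation.example:8443/" },
];

const result = admitSignalledApps(SAMPLE_ENTRIES);
console.log(result.admitted.map((e) => e.name), result.rejected.map((e) => `${e.name}: ${e.reason}`));
```

A plain-HTTP page like the one the comment describes is refused at the scheme check, before any script from it reaches the browser engine.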