Major players in the entertainment industry specified a standard that defines a way for connected Smart TVs to access additional content from the Internet. This so-called HbbTV standard (Hybrid broadcast broadband Television) uses portions of the DVB broadcast stream (DSM-CC) in order to embed references to online resources. As it turned out, many HbbTV-capable devices offer little or no protection against malicious content that is eventually loaded down from the Internet by Smart TVs. Possible attack vectors are shown in my earlier Blog post.
Protection from malicious content
The current situation necessitates actions to be taken. In order to protect their connected Smart TVs from malicious content, users only have a few options:
Force the manufacturers to implement security functions
Unfortunately, it is very difficult to force manufacturers to implement functions that help users to protect against attacks on their privacy and security. Even though it would be a selling-point to security aware people, manufacturers mostly react to things that cost them real money (e.g. a breach that directly relates to a user’s financial damage). But maybe there is manufacturers that go the extra mile to making their product secure - let’s not lose hope.
Permanently disconnect the TV from the data network
Disconnecting the device from the Internet could be a solution. But this means that the extra money spent for the more capable device does not pay off. So for technology savvy people, this is no option at all. Some devices also allow to deactivate the HbbTV feature, only. Funny tidbit: According to a recent survey, most users that bought a more expensive Smart TV do not connect it to the Internet.
Use a firewall that blocks undesired hosts
Placing a firewall in between TV and the Internet offers probably the best protection from malicious content. In this case, the user has to maintain a list of hosts that he/she wants to get content from. Besides having an extra device in the living room, this measure requires the user to continuously put effort in maintaining firewall rules. A good, inexpensive way to realize this could be a Raspberry Pi-based firewall.
DNS-block undesired hosts
Just because governments use it, doesn’t mean that this way of blocking undesired content isn’t an option in the HbbTV scenario. DNS-blocking is a method, where the names of defined hosts are not resolved to their respective IP addresses. This way, the content from these locations cannot be retrieved. Compared to the high effort related to running a firewall for a large number of users, DNS blocking does scale easily for a large number of users. Another advantage of this approach is, that the effort for maintaining the list of blocked/allowed hosts can be delegated to a small group of trusted people.
HAL - the HbbTV Access Limiter
HAL 2013 is the little brother of the villain HAL 9000 (known from 2001: A Space Odyssey) is a system that is supposed to ‘serve and protect’ users. HAL realizes the aforementioned DNS-blocking approach. By entering HAL’s IP to be used as DNS server for the connected TV, HAL is redirecting all traffic to its own HTTP server and answers all requests instead of the original server which is referred to in the DVB stream. This way, HAL is invoked instead of the respective station’s ‘Red Button’ application. This protects the privacy of the user and prevents eventual malicious content from being executed within the Smart TV. Additionally, this enables the opportunity to collect data about entertainment providers and to analyze the browsers on the different Smart TVs. Currently, this is all that HAL does in order to protect users. The following paragraphs describe, how HAL is planned to evolve over time.
Stage 1 - Collecting HbbTV application Data
At the time of writing this article, HAL is collecting data about as many HbbTV stations as possible. The HAL-button page which replaces the station’s red-button-page is collecting the exact station identification, the user’s TV manufacturer and the URL of the station’s red button page. Soon, there will be a page that allows users to have HAL analyze TV-specific information. This audit-page will check for TV features that are interesting from an IT security perspective.
Stage 2 - Define criteria for HbbTV applications
By analyzing different HbbTV applications, there will be things that are acceptable and things that are not acceptable to the privacy and security of Smart TV users. The result of this stage will be a list of criteria for HbbTV applications.
Stage 3 - Auditing HbbTV applications
Using the criteria from stage 2, there will be an auditing environment that generates lists of stations and servers that are safe to consume. The auditing process itself will have to be (semi-)automated so that it can deliver a reproducible outcome at any time.
Stage 4 - Running the HAL service
Once the lists are there, the HAL service is intended to be used on a regular basis in order to protect users from privacy and security loopholes in HbbTV applications. There will be iterations starting over with stage 2 over time.
More about HAL
HAL is hosted in a shared environment in Germany with constraints on CPU performance and data transfer. This is why the HAL web-application is implemented without the use of active server logic. Most of the computation needed is done within the browser component of the Smart TV. In order to reduce the transferred amount of data, all kinds of media objects that are used in the application are hosted within a free cloud service.
UPDATE: This service has been discontinued.
HAL Building Blocks
HAL consists out of a tinydns DNS Server which is operated in whitelist mode and a nginx web server with a catch-all configuration. For performance reasons, the HAL web-page is static and has no ‘moving parts’.
Different from firewall-based approaches, a DNS-based approach is only capable to block access to hosts that are accessed by name. If the application is accessing hosts by their IP address, DNS-blocking will not work. For that reason, HbbTV applications that turn out to use IP-based access will be blocked by HAL in future configurations (stage 4).
How to participate?
The more people attend, the more data can be gathered and the quicker the HAL project is able to advance. So please share this article with your friends! In the first stage of the HAL project it makes sense to activate HAL, switch through as many HbbTV enabled channels as possible and deactivate it again, as it is not suited for permanent use, yet.
So what’s the IP?
In order to see HAL, use the following IP address as DNS server for your connected TV:
I cannot see HAL!
In case it doesn’t work, please do not write e-mails. Please ask a friend to help you with this.
More information about the HAL project and other HbbTV related activities can be found on this page.