Security Concerns with HbbTV - Sat, Jun 1, 2013
A large share of the TV sets currently for sale belong to the group of “Connected TVs” or “Smart TVs”. These devices can access the contents of online media libraries and let users visit Internet pages via an integrated web browser. Mostly for the European market, the available devices have a feature called HbbTV. HbbTV stands for Hybrid Broadcast Broadband TV and defines a standard for TV sets to access station-specific online content. Since April 2013, I have been the proud owner of a SAMSUNG ES7000 – a device with HbbTV capabilities.
Introduction
Until now, most security researchers working with connected TVs have focused on vulnerabilities that require physical access to the device’s USB port or access to the local network ([ReVuln - The TV is watching you: Samsung 0-day](http://revuln.com/research.htm#videos), great CanSec talk by SeungJin Lee and Seungjoo Kim). At the end of May, at the [13th German IT-Security Congress](https://www.bsi.bund.de/DE/Aktuelles/Veranstaltungen/IT-Sicherheitskongress/IT-Sicherheitskongress_node.html) (organized by the German BSI), the first security paper related to HbbTV was published. The [paper by the German TU Darmstadt (Marco Ghiglieri, Florian Oswald, Erik Tews)](https://s3-eu-west-1.amazonaws.com/media.cased.de/files/2013_CASED_HbbTV.pdf) mostly addresses privacy-related issues with the HbbTV standard. Since I also had some time for Smart TV research during the past two months, I will share my findings in this blog entry. These findings confirm most of the findings of the aforementioned paper but also introduce attack vectors that become possible with HbbTV. During BerlinSides 0x04 (May 2013 in Berlin) I gave a short lightning talk about this. This is the transcript of that presentation.
The HbbTV Standard
The [Hybrid Broadcast Broadband TV](http://hbbtv.org/) consortium aims to define a standardized way in which content from so-called entertainment providers (e.g. broadcast stations, online media providers) is delivered to connected TVs. Starting as a pan-European effort, the HbbTV consortium wants to create a globally adopted standard for hybrid entertainment services. Within the so-called Declarative Application Environment (DAE) – the HbbTV browser – another standard for connected TVs is being adopted: [the Open IPTV Forum standard for Internet protocol TVs (IPTV)](http://www.oipf.tv/). This standard appears to cover the device-specific part of the Internet functionality.
The Red Button
In many countries, the red button found on many TV remote controls had already been used to access additional information for years before the introduction of HbbTV. In the HbbTV standard, the red button defines the entry point for the content offered by the respective entertainment provider. For broadcast providers, pressing the red button will in most cases load a menu structure that lets the user access media content. But here is the catch: to advertise the offered content, a small hint is displayed on the TV screen as soon as the user switches to the respective channel. This hint is in most cases implemented as a semi-transparent HTML layer that overlays the actual TV picture and is in most cases retrieved from a specific web server. In these cases, the URL of the red button web page is encoded within the DVB stream. So technically, the connected TV becomes visible to the broadcast station without the user’s knowledge or consent. The moment the red button hint is displayed on the TV screen, the user’s privacy is possibly breached.
DAE Capabilities
The TV’s browser component is able to display HTML content and to execute Javascript code. In the case of the [SAMSUNG ES7000](http://www.amazon.de/gp/product/B007JURIGS/ref=as_li_tf_tl?ie=UTF8&camp=1638&creative=6742&creativeASIN=B007JURIGS&linkCode=as2&tag=toothrcom-21), the TV’s browser component is even WebKit 1.1 compatible. Additionally, the DAE offers certain OIPF objects. By accessing the OIPF objects from a Javascript context, information such as the station list and other device-specific data can be read. Possible attack vectors are shown below.
Data Collection
In order to find out the different URLs that are either encoded within the DVB stream or accessed in order to display the red button, an observational approach was chosen. The data connection of the [Samsung ES7000 Smart TV](http://www.amazon.de/gp/product/B007JURIGS/ref=as_li_tf_tl?ie=UTF8&camp=1638&creative=6742&creativeASIN=B007JURIGS&linkCode=as2&tag=toothrcom-21) (firmware release 002008) was redirected through a transparent proxy (the ES7000 itself doesn’t support configuring a proxy). A set of scripts on the proxy server took care of switching through a previously acquired channel list and copying the different URLs from the proxy’s access log to one file per station. The URLs were acquired from stations transmitted via ASTRA 19.2E. The different channels were accessed using an HD+ subscription. Other subscription stations (e.g. SKY) are not included. The proxy logs were captured on the 9th of May 2013. Download the logs here: http://trifinite.org/hbbtv/hbbtv_proxy_logs-2013-05-09.zip
Logs
The logs show the URLs that the TV accessed when the respective channel was switched to. In order to avoid caching effects, the channels were switched through in random order. The URLs captured in the files clearly show whether the respective station is directly or indirectly using an analytics service. Since the channel was switched every 15 seconds, repeated tracking requests that an application may send while a channel stays tuned are not shown in the captured logs.
Stations on ASTRA 19.2E using HbbTV
Here is a list of stations that are currently using HbbTV. Due to caching effects some of the stations which are using HbbTV might not be in this list of 66 stations:
Use of Third-Party tracking services
As the logs show, the following stations are using Google Analytics; one station is using a service called etracker (https://www.etracker.com/). Whether any of the stations (including those not listed below) have implemented their own tracking functionality – as the [ProSiebenSat.1 group](http://www.prosiebensat1.com/) obviously has – cannot be fully determined using the proxy approach, since such functionality would mostly live in server-side code.
- ANIXE HD (Google Analytics)
- ARTE HD (Google Analytics)
- DAS VIERTE (Google Analytics)
- kabel eins HD (Google Analytics)
- kabel eins Österreich (Google Analytics)
- ProSieben HD (Google Analytics)
- ProSieben Österreich (Google Analytics)
- RTL HD (Google Analytics)
- RTL2 HD (etracker)
- SAT.1 Bayern (Google Analytics)
- SAT.1 HD (Google Analytics)
- SAT.1 NRW (Google Analytics)
- SAT.1 Österreich (Google Analytics)
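To make the collection and analysis step concrete, here is an added Python example; it is not the author’s proxy script (which was not published with the post) and it does not operate on the real captured logs. It assumes a Squid-style native access log, a known channel-switch schedule, and the two tracking domains named above; the log lines, station names and hosts are constructed placeholders. It attributes each request to the station tuned at that moment (the “one file per station” step) and then reports which tracking services each station contacted, directly or indirectly:

```python
import re
from bisect import bisect_right
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of a transparent-proxy access log in Squid's native format
# (timestamp elapsed client status/code bytes method URL ...). These lines are
# invented for this example; hostnames are placeholders, not the captured ones.
SAMPLE_LOG = """\
1368086400.101   120 192.168.1.50 TCP_MISS/200 2210 GET http://hbbtv.station-a.example/redbutton/index.html - HIER_DIRECT/203.0.113.10 text/html
1368086400.402    95 192.168.1.50 TCP_MISS/200  980 GET http://www.google-analytics.com/ga.js - HIER_DIRECT/203.0.113.20 text/javascript
1368086401.003    40 192.168.1.50 TCP_MISS/200  310 GET http://www.google-analytics.com/__utm.gif?utmac=UA-000000-1 - HIER_DIRECT/203.0.113.20 image/gif
1368086415.210   130 192.168.1.50 TCP_MISS/200 1870 GET http://app.station-b.example/start.html - HIER_DIRECT/203.0.113.30 text/html
1368086415.640    60 192.168.1.50 TCP_MISS/200  420 GET http://www.etracker.com/cnt.js - HIER_DIRECT/203.0.113.40 text/javascript
1368086430.050   110 192.168.1.50 TCP_MISS/200 1500 GET http://hbbtv.station-c.example/menu.html - HIER_DIRECT/203.0.113.50 text/html
"""

# Constructed channel-switch schedule: (unix time the TV was tuned, station name).
# In the real experiment the switching script would record this as it goes.
SWITCH_SCHEDULE = [
    (1368086400.0, "Station A"),
    (1368086415.0, "Station B"),
    (1368086430.0, "Station C"),
]

# Third-party tracking domains named in the post, matched by suffix so that
# subdomains such as www.google-analytics.com are caught as well.
TRACKER_DOMAINS = ("google-analytics.com", "etracker.com")

# timestamp, elapsed, client, status/code, bytes, method, URL
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+\S+\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def station_at(ts, schedule):
    """Return the station tuned at time ts, or None if ts precedes the first switch."""
    times = [t for t, _ in schedule]
    idx = bisect_right(times, ts) - 1
    return schedule[idx][1] if idx >= 0 else None


def is_tracker(host):
    """True if host is one of the tracking domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRACKER_DOMAINS)


def group_requests(log_text, schedule):
    """Map each station to the list of URLs the TV fetched while it was tuned."""
    per_station = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the run
        station = station_at(float(m["ts"]), schedule)
        if station is not None:
            per_station[station].append(m["url"])
    return dict(per_station)


def trackers_by_station(per_station):
    """For each station, the sorted list of tracker hosts it caused the TV to contact."""
    result = {}
    for station, urls in per_station.items():
        hosts = {urlsplit(u).hostname for u in urls}
        result[station] = sorted(h for h in hosts if h and is_tracker(h))
    return result


if __name__ == "__main__":
    grouped = group_requests(SAMPLE_LOG, SWITCH_SCHEDULE)
    for station, trackers in trackers_by_station(grouped).items():
        print(f"{station}: {len(grouped[station])} requests, trackers: {trackers or 'none'}")
```

Attributing requests by time is only reliable when the switch interval is longer than the page load, which is why the 15-second interval matters; anything a page fetches later than that would be misattributed to the next station, so a real run should also drop requests that arrive within the last second or two before a switch.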
Possible attacks
WiFi eavesdropping
The [TU Darmstadt paper](https://s3-eu-west-1.amazonaws.com/media.cased.de/files/2013_CASED_HbbTV.pdf) describes an attack that makes it possible to find out the neighbours’ TV watching preferences by monitoring wireless network traffic. Based on the lengths of the packets and the MAC addresses of the different devices, attackers are able to gather this kind of information even if the WiFi access point uses WPA encryption.
Fake Analytics
Assuming that the stations using analytics services use the results for strategic TV programming decisions, this could probably go wrong. Attackers are able to generate fake requests via proxy networks, simulating real TV viewers. Many coordinated fake requests timed to the TV schedule could probably affect a broadcast network’s strategic decisions, e.g. whether to discontinue a certain show. (Credits to Michael Schäfer)
Content attacks
This group of attacks takes advantage of the fact that content is requested by the Smart TV at the moment the user changes the channel. Here, the attacker provides the content that is going to be displayed on the TV. There are several ways in which attackers could become entertainment providers:
- DVB/DSM-CC injection: being able to inject content into a stream’s content carousel, attackers could specify URLs referring to their content, which is then accessed by the TV.
- DNS spoofing/poisoning: attackers manipulate DNS servers in order to make the URLs within the DVB stream resolve to servers with their content.
- Content spoofing: since none of the observed stations uses SSL-secured connections, attackers can perform man-in-the-middle attacks and replace the original content with their own. Even if SSL were in use, not all TVs would prevent the content from being loaded.
- Watering hole attacks: attackers can compromise the original source of the delivered content in order to replace the original content with their own. While scanning some of the stations’ servers, poorly configured servers running outdated software versions were identified.
Once attackers have managed to redirect the TV’s HTTP requests to sources under their control, many different HTML-/Javascript-based attacks become possible:
Fake News Tickers
News stations in particular use inserts in the lower third of the screen to display news headlines and stock tickers. Similar to the partly transparent page used to deliver the red button hint, attackers can use a partly transparent page to overlay the actual news ticker with an identical-looking fake news ticker carrying misinformation. (Credits to Roger Klose)
Bitcoin Mining
As an example of abusing other people’s CPU power, attackers could use the TVs of many users for Bitcoin mining with the Javascript-based [BitcoinPlus](http://www.bitcoinplus.com/miner/embeddable) miner for websites. (Credits to Matthias Zeitler)
Arbitrary Video Display
The DAE’s capability to stream video from any location on the Internet might coin a new term: attackers could not only 0wn or p0wn your Smart TV, now they can also pr0wn it (by streaming rogue content).
OIPF Objects
As defined in the OIPF standard, certain Javascript objects are provided within the DAE. These objects allow Javascript programs to access device-specific information such as channel lists, recording capabilities, parental control settings and probably personal information such as the user’s favourite channel list (on my SAMSUNG TV, only very little information was accessible through Javascript within the DAE).
Using the TV to attack further components in user LAN
Since the well-known Javascript object [XmlHttpRequest](http://www.w3.org/TR/XMLHttpRequest/) is available within the DAE, not only the TV itself is a target of possible attacks but also other networked devices in the user’s home network. Using a timing-based approach, attackers are able to scan the user’s home network from the TV for other devices that sit behind the user’s firewall and would not be directly visible from the Internet. This could be used for user profiling and for finding further attack targets. The attackers’ next step could be the reconfiguration of components in the local area network in order to facilitate further attacks via different vectors. For example, the home router – which in many cases has no password protection when accessed from the LAN – could be reconfigured by the attacker so that it no longer protects against attacks from the Internet. In order to gain personal information, attackers could access well-known services like UPnP or HTTP in the user’s network via the connected TV. For example, IP cameras or printers could be compromised using this technique. Also using the XmlHttpRequest object, attackers can transfer all of the gathered information to arbitrary Internet drop zones, which would also expose the victim’s IP address. As many of these attacks have been publicized in the context of browser hacking, there is a lot of code available on the Internet that might be used to compromise Smart TVs as well.
Possible Mitigation
The software of currently available HbbTV devices offers no way to configure security settings, as can be done in decent desktop browsers. At the moment, the TV user has to place a lot of trust in the entertainment provider/broadcast station. In order to mitigate the risks described above, TV manufacturers have to implement mechanisms that allow the user to control the TV’s HbbTV functionality. Allowing users to whitelist trusted channels would solve at least some of the issues. A legislative approach could be to require entertainment providers to embed the red button content in the DSM-CC carousel, so that the Smart TV would not have to request information from a web server before the red button can be displayed.
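To illustrate what a user-controlled whitelist could look like on the device side, here is an added Python example. It is not code from any TV manufacturer or from the HbbTV standard; the policy format, the channel and host names and the decision function are all hypothetical. It applies a default-deny policy to an application URL signalled for a channel: content addressed inside the broadcast carousel (assumed here to use a `dvb:` URL scheme) is allowed without any broadband request, everything else must come from a whitelisted channel, over SSL, from a host the user has approved for that channel:

```python
from urllib.parse import urlsplit

# Hypothetical user policy: per-channel allow-list of hosts the TV may contact
# for HbbTV applications. Channels not listed are denied. Names are placeholders.
EXAMPLE_POLICY = {
    "Station A": {"hosts": ["hbbtv.station-a.example"]},
    "Station B": {"hosts": ["app.station-b.example", "*.station-b.example"]},
}


def host_matches(host, pattern):
    """Exact match, or a '*.example' wildcard that matches subdomains but not the apex."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # keeps the leading dot, so apex is excluded
    return host == pattern


def evaluate(channel, app_url, policy):
    """Decide whether the DAE may load app_url signalled on channel.

    Returns (allowed, reason). Order of checks: carousel content first (no network
    request, nothing to leak), then channel whitelist, then transport, then host.
    """
    parts = urlsplit(app_url)
    # Assumption: objects delivered in the DSM-CC carousel are addressed with a
    # dvb: URL. They come from the broadcast itself, so no web server learns that
    # the TV tuned in; this is the "embed the red button in DSM-CC" mitigation.
    if parts.scheme == "dvb":
        return True, "carousel object, no broadband request needed"
    rules = policy.get(channel)
    if rules is None:
        return False, f"channel {channel!r} is not on the user's whitelist"
    if parts.scheme != "https":
        return False, "broadband HbbTV content must be fetched over https"
    host = parts.hostname
    if not host or not any(host_matches(host, p) for p in rules["hosts"]):
        return False, f"host {host!r} is not approved for {channel!r}"
    return True, "allowed by user policy"


if __name__ == "__main__":
    # Constructed application URLs as a broadcaster might signal them.
    for chan, url in [
        ("Station A", "dvb://1.2.3/redbutton/index.html"),
        ("Station A", "http://hbbtv.station-a.example/redbutton/index.html"),
        ("Station B", "https://img.station-b.example/logo.png"),
        ("Station C", "https://hbbtv.station-c.example/menu.html"),
    ]:
        allowed, why = evaluate(chan, url, EXAMPLE_POLICY)
        print(f"{chan:10} {url:55} -> {'ALLOW' if allowed else 'DENY '} ({why})")
```

The point of checking the carousel case before the whitelist is that it removes the privacy leak entirely rather than merely limiting it: no request leaves the home network, so there is nothing for a station or a third-party tracker to log. The wildcard rule keeps the leading dot so that a lookalike host that merely ends in the broadcaster’s name, without being a subdomain of it, is rejected.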
Conclusions
As shown above, connecting HbbTV-capable Smart TVs to the home network is dangerous. Possibly malicious content is accessed and executed by the television when a user switches to an HbbTV-enabled channel. So-called entertainment providers which deliver content via HbbTV can be compromised by attackers, or could be providing malicious content themselves, which might lead to the various attacks described in this blog post. Possible measures are mentioned that might help to mitigate the privacy and security issues addressed. Even though these measures cover the majority of the attack scenarios, not all of the risks can be mitigated. The user still has no means to tell whether HbbTV content is authentic or not. TV manufacturers seem to lack IT security know-how and have to learn from other industries in order to succeed. This blog post is an effort to draw attention to this issue. The described attack scenarios are examples that help to show the severity of the topic. IMHO, it is just a matter of time before such attacks are spotted in the wild. At the time of writing, a few broadcast channels are already using IP geolocation services to target banner-like on-screen inserts. In this early stage of adoption, HbbTV is used by broadcast stations in many creative ways that might not only put the privacy of users at stake but also raise security issues.
Press articles covering this article:
- http://www.scmagazine.com.au/News/345632,hbbtv-holes-make-tellys-hackable.aspx
- http://www.xakep.ru/post/60743/
- http://www.theregister.co.uk/2013/06/06/smart_tvs_riddled_with_dumb_security_holes/
- http://business.chip.de/news/Smart-TV-Uni-Forscher-hackt-sich-in-die-Kanaele_62389705.html
- http://www.net-security.org/secworld.php?id=15014/
- http://www.broadbandtvnews.de/2013/06/07/it-spezialist-demontiert-smarttv-sicherheit/
- http://www.infosecurity-magazine.com/view/32805/connected-tvs-open-up-a-host-of-threat-vectors/
- http://www.spiegel.de/netzwelt/netzpolitik/hbbtv-sicherheitsluecke-in-smart-tvs-entdeckt-a-904086.html