Security Concerns with HbbTV - Sat, Jun 1, 2013
A large amount of the TV sets currently available for sale belong to the group of “Connected TVs” or “Smart TVs”. These devices have the capability to access the contents of online media libraries and allow users to access Internet-pages via an integrated web-browser. Mostly for the European market, the available devices have a feature called HbbTV. HbbTV stands for Hybrid Broadcast Broadband TV and defines a standard for TV sets to access station-specific online contents. Since April 2013, I am the proud owner of a SAMSUNG ES7000 – a device with HbbTV capabilities.
Until now, most of the security researchers working with connected TVs focused on security vulnerabilities related to physical access to the device’s USB port or local network access ([ReVuln - The TV is watching you: Samsung 0-day](http://revuln.com/research.htm#videos “ReVuln Videos” target="_blank"), great CanSec Talk by SeungJin Lee and Seungjoo Kim). In the end of may, at the [13th German IT-Security Congress](https://www.bsi.bund.de/DE/Aktuelles/Veranstaltungen/IT-Sicherheitskongress/IT-Sicherheitskongress_node.html “IT Sicherheitskongress” target="_blank") (organized by the German BSI) the first security paper related to HbbTV got published. In the [paper published by the German TU Darmstadt (Marco Ghiglieri, Florian Oswald, Erik Tews)](https://s3-eu-west-1.amazonaws.com/media.cased.de/files/2013_CASED_HbbTV.pdf “CASED HbbTV” target="_blank"), mostly privacy-related issues with the HbbTV standard were addressed. Since I also had some time for SmartTV -research during the past two months, I will share my findings in this blog entry. These findings will confirm most of the findings of the aforementioned paper but also introduces attack vectors that become possible with HbbTV. During BerlinSides 0x04 (May 2013 in Berlin) I was giving a short lightning talk about this. This is the transcript of this presentation.
The HbbTV Standard
The [Hybrid Broadcast Broadband TV](http://hbbtv.org/ “HbbTV” target="_blank") consortium aims to define a standardized way on how content from so-called entertainment providers (e.g. broadcast stations, online media providers) is delivered on connected TVs. Starting as a Pan-European effort, the HbbTV consortium wants to create a globally adopted standard for hybrid entertainment services. Especially within the so-called Declarative Application Environment (DAE) – the HbbTV browser – another standard for connected TVs is being adopted: [The Open IPTV Forum standard for Internet protocol TVs (IPTV)](http://www.oipf.tv/ “Open IPTV Forum” target="_blank"). This standard seems to cover the device-specific part for Internet functionality.
The Red Button
In many countries, the use of the red button, which is found on many TV remote controllers, has already been used for accessing additional information years before the introduction of HbbTV. In the HbbTV standard, the red button defines the entry-point for the content offered by the respective entertainment provider. In case of broadcast providers, the red button will in most cases load a menu-structure that enable the user to access media contents when the user presses it. But here is the catch: In order to refer to the offered content, a small hint is displayed on the TV screen once the user switches to the respective channel. This hint is in the most cases implemented as semi-transparent HTML-layer that overlays the actual TV picture and is in the most cases retrieved from a specific web server. In these cases, the URL for the red button webpage is encoded within the DVB stream. So technically, the connected TV becomes visible to the broadcast station without notification of the user or the consent of the TV user. The moment the red button hint is displayed on the TV screen, the user’s privacy is possibly breached.
In order to find out the different URLs that are either encoded within the DVB stream or accessed in order to display the red button, an observing approach was chosen. The data connection of the [Samsung ES7000 Smart TV](http://www.amazon.de/gp/product/B007JURIGS/ref=as_li_tf_tl?ie=UTF8&camp=1638&creative=6742&creativeASIN=B007JURIGS&linkCode=as2&tag=toothrcom-21 “Affiliate Link” target="_blank") (firmware release 002008) has been redirected through a transparent proxy (the ES7000 itself doesn’t support configuring a proxy). A set of scripts on the proxy server took care of switching through a previously acquired channel list and copying the different URLs from the proxy’s access log to one file per station. The URLs were acquired from stations transmitted via ASTRA 19.2E. The different channels were accessed using a HD+ subscription. Other subscription stations (e.g. SKY) are not included. The proxy logs were captured on the 9th of May 2013. Download the logs here: http://trifinite.org/hbbtv/hbbtv_proxy_logs-2013-05-09.zip
The logs show the URLs that the TV was accessing when the respective channel was switched to. In order to avoid caching effects, the channels were switched through in random order. The URLs captured in the files clearly show whether the respective station is directly or indirectly using an analytics service. Since the switching of channels was performed every 15 seconds, the aforementioned repeated tracking requests are not shown in the captured logs.
Stations on ASTRA 19.2E using HbbTV
Here is a list of stations that are currently using HbbTV. Due to caching effects some of the stations which are using HbbTV might not be in this list of 66 stations:
Use of Third-Party tracking services
As the logs show, the following stations are using Google Analytics. One station is using a service called etracker (https://www.etracker.com/). Whether any of the stations (including the stations not mentioned below) have implemented their own tracking functionality – as the [ProSiebenSat.1 group](http://www.prosiebensat1.com/ “ProSieben Sat1” target="_blank") obviously has – cannot entirely be determined using the proxy approach, since this functionality would be visible mostly in server-side code. ANIXE HD (Google Analytics) ARTE HD (Google Analytics) DAS VIERTE (Google Analytics) kabel eins HD (Google Analytics) kabel eins Österreich (Google Analytics) ProSieben HD (Google Analytics) ProSieben Österreich (Google Analytics) RTL HD (Google Analytics) RTL2 HD (etracker) SAT.1 Bayern (Google Analytics) SAT.1 HD (Google Analytics) SAT.1 NRW (Google Analytics) SAT.1 Österreich (Google Analytics)
The [TU Darmstadt paper](https://s3-eu-west-1.amazonaws.com/media.cased.de/files/2013_CASED_HbbTV.pdf “CASED HbbTV” target="_blank") describes an attack where it is possible to find out the neighbors’ TV watching preferences by monitoring wireless network traffic. Based on the lengths of the packets and the MAC addresses of the different devices, attackers are able to gather this kind of information even if the WiFi access point uses WPA encryption.
Presumed the stations using analytics services will use eventual results for strategic TV programming, this could probably go wrong. Attackers are able to generate fake requests via proxy networks simulating real TV watchers. Many coordinated fake requests based on the TV schedule probably could affect the broadcast network’s strategic decisions to e.g. discontinue a certain show. (Credits to Michael Schäfer)
This group of attacks will take advantage of the fact that content is requested by the Smart TV at the time the user changes the channel. Here, the attacker will provide the content that is going to be displayed on the TV. There are several possibilities on how attackers could become entertainment providers:
- DVB/DSM-CC Injection being able to inject content into a streams content carousel, attackers could specify URLs referring to their content which is then accessed by the TV.
- DNS Spoofing/Poisoning attackers are manipulating DNS servers in order to make the URLs within the DVB stream resolve to servers with their content.
- Content Spoofing since none of the observed stations is using a SSL secured connections, attackers can perform man-in-the-middle attacks and replace the original content by their content. Even if SSL was in use, not all TVs would prevent the user from accessing the content.
- Watering Hole Attacks attackers can compromise the original source of the delivered content in order to replace the original content with their content. In the process of scanning some of the station’s servers, poorly configured servers using outdated software versions were identified.
Fake News Tickers
Especially news stations are using inserts in the lower third of the screen in order to display news headlines and stock tickers. Similar to the partly transparent page used to deliver the red button hint, attackers can use a partly transparent page to overlay the actual news ticker with an equally looking fake news ticker featuring misinformation. (Credits to Roger Klose)
Arbitrary Video Display
The DAE’s capabilty to stream video from any location on the Internet might coin a new term: Now attackers could not only 0wn or p0wn your Smart TV, now they can also pr0wn it. (by streaming rouge content)
Using the TV to attack further components in user LAN
The software of currently available HbbTV devices lacks the possibility to configure security settings as this might be done in decent browsers. At the moment, the TV user has to trust the entertainment provider/broadcast station a lot. In order to mitigate the risks described above, the TV manufacturers have to implement mechanisms that allow the user to control the TV’s HbbTV functionality. Allowing users to whitelist trusted channels would solve at least some of the issues. A legislative approach could be to force entertainment providers to embed the red button content in the DSM-CC, so that the Smart TV wouldn’t have to request information from a web server before the red button can be displayed.
As shown before, connecting HbbTV-capable Smart TVs to the home network is dangerous. Possibly malicious content is accessed and executed by the television when a user switches to an HbbTV enabled channel. So-called entertainment providers which provide content via HbbTV can be compromised by attackers or could be providing malicious content themselves that might lead to various attacks which are described in this blog post. Possible measures are mentioned that might help to mitigate the addressed privacy and security issues. Even though these measures cover the majority of the attack scenarios, not all of the risks can be mitigated. Still, the user has no means to tell whether the HbbTV content is authentic or not. Clearly, TV manufacturers seem to lack IT security know-how and have to learn from other industries in order to succeed. This blog post is an effort to draw attention to this issue. The described attack scenarios are examples that help to show the severity of this topic. IMHO, it is just a matter of time before the attacks are spotted in the wild. At the time of writing, a few broadcast channels are already using IP geolocation services to target banner-like on-screen inserts. In this early stage of adoption, HbbTV is used by broadcast stations in many creative ways that might not only put the privacy of the users at stake but also raises security issues. Press articles covering this article: http://www.scmagazine.com.au/News/345632,hbbtv-holes-make-tellys-hackable.aspx http://www.xakep.ru/post/60743/ http://www.theregister.co.uk/2013/06/06/smart_tvs_riddled_with_dumb_security_holes/ http://business.chip.de/news/Smart-TV-Uni-Forscher-hackt-sich-in-die-Kanaele_62389705.html http://www.net-security.org/secworld.php?id=15014/ http://www.broadbandtvnews.de/2013/06/07/it-spezialist-demontiert-smarttv-sicherheit/ http://www.infosecurity-magazine.com/view/32805/connected-tvs-open-up-a-host-of-threat-vectors/ http://www.spiegel.de/netzwelt/netzpolitik/hbbtv-sicherheitsluecke-in-smart-tvs-entdeckt-a-904086.html