From the Aether to the Ethernet – Attacking the Internet using Broadcast Digital Television – Oren & Keromytis 2014
Before reading any further, please ensure you are in a carpeted area or other soft ground. Your jaw may hit the floor a few times when you hear what Oren & Keromytis have to tell us, and I’d hate to cause you injury. You may also find yourself experiencing a strong desire to disconnect your TV from the internet ;).
Here’s the short version: the standard that enables the ‘red button’ content on your TV also creates a startling security hole that can be exploited in a manner that is virtually undetectable. This is an extremely interesting result in its own right, but there are also some higher-level lessons we can draw:
- Security considerations in IoT are really important! When we connect the physical and digital worlds there can be a lot of unforeseen consequences. See for example Paul Fremantle’s excellent talk on this topic at this year’s QCon London conference, or the attack that uses your own car keys to open and start your car on your own drive, without ever having possession of your keys.
- We often hear about the threat of digital attacks that exploit connected devices to manipulate the physical world, but here is a reminder that when we connect the two, it also opens up attack vectors whereby manipulating the physical world can disrupt digital systems.
- At the root of this is something that Peter Alvaro has described as the next grand challenge: we can take systems or system components that have well-formed and well-understood properties, but when we compose them how can we reason about the properties of the combined entity? And do the guarantees that held for each component in isolation still hold in its new environment? This applies to safety and liveness properties, and of course to security considerations.
Several unique properties of HbbTV make it potentially prone to attack. These security weaknesses can all be considered emergent properties, which exist on the boundary between the broadband and broadcast systems, and stem from the different expectations and guarantees which exist in each system.
The vulnerabilities described in this paper were responsibly disclosed to the relevant standards bodies. At the time the paper was published (2014) no action had been taken in response.
HbbTV background
In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content which is rendered by the television. This system is already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard.
The content is commonly called ‘red button’ content since pressing the red button is the common convention for interacting with it. But it turns out you don’t need to press the red button to activate it…
While the specification proposes multiple ways in which web content can be used in a TV, this article will focus on the most common form of content, autostart broadcast-dependent applications. This form of content starts running automatically when the user tunes into a particular TV channel, and terminates when the user moves to another channel.
Yes, you read that right. The simple act of tuning your TV to a channel can cause web content associated with that channel to start executing. The ‘press the red button’ overlays that you see on many channels are produced by this content – but this is merely a convention.
Surely all this content is sandboxed though? What can it actually do?
Internet content is rendered by the TV using a specially-enhanced web run-time, described in the HbbTV standard as a Data Execution Environment (DAE).
You get an enhanced DOM with some extra information specific to television, and you also get a lot of control over the display:
The DAE also allows programmatic access to the live TV broadcast window. Thus, it is possible for an HbbTV application to render content on top of the TV broadcast, resize the broadcast window or even completely replace the broadcast content with its own content. On the other extreme, it is also possible for an HbbTV application to run without displaying any indication to the user. Practically speaking, most “benign” applications typically display a small overlay inviting the user to press the Red Button, then disappear to run transparently in the background.
It turns out that ‘invisible’ applications that auto-start when you tune to a channel are often used to track your behaviours while watching TV without your knowledge or consent.
Where does this internet content come from? There are two mechanisms: you can provide a URL pointing to the server hosting the application, or you can provide the actual web content itself in an additional data stream that is carried over the broadcast transport.
I’m sure you’re familiar with the same-origin policy that prevents content from one web site interfering with content from another, and is a fundamental part of web security. If you provide content via a URL, then your origin is clearly the server that content came from. What’s the origin if you provide content over the broadcast transport though?
The HbbTV specification suggests that in this case the broadcast stream should explicitly define its own web origin by setting the simple_application_boundary_descriptor property in the AIT to any desired domain name.
Yes, you can be anyone you want to be.
Let’s recap so far: content starts executing simply through the act of tuning to a channel; there is no way for you to know that any application is executing; the content has complete control over what you see – including manipulation of the broadcast picture itself; and it can communicate over the internet using any origin of its choosing.
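One way a defender can act on the origin problem just described is to audit the Application Information Table (AIT) a receiver actually sees against a reference copy. The following is an added example, not code from the paper or from any HbbTV project: it assumes a DVB analyser has already decoded the AIT into plain dicts (the dict keys are hypothetical; the AUTOSTART control code and the descriptor name follow ETSI TS 102 809 as quoted above), and it flags autostart applications that are new, changed, or that merely assert their origin over the broadcast path.

```python
# Added example, not code from the paper or from any HbbTV project: a
# receiver-side audit of a decoded HbbTV Application Information Table (AIT).
# It assumes a DVB analyser has already decoded the AIT into dicts; the dict
# keys are hypothetical, the control code follows ETSI TS 102 809.
from urllib.parse import urlparse

AUTOSTART = 0x01  # application_control_code: runs as soon as the channel is tuned


def effective_origin(app):
    """Origin the terminal grants the app: the transport URL's host for HTTP
    delivery, or, for broadcast (carousel) delivery, whatever the AIT's
    simple_application_boundary_descriptor asserts, which nothing verifies."""
    if app["transport"] == "http":
        return urlparse(app["url"]).hostname
    return app.get("boundary")


def audit_ait(observed, baseline, trusted_domains):
    """Compare the on-air AIT with a reference copy; return (app_id, reason)."""
    findings = []
    known = {app["app_id"]: app for app in baseline}
    for app in observed:
        if app["control_code"] != AUTOSTART:
            continue  # only autostart apps run without any user action
        origin = effective_origin(app)
        ref = known.get(app["app_id"])
        if ref is None:
            findings.append((app["app_id"], "autostart app not in reference AIT"))
        elif ref["transport"] != app["transport"] or effective_origin(ref) != origin:
            findings.append((app["app_id"], "transport or origin differs from reference"))
        if app["transport"] == "carousel" and app.get("boundary"):
            findings.append((app["app_id"], f"origin {origin} asserted over broadcast, unverified"))
        if origin not in trusted_domains:
            findings.append((app["app_id"], f"origin {origin} not in broadcaster allow-list"))
    return findings


# Constructed sample data: the reference AIT carries one benign red-button app;
# the on-air AIT adds a carousel autostart app claiming an unrelated site's origin.
BASELINE = [{"app_id": (0x10, 1), "control_code": AUTOSTART, "transport": "http",
             "url": "http://redbutton.broadcaster.example/start.html"}]
OBSERVED = BASELINE + [{"app_id": (0x10, 2), "control_code": AUTOSTART,
                        "transport": "carousel", "boundary": "socialnetwork.example"}]
TRUSTED = {"redbutton.broadcaster.example"}

if __name__ == "__main__":
    for app_id, reason in audit_ait(OBSERVED, BASELINE, TRUSTED):
        print(app_id, reason)
```

The benign HTTP app produces no findings, while the injected carousel app is reported three times: it is absent from the reference AIT, its origin is only asserted, and that origin is not one the broadcaster uses.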
Crafting an attack
Suppose for a moment you could inject your own web content into a broadcast stream (you can, we’ll see how later), what kind of damage could you do?
- DDOS attacks – an automatically launched app that repeatedly accesses a target website
- Unauthenticated request forgery to skew the results of online polls, competitions etc.
This attack is a variant of traditional cross-site request forgery (CSRF) attacks, which are well-known to the security community [2]. However, one unique advantage of the HbbTV attack vector is that the attack is not “blind” – due to the unique way same-origin is implemented for HbbTV, the attack script can fully interact with the static and dynamic content of the page with the full permissions of a human user accessing the webpage.
- Authenticated request forgery – if the user has previously visited a site (e.g. logged into Facebook) and the TV holds a cookie or other authentication token, then an infected application can access the website with the full credentials of the logged-in user:
An infected application using this attack vector can, for example, post links to malware to the legitimate user’s friends over Twitter or Facebook, purchase DRM-protected content whose royalties are pocketed by the attacker, or call a premium number using a VoIP application.
- Intranet request forgery – scanning your home network for other devices and vulnerabilities:
For example, the attacker can identify a vulnerable wireless router and a Windows PC, then proceed to modify the DNS settings of the router so that the PC is directed to a phishing website when it attempts to connect to a banking website.
- Phishing or social engineering – the attacker has full control over the display.
- Using exploits to take over the TV itself (and maybe the microphone, camera, …):
… the vulnerability-to-patch cycle for these devices is typically much longer than that of a desktop operating system, due to the additional steps required by the equipment vendor to implement, test and deploy security updates for this nonstandard platform. Whenever an exploit is discovered for a Smart TV platform, the combination of HbbTV’s invisibility and undetectability make it a remarkably efficient method of distributing this exploit and compromising the TVs.
Not much fun at all! But it gets worse when you consider that it’s easy to attack thousands of TVs all at once…
We now describe how an attacker can use the vulnerability described above to launch a series of large-scale attacks. Our setup targets digital terrestrial television (DTT), which is the most common way in which television is received in many parts of the world. In Subsection 7.2 we discuss how this attack can also be applied to other delivery methods such as cable or satellite. Our attack works by creating a television broadcast which includes, together with the normal audio and video streams, a malicious HbbTV application.
For this you need some open source software and about $450 worth of equipment:
The best way … is to carry out a form of man-in-the-middle attack, in which the attacker transparently modifies a popular TV channel to include a malicious payload…. The attacker uses a receive antenna connected to a DVB tuner to intercept a legitimate television signal, modifies the content of the DVB stream to add its malicious payload, and finally uses a DVB modulator connected through a power amplifier to a transmit antenna to re-transmit the modified signal to the TV under attack using the same frequency as the original broadcast. The TV under attack is, in turn, connected to the Internet.
In the geographic area around the attacker, the modified signal will be stronger than the original, causing TVs to pick it up. A USB-powered tuner and antenna cost about $15. The VLC media player can interface with this and send the stream to a socket. Since the video and audio streams will not be modified, injecting the web content is computationally cheap, and the open source Avalpa OpenCaster software can be used to modify the stream. A USB DVB modulator turns this modified stream back into a broadcast signal (costs about $200). Finally, you’ll need a power amplifier and transmit antenna.
with a 1 W (30 dBm) amplifier, whose cost is approximately $250, the attacker will be able to cover a region with radius of 477 m, or an area of 1.4 square kilometres. With a more powerful 25 W (44 dBm) amplifier, whose cost is approximately $1500, the attack can cover a region with radius 2385 m, or an area of 35 square kilometres. The attacker might have an incentive to use a lower-powered amplifier to reduce his risk of being detected by mobile triangulation methods.
Fortunately for the attacker, there are open data sets that can tell the best places to attack – high concentrations of TV sets in areas with low original broadcast signal level.
Our analysis was based on the NASA SEDAC Metropolitan Statistical Areas dataset, which records demographic and socioeconomic data for 50 US cities, with a spatial resolution of approximately 250 square meters. We cross-correlated this dataset with the FCC database of digital TV towers in the United States and with station coverage maps supplied by TV Fool [13]. The TV Fool maps use 3D propagation modelling algorithms, and consider transmitter power, terrain obstructions and Earth curvature…. In certain locations in the Inwood area, where the population density is 50,000 persons per square km, the attacker can infect 10 different stations, including CBS, NBC, Fox and the Spanish language Telemundo.
The attack would need to be carried out from the roof of an appropriately located tall building, or alternatively the relay equipment could be installed on a remote-controlled drone and flown to the appropriate location.
In summary, with about $450 worth of equipment, you can easily attack tens of thousands of hosts. Spend a little more, and you can attack hundreds of thousands of hosts.
Risk and Reward
So the capital outlay is certainly pretty low. But it is of course illegal to tamper with the broadcast signal. What’s the risk of getting caught?
In traditional Internet-borne attacks, it is always assumed that the attacker is himself present on the Internet before he can deliver a malicious payload to his victims. The attacker’s IP and DNS entries can then be used by intrusion protection services and law enforcement agencies to protect against the attack as it occurs, and to trace and prosecute its perpetrators after it has concluded. In contrast, our attacker needs no such infrastructure to deliver its malicious payload. It is surprisingly simple and inexpensive to build a digital terrestrial television (DTT) transmitter and use it to reach thousands of potential hosts. After the attack concludes, the attacker leaves no trace of his activities in the form of IP or DNS transactions.
Law enforcement agencies track unlicensed transmitters by triangulation methods, sending multiple car-mounted receivers to the vicinity of the attack.
Considering that the attack we describe has a very limited geographical signature, operates for a very limited time (potentially only a few minutes), and causes no visible adverse effects to the user, it is highly unlikely that the attacker will be caught by these methods.
Section 7 of the paper has an interesting breakdown of the economic costs and benefits of different attacks assuming conservatively that the attack compromises 10,000 hosts.
- DDOS probably isn’t cost effective – you can already rent 20,000 hosts for a DDOS attack for about $5/hour.
- Unauthenticated request forgery can be used for advertising click fraud, netting an estimated $2500 per attack even if each compromised host clicks on only a single ad.
- Authenticated request forgery is even more valuable:
…according to [38] a verified Facebook account can retail for as much as $1.50, giving the attacker a potential income of $15,000 per attack. Once users begin using their Smart TVs for additional activities such as shopping, the impact of this attack will only grow…
Still here? Shouldn’t you be off disconnecting your TV from the internet… ? 🙂