Millions of smart TVs could be hijacked by code buried in signals broadcast to the connected devices, security experts warn. The attack exploits loopholes in widely used technology that helps smart TVs receive tailored adverts.
Once hijacked, the TVs could be made to send messages on behalf of attackers, find other vulnerable devices in a home or launch other attacks across the net. The attack uses the Hybrid Broadcast Broadband TV (HbbTV) standard that is widely supported in smart television sets sold in Europe.
Yossef Oren and Angelos Keromytis, from the Network Security Lab, at Columbia University, told Forbes magazine they have found a way to hijack HbbTV using a cheap antenna and carefully crafted broadcast messages. “For this attack you do not need an internet address… You just need a roof and an antenna and once you are done with your attack, there’s completely no trace of you.”
The attacker can then mimic the real user, the researchers said; if owners had logged in to Facebook via a TV app, the attack could be used to post messages on the social network on that person’s behalf.
Alternatively, wrote the researchers in a paper, the loopholes could be used to bombard a target website with data or to log spurious votes or clicks.
In areas where lots of people owned smart TVs, a $250 antenna could reach thousands of people, said Oren. A bigger antenna could extend the reach of the attack considerably, he added.
Millions of smart TVs use HbbTV across Europe, and more than 60 broadcasters in the region have signed up to use the technology.
Oren said the standards body that oversaw HbbTV had been told about the security loophole. However, he added, the body did not think the threat from the attack was serious enough to require a re-write of the technology’s security.