The Internet of Things is growing at a rapid pace, but along with it grows the cyberthreat possibilities for connected devices. Security researcher Rafael Scheel of Oneconsult has developed a proof-of-concept exploit for attacking a wide range of Smart TVs without having any sort of physical access to them.
The PoC uses rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals, embedding them with malicious code using a low-cost transmitter. The rogue signals are then broadcast to nearby devices to compromise them and force them to carry out DDoS attacks, spy on the compromised Smart TVs’ users and so on.
Scheel demonstrated a live attack at the European Broadcasting Union (EBU) Media Cyber Security Seminar recently, and noted that almost 90 percent of Smart TVs sold over the past few years were susceptible to such an attack.
DVB-T-based transmitters are used by most Smart TV models to connect to the Internet, and this is what the exploit relies on to work. Basically, the exploits make use of two known privilege escalation vulnerabilities in the web browser of these TVs, which is constantly running in the background. Once attacked, the hacker pretty much gains control over these connected devices in a way that even a factory reset or a reboot can get rid of the infection.
The attack described and demonstrated by Scheel is even more dangerous that the Weeping Angel attack revealed by the WikiLeaks exposure of CIA documents because it eliminates the need for physical access to the devices themselves.
To say that this new exploit is dangerous would be a gross understatement. According to eMarketer, as of 2016 it was estimated that there were 181.6 million users of connected TVs in the United States alone. This includes users of streaming devices connected to their TV sets, like Google Chromecast, Amazon Fire TV and Roku, but a significant portion of them are Smart TVs that rely onDVB-T technology.
Although this particular hack requires the attacker to be ‘nearby’, the amount of damage that can be done within that limited area is mind-numbing, especially if it’s carried out in a highly populated metro.
Technology companies like Google and Amazon, as well as Smart TV majors like Sony, LG and Samsung, will need to work together to fight such threats, which can only get worse as the user base grows. By 2020 that user base is expected to cross 202 million.
It’s bad, and it’s in your home. And what can you do about it? Nothing, other than disconnect your Smart TV from the Internet, which defeats the purpose of buying them in the first place. But, unfortunately, until these vulnerabilities are quickly patched, users will continue to be at risk.
Thanks for reading our work! If you enjoyed it and found value, please share it using the social media share buttons on this page. If you have something to tell us, there’s a comments section right below, or you can contact@1redDrop.com us.