Two security researchers from Columbia University have turned their attention to a class of drive-by attacks that could be launched against smart televisions through the red button feature on the remote control. The reach of the attack extends to all devices connected to the smart TV.
Yossef Oren and Angelos Keromytis found that bad actors could penetrate smart TVs that embed the feature, called Hybrid Broadcast Broadband Television (HbbTV), which has been around since 2010. The attacks could be carried out when viewers turn to a channel that has already been compromised, so attackers only need to spread their work through that channel. The feature works by executing HTML code on smart TVs.
For smart TV users in Europe, where the feature is widely popular, the attacks tend to take place in the background, so unsuspecting users have no way to notice them. That is because even the channel's signal feed shows no sign of interference.
In other words, users become victims simply by tuning in to a particular channel. That makes it easy for criminals to launch waves of distributed attacks of varying severity and scope, including phishing campaigns, distributed denial of service (DDoS) attacks, unauthenticated and validated request forgeries, fake intranet requests, and social engineering.
What are the risks from these attacks? A forged intranet request can compromise a user's router, printer, or any other external device tethered to the smart TV under attack. Hackers could also gain unauthorized access to a user's social network and email accounts through a fake unauthenticated request.
The flaw arises from an unstable mix of broadband and broadcast technologies in the Hybrid Broadcast Broadband Television feature. The security researchers noted that the attacks could have a serious impact on victims because they could target a large number of devices in one fell swoop, and protecting system-to-system links is hard to achieve given the heterogeneous combination of Internet and non-Internet interfaces.
The good news for smart TV owners in the United States is that the red button feature has not yet gained traction in the country. There is also a barrier for hackers: they need to mount a stronger signal than that of the cable service provider in order to carry out the attack.
The recent findings shed light on vulnerabilities that companies and users moving into the Internet of Things realm should take into serious consideration.