BACK IN 2014, before the great global purge of sanity, we reported on a theory that your smart TV could be attacked by simply flying a drone near enough to transmit a fake signal.
Then Brexit, Trump and Love Island happened and everything went weird. But now a demo at the Defcon hacker convention shows that the struggle is real and demonstrates exactly what chaos it's capable of causing.
In the proof-of-concept demo carried out live on stage, security researcher Pedro Cabrera showed how the lack of security implemented in most smart TVs lets him attack televisions that use HbbTV, which has been designed as an eventual international standard for smart TVs.
The rollout in the UK has so far been largely experimental, with the BBC's red button offerings running simultaneously on MHEG and HbbTV. The system has already rolled out more fully in places like Spain and Germany. It's also the backbone of the Freeview Plus hybrid TV service, though not of its biggest terrestrial rival, YouView (which powers BT/TalkTalk/Plusnet).
The demo illustrates how a fly-by can be used to do everything from injecting code to extracting passwords, all without anything beyond a basic ‘handshake’.
"The lack of security means we can broadcast with our own equipment anything we want, and any smart TV will accept it," Cabrera says, as per Wired. "The transmission hasn't been at all authenticated. So this fake transmission, this channel injection, will be a successful attack."
The issue seems to centre around an oversight. Most pages of interactive TV are actually specially designed and formatted web pages. As such, any vulnerabilities that a web page can dish out can be exploited by a rogue signal - only with a fraction of the protection that your PC will have.
What's more disturbing than anything here is the fact that these are the same concerns floated in our 2014 report and in a demonstration back in 2017, which used the same techniques to take full and permanent control over a Samsung TV set.
More worrying still, according to Rafael Scheel, who was responsible for that 2017 demo, the HbbTV Association has created an encryption method to put a stop to this kind of thing, but no manufacturer has incorporated it into their firmware. μ