Smart TVs are the latest product to be exposed to dangerous vulnerabilities that can be exploited by burying malicious code in signals sent to the connected devices and even able to attack other devices in the home.
Researchers have found a loophole in the technology used in the advanced sets that allows attackers to hijack TVs in a straightforward way, leave no trace, and do anything that the owner of the TV can do.
The attack exploits the Hybrid Broadcast Broadband TV [HbbTV] standard that is supported by all TV sets sold across Europe and is implemented to allow advertisers to do a better job at targeting users by sending tailored adverts to the sets.
"For this attack you do not need an Internet address, you do not need a server," Yossef Oren, from the Network Security Lab at Colombia University, explained to Forbes. "You just need a roof and an antenna and once you are done with your attack, there's completely no trace of you".
Oren, and his fellow researcher Angelos Keromytis, added that detecting and subsequently halting such an attack is a difficult proposition and once the set is hijacked it can be used to find other vulnerable devices in the home or launch attacks across the Internet.
The researchers told the BBC that one example of how the vulnerability could be used involves owners that have logged into Facebook and the attackers can post messages to the social network on the user’s behalf.
More concerning is the researchers’ belief that it could be used to scan devices on a home network for vulnerabilities and then display messages on the screens requesting credit card details or other sensitive information.
Attackers would only need to buy a $250 antenna to reach thousands of sets in an area where many people own them and a larger antenna would allow the attack area to be considerably larger.
Over 60 broadcasters in Europe have signed up to use the HbbTV technology and millions of sets on the continent have the potential to be exploited, though Oren did add that he doesn’t think the technology’s security needs an entire rewrite.
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.