For all the focus on locking down laptops and smartphones, the biggest screen in millions of living rooms remains largely unsecured, even after years of warnings. Smart TVs today can fall prey to any number of hacker tricks—including one still-viable radio attack, stylishly demonstrated by a hovering drone.

At the Defcon hacker conference Sunday, independent security researcher Pedro Cabrera showed off, in a series of hacking proof of concept attacks, how modern TVs—and particularly smart TVs that use the internet-connected HbbTV standard implemented in his native Spain, across Europe, and much of the rest of the world—remain vulnerable to hackers. Those techniques can force TVs to show whatever video a hacker chooses, display phishing messages that ask for the viewer's passwords, inject keyloggers that capture the user's remote button presses, and run cryptomining software. All of those attacks stem from the general lack of authentication in TV networks' communications, even as they're increasingly integrated with internet services that can allow a hacker to interact with them in far more dangerous ways than in a simpler era of one-way broadcasting.

"The lack of security means we can broadcast with our own equipment anything we want, and any smart TV will accept it," Cabrera says. "The transmission hasn’t been at all authenticated. So this fake transmission, this channel injection, will be a successful attack."

"We could also design this attack to cover a whole town, or even a whole country." Pedro Cabrera, Security Researcher

In the video below, Cabrera shows the simplest form of that injection, albeit with a somewhat flashy implementation involving a DJI quadcopter drone. By simply hovering a drone equipped with a software-defined radio near a TV antenna, he can transmit a signal that's more powerful than the one broadcast by legitimate TV networks, overriding the legitimate signal and displaying his own video on the TV. But he says the same attack could be carried out with nothing more than a stronger amplifier on his radio. "If I want to target my neighbor, the easiest way is with an amplifier and a directional antenna, and then for sure my signal will be received much more than strongly than the original one, so my neighbor will get my channel," says Cabrera. "In this case the attack is just a mater of range and amplifiers."

A series of other attacks he demonstrated take advantage of HbbTV, or hybrid broadcast broadband TV standard, which allows TVs to connect to the internet and receive interactive content. Cabrera can, with the same radio-based signal override, trick HbbTV smart TVs into connecting to the URL of a web server he controls, so that his own code runs on the targeted television. He says he didn't test the ATSC standard used in the US, and that unlike HbbTV the US standard don't send or pull data from URLs, so his attacks wouldn't work there.