Internet TVs - The Latest Attack Vector: Researchers Hack Internet Enabled TVs, Discover Multiple Security Vulnerabilities

Was your home lucky enough to get a new Internet enabled TV over the holidays? If so, you’re probably quite excited and enjoying the features of your new digital media hub while you sit back and sip on some eggnog or hot chocolate from your couch – which you should. But you may also want to be careful, as Internet TVs could be the newest avenue for cybercriminals to infiltrate your home or business. (I know, more FUD from a security vendor, but this is actually interesting stuff and they were able to show us how it was done)

Security researchers have discovered several security flaws in one of the best-selling brands of Internet-connected HDTVs, and believe it’s likely that similar security flaws exist in other Internet TVs.

During the course of its research, Mocana, the security firm that discovered the flaws, demonstrated that the TV’s Internet interface failed to confirm script integrity before scripts were run. As a result, an attacker could intercept transmissions from the television to the network using common “rogue DNS”, “rogue DHCP server”, or TCP session hijacking techniques. Mocana was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device's Internet functionality. This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer’s permission. More importantly, however, this same mechanism could be used to extract sensitive credentials from the TV’s memory, or prompt the user to fill out fake online forms to capture credit card information. (Mocana did issue a technical report on the details of the security vulnerabilities which is available here - short registration required)

Additionally, researchers were able to recover the manufacturer’s private “third-party developer keys” from the television, because in many cases, these keys were transmitted unencrypted and “in the clear.” Many third-party search, music, video and photo-sharing services delivered over the Internet require such keys, and a big TV manufacturer often purchases high-volume “special” access privileges to these service provider’s networks. A hacker could potentially employ these keys, for example, to access these high-volume services at no charge (or at least, on the TV manufacturer’s bill).

The developer keys identified during their review, with the run- time ability to obtain other authenticators as described elsewhere in their report include:

Pandora Request - Key: dc7fb2c483dabd96d641e50676e49ec09d20fd3913543b088684ff488ec4 e82a

Pandora Sync Time - Key: e387bc2b437de156b999878a28be18389d20fd3913543b088684ff488ec 4e82a

Google YouTube - Key: AI39si7jB9CE4nuJ3u1PT0-XJwSjZJ3WwJWV2YVHwZxmKvI-2U7gMDc0cQCw0Nc7GOx CLObL3NSnY9AkJ5wKU_0KUmo_7BFMKA

The Weather Channel - Key: e88d2de8-a740-102c-bafd-001321203584

What can happen as a result of these vulnerabilities? Researchers from Mocana were able to show that attackers may be able to leverage the Internet-connected TVs to hack into a consumer’s home network and potentially:

• Present fake credit card forms to fool consumers into giving up their private information.

• Intercept and redirect Internet traffic to and from the HDTV, which could be used fool consumers into thinking that “imposter” banking and commerce websites were legitimate.

• Steal and co-op the TV manufacturer’s digital “corporate credentials” to gain special VIP access to backend services from third-party organizations including popular search engine, video streaming and photo sharing sites.

• Monitor and report on consumers’ private Internet usage habits without their knowledge.

Mocana said its researchers have met with the manufacturer to help them correct the security flaws and agreed not to disclose the manufacturer’s name until a fix is issued and have thus blocked out the manufacturer name from the vulnerability assessment details.

“Internet connected HDTVs are huge sellers this holiday season. But a lot of manufacturers are rushing Internet-connected consumer electronics to market without bothering to secure them. I think this study demonstrates how risky it is to ‘connect first, worry later’, and suggests that consumer electronics companies that might lack internal security expertise should seek it out, before connecting their portfolio of consumer devices to the Internet,” said Adrian Turner, Mocana’s CEO.

The flaws Mocana uncovered should raise questions about the security of consumer electronics in general—which manufacturers are scrambling to connect to the Internet, often with little or no security technology on board. Mocana’s researchers felt that while vulnerabilities may vary from brand to brand, it is reasonable to assume that many other IPTVs from many other manufacturers share similar problems.

“While much public discussion is currently focused on the recent explosion of smartphones, what’s not being talked about is that fact that the vast majority of new devices coming onto the Internet aren’t phones at all: they are devices like television sets, industrial machines, medical devices and automobiles – devices representing every conceivable industry. And the one thing that all these manufacturers have in common is that, unlike the computing industry, they don’t have deep experience in security technology,” added Turner.

Market research firm DisplaySearch, predicted that over 40 million Internet-accessible TVs were shipped worldwide in 2010 and that this number will grow to 118 million global shipments by 2014. Mocana recommends that consumers be careful, until such devices are tested and certified safe in a systematic way.

Related Security Research

• Vulnerability Assessment of Internet Connected HDTVs

• Mobile & Smart Device Security Survey 2010

• Security Focus on Consumer Electronics

• Mitigation of Security Vulnerabilities on Android & Other Open Handset Platforms w/ BONUS Free Software