A newly discovered vulnerability affects various smart TVs and could allow a would-be hacker to exploit your entire system. The threat lasts as long as you use an affected app, but once the malware is placed, the app itself is compromised. Called a “Red Button Attack”, the vulnerability is already widespread in Europe, and could be working its way to the US and other territories.
The Red Button Attack (so named because of the red button on your TV remote that accesses web content, like “On Demand” and the like) affects a TV that uses the new Hybrid Broadcast Broadband TV (HbbTV) standard for smart TVs, which currently exists on a number of TVs in Europe. Forbes reports about 90% of German Smart TVs use the standard, and HbbTV has recently been added to the NTSC standard for connected TVs in the US.
HbbTV notably allows advertisers to target users with ads tied to what they are watching (like watching a food show and getting coupons for a grocery store). The flaw was first discovered by Yossi Oren and Angelos Keromytis at the Columbia University Network Security Lab, with a paper on the subject being published in August. The duo presented their findings to the HbbTV standards panel in December, but were told the exploit wasn’t significant enough to warrant attention.
The exploit is a traditional “Man In The Middle” hack, wherein a hacker essentially inserts themselves between a user and the server they’re accessing. The malware is placed in the apps on a Smart TV once the connection is established, even when those apps were securely downloaded from an approved app store. Once your app is used on the TV to broadcast a stream, it’s open to the hack. Once placed in the app, malware can potentially access your network (if your router is unsecured) and even gain entry into your social media profiles, cloud storage, or any other account you stay signed into.
You might be wondering how this happens, with web security such a point of interest to us all. The issue is that a Smart TV app is basically left without a point of origin when used, left “twisting in the wind” if you will. When used, it accesses both our network and the content we want, compromising both points.
There are ways we can avoid being compromised (at least to a greater extent), says Yossi Oren, one of the discoverers of the issue. Short of denying Internet service to anything that uses HTML, we could monitor the smart TV as a network. Signal anomalies would be noticed, and it might even be possible to find the compromised TV if multiple ones were used.