Columbia University security researchers claims this vulnerability in the way interactive apps work on many so-called Smart TVs could allow teams of relatively unskilled hackers to attack thousands of devices at once.
Their analyses of the specifications, and of real systems implementing them, show that the broadband and broadcast systems are combined insecurely.
This system is already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard.
Broadcasters and advertisers have been eager to use the HbbTV to target ads more precisely and add interactive content, polls, shopping and apps, to home viewers.
Millions of TV sets would be vulnerable to hackers with the right gear, as long as the sets are receiving an over-the-air digital broadcast signal.
“Red Button” content, where applications are launched on a smart TV during a programme by pressing a red button on the remote, typically displayed on screen as an invitation to press said button. But the researchers write that applications can also run invisibly in the background.
TVs are wide open for business, connected to home networks and social sites and apps that can lead to a hacker deeper into homeowners’ Web presence and physical security.
Researchers demonstrate that the technical complexity and required budget are low, making this attack practical and realistic, especially in areas with high population density in a dense urban area, an attacker with a budget of about $450 can target more than 20,000 devices in a single attack.
In contrast to most Internet of Things/Cyber-Physical System threat scenarios where the attack comes from the data network side and affects the physical world, our attack uses the physical broadcast network to attack the data network.
