Abstract
In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content that is rendered by the television. This system is already in very wide deployment in Europe and has recently been adopted as part of the American digital television standard. Our analyses of the specifications, and of real systems implementing them, show that the broadband and broadcast systems are combined insecurely. This enables a large-scale exploitation technique with a localized geographical footprint based on Radio Frequency (RF) injection, which requires a minimal budget and infrastructure and is remarkably difficult to detect. In this article, we present the attack methodology and a number of follow-on exploitation techniques that provide significant flexibility to attackers. Furthermore, we demonstrate that the technical complexity and required budget are low, making this attack practical and realistic, especially in areas with high population density: In a dense urban area, an attacker with a budget of about 450 can target more than 20,000 devices in a single attack. A unique aspect of this attack is that, in contrast to most Internet of Things/Cyber-Physical System threat scenarios, where the attack comes from the data network side and affects the physical world, our attack uses the physical broadcast network to attack the data network.
Attacking the Internet Using Broadcast Digital Television