skip to main content
research-article

Attacking the Internet Using Broadcast Digital Television

Authors Info & Claims
Published:13 April 2015Publication History
Skip Abstract Section

Abstract

In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content that is rendered by the television. This system is already in very wide deployment in Europe and has recently been adopted as part of the American digital television standard. Our analyses of the specifications, and of real systems implementing them, show that the broadband and broadcast systems are combined insecurely. This enables a large-scale exploitation technique with a localized geographical footprint based on Radio Frequency (RF) injection, which requires a minimal budget and infrastructure and is remarkably difficult to detect. In this article, we present the attack methodology and a number of follow-on exploitation techniques that provide significant flexibility to attackers. Furthermore, we demonstrate that the technical complexity and required budget are low, making this attack practical and realistic, especially in areas with high population density: In a dense urban area, an attacker with a budget of about 450 can target more than 20,000 devices in a single attack. A unique aspect of this attack is that, in contrast to most Internet of Things/Cyber-Physical System threat scenarios, where the attack comes from the data network side and affects the physical world, our attack uses the physical broadcast network to attack the data network.

References

  1. Advanced Television Systems Committee. 2008. ATSC Recommended Practice: Transmission Measurement and Compliance for Digital Television. Retrieved from http://www.atsc.org/cms/standards/a_64b.pdf.Google ScholarGoogle Scholar
  2. Advanced Televi sion Systems Committee. 2014. A/105: ATSC Candidate Standard—Interactive Services Standard. (April 2014).Google ScholarGoogle Scholar
  3. Avalpa Digital Engineering. 2014. OpenCaster: The Free Digital TV Software. Retrieved from http://www.avalpa.com/the-key-values/15-free-software/33-opencaster.Google ScholarGoogle Scholar
  4. A merican Radio Relay League. 2013. 2014 ARRL Handbook for Radio Communications (91st ed.). American Radio Relay League. http://amazon.com/o/ASIN/1625950004/.Google ScholarGoogle Scholar
  5. A. Barth. 2011. The Web Origin Concept. RFC 6454 (Proposed Standard). (Dec. 2011).Google ScholarGoogle Scholar
  6. Adam Barth, Collin Jackson, and John C. Mitchell. 2008. Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS’08). ACM, New York, NY, 75--88. DOI:http://dx.doi.org/10.1145/1455770.1455782 Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Armin Büscher and Thorsten Holz. 2012. Tracking DDoS attacks: Insights into the business of disrupting the web. In Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats (LEET’12). 8--8. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. BeEF development team. 2014. The Browser Exploitation Framework. Retrieved from http://beefproject.com.Google ScholarGoogle Scholar
  9. Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, and Tadayoshi Kohno. 2011. Comprehensive experimental analyses of automotive attack surfaces. In Proceedings of the 20th USENIX Conference on Security (SEC’11). 6--6. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. European Broadcasting Union. 2011. Support for use of the DVB Scrambling Algorithm version 3 within digital broadcasting systems. ETSI TS 100 289 V1.1.1. (Sept. 2011).Google ScholarGoogle Scholar
  11. European Broadcasting Union. 2012. Hybrid Broadcast Broadband TV. ETSI TS 102 796 V1.2.1. (Sept. 2012).Google ScholarGoogle Scholar
  12. European Commision. 2013. Special Eurobarometer 396—e-Communications Household Survey. Retrieved from http://ec.europa.eu/digital-agenda/en/news/special-eurobarometer-396-e-communications-household-survey.Google ScholarGoogle Scholar
  13. Edward Felten, Andrew Appel, and David Walker. 1996. DNS-Based Attack on Java. Retrieved from http://sip.cs.princeton.edu/news/dns-spoof.html.Google ScholarGoogle Scholar
  14. Federal Communications Commission. 2001. Review of the Commission’s Rules and Policies Affecting the Conversion to Digital Television. Retrieved from http://fjallfoss.fcc.gov/edocs_public/attachmatch/FCC-01-24A1.pdf.Google ScholarGoogle Scholar
  15. Marco Ghiglieri, Florian Oswald, and Erik Tews. 2013. HbbTV - I know what you are watching. In 13. Deutschen IT-Sicherheitskongresses. BSI, SecuMedia Verlags-GmbH.Google ScholarGoogle Scholar
  16. Marco Ghiglieri and Erik Tews. 2014. A privacy protection system for HbbTV in smart TVs. In Proceedings of the Consumer Communications and Networking Conference (CCNC’14).Google ScholarGoogle ScholarCross RefCross Ref
  17. Google Inc. 2013. Google Inc. Announces Third Quarter 2013 Results. Retrieved from http://investor.google.com/pdf/2013Q3_google_earnings_release.pdf.Google ScholarGoogle Scholar
  18. Google, Inc. 2014. Chrome Extensions -- Content Security Policy. Retrieved from http://developer.chrome.com/extensions/contentSecurityPolicy.html.Google ScholarGoogle Scholar
  19. Aaron Grattafiori and Josh Yavor. 2013. The Outer Limits: Hacking the Samsung Smart TV. Retrieved from https://www.blackhat.com/us-13/briefings.html#Grattafiori.Google ScholarGoogle Scholar
  20. Robert “RSnake” Hansen. 2007. Stealing Mouse Clicks for Banner Fraud. Retrieved from http://ha.ckers.org/blog/20070116/stealing-mouse-clicks-for-banner-fraud/.Google ScholarGoogle Scholar
  21. Martin Herfurt. 2013a. Security Concerns with HbbTV. BerlinSides 0x04 Lightning Talks. Retrieved from http://mherfurt.wordpress.com/2013/06/01/security-concerns-with-hbbtv/.Google ScholarGoogle Scholar
  22. Martin Herfurt. 2013b. Security Issues with Hybrid Broadcast Broadband TV. 30’th Chaos Computer Convention. Retrieved from https://events.ccc.de/congress/2013/Fahrplan/events/5398.html.Google ScholarGoogle Scholar
  23. International Standards Institute. 2013. Information technology -- Generic coding of moving pictures and associated audio information—Part 1: Systems. ISO/IEC 13818-1. (May 2013).Google ScholarGoogle Scholar
  24. International Telecommunication Union. 2014. Planning criteria, including protection ratios, for digital terrestrial television services in the VHF/UHF bands. ITU R-REC-BT.1368. (Feb. 2014).Google ScholarGoogle Scholar
  25. Martin Johns, Sebastian Lekies, and Ben Stock. 2013. Eradicating DNS rebinding with the extended same-origin policy. In Proceedings of the 22nd USENIX Conference on Security (SEC’13). 621--636. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Martin Johns and Justus Winter. 2007. Protecting the intranet against javascript malware and related attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, Bernhard Hämmerli and Robin Sommer (Eds.). LNCS, Vol. 4579. Springer, Berlin, 40--59. DOI:http://dx.doi.org/10.1007/978-3-540-73614-1_3 Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Hans-Joachim Kamp. 2013. 40 Jahre gfu. Retrieved from http://www.gfu.de/srv/easyedit/_ts_1373472398000/page:home/down load/insightstrends/sl_1338454764893/args.link01/de_kamp.pdf.Google ScholarGoogle Scholar
  28. A. D. Keromytis. 2012. A comprehensive survey of voice over IP security research. IEEE Communications Surveys Tutorials 14, 2 (March 2012), 514--537. DOI:http://dx.doi.org/10.1109/SURV.2011.031611.00112Google ScholarGoogle ScholarCross RefCross Ref
  29. V. T. Lam, S. Antonatos, P. Akritidis, and K. G. Anagnostakis. 2006. Puppetnets: Misusing web browsers as a distributed attack infrastructure. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS’06). ACM, New York, NY, 221--234. DOI:http://dx.doi.org/10.1145/1180405.1180434 Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Open IPTV Forum. 2012. OIPF Specification Volume 5—Declarative Application Environment. Retrieved from http://www.oipf.tv/specifications.Google ScholarGoogle Scholar
  31. SeungJin’Beist’ Lee. 2013. Hacking, surveilling and deceiving victims on smart TV. Retrieved from https://www.blackhat.com/us-13/briefings.html#Lee.Google ScholarGoogle Scholar
  32. Dan Margolies and Greg Reeves. 2006. New York man sentenced for casstel mail, wire fraud conspiracy. Online, The Kansas City Star January (2006). Retrieved from http://blogs.kansascity.com/crime_scene/2006/01/4_years_in_cass.html.Google ScholarGoogle Scholar
  33. Mini-Circuits. 2010. ZHL-2010+ Low Noise Amplifier. Online. (December 2010). http://www.minicircuits.com/pdfs/ZHL-2010+.pdf.Google ScholarGoogle Scholar
  34. National Vulnerability Database. 2011. CVE-2011-2107: Cross-site scripting (XSS) vulnerability in Adobe Flash Player. Retrieved from http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2107.Google ScholarGoogle Scholar
  35. Tyler Nighswander, Brent Ledvina, Jonathan Diamond, Robert Brumley, and David Brumley. 2012. GPS software attacks. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS’12). ACM, New York, NY, 450--461. DOI:http://dx.doi.org/10.1145/2382196.2382245 Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Yossef Oren and Angelos D. Keromytis. 2014. From the aether to the ethernet—attacking the internet using broadcast digital television. In Proceedings of the 23rd USENIX Security Symposium, Kevin Fu and Jaeyeon Jung (Eds.). USENIX Association, 353--368. Retrieved from https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/oren. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. QGIS Project. 2014. QGIS—A Free and Open Source Geographic Information System. Retrieved from http://qgis.org.Google ScholarGoogle Scholar
  38. Theodore Reed, Joseph Geis, and Sven Dietrich. 2011. SkyNET: A 3G-enabled mobile attack drone and stealth botmaster. In Proceedings of the 5th USENIX Conference on Offensive Technologies (WOOT’11). 4--4. Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. L. Seirup and G. Yetman. 2006. U.S. Census Grids (Summary File 3), 2000: Metropolitan Statistical Areas. Retrieved from http://sedac.ciesin.columbia.edu/data/set/usgrid-summary-file3-2000-msa.Google ScholarGoogle Scholar
  40. Ofer Shezaf. 2007. The Universal XSS PDF Vulnerability. Retrieved from https://owasp.com/images/4/4b/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf.Google ScholarGoogle Scholar
  41. Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor. 2009. Crying wolf: An empirical study of SSL warning effectiveness. In Proceedings of the 18th USENIX Conference on Security (SEC’09). 399--416. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. The Diffusion Group. 2013. Connected TVs Now Present in Six of Ten US Broadband Households. Retrieved from http://tdgresearch.com/connected-tvs-now-present-in-six-of-ten-us-broadband-households.Google ScholarGoogle Scholar
  43. The Nielsen Company. 2014. Local Television Market Universe Estimates. Retrieved from http://www.tvb.org/media/file/TVB_Market_Profiles_Nielsen_TVHH_DMA_Ranks_2013-2014.pdf.Google ScholarGoogle Scholar
  44. Kurt Thomas, Damon McCoy, Chris Grier, Alek Kolcz, and Vern Paxson. 2013. Trafficking fraudulent accounts: The role of the underground market in twitter spam and abuse. In Proceedings of the 22nd USENIX Conference on Security (SEC’13). 195--210. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Anne van Kesteren and Tantek Çelik. 2014. Fullscreen API Living Standard. Retrieved from http://fullscreen.spec.whatwg.org.Google ScholarGoogle Scholar
  46. V ideoLAN Organization. 2014. VLC Media Player. Retrieved from http://www.videolan.org/vlc/index.html.Google ScholarGoogle Scholar

Index Terms

  1. Attacking the Internet Using Broadcast Digital Television

      Recommendations

      Comments

      Login options

      Check if you have access through your login credentials or your institution to get full access on this article.

      Sign in

      Full Access

      • Published in

        cover image ACM Transactions on Information and System Security
        ACM Transactions on Information and System Security  Volume 17, Issue 4
        April 2015
        127 pages
        ISSN:1094-9224
        EISSN:1557-7406
        DOI:10.1145/2756875
        • Editor:
        • Gene Tsudik
        Issue’s Table of Contents

        Copyright © 2015 ACM

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 13 April 2015
        • Revised: 1 January 2015
        • Accepted: 1 January 2015
        • Received: 1 September 2014
        Published in tissec Volume 17, Issue 4

        Permissions

        Request permissions about this article.

        Request Permissions

        Check for updates

        Qualifiers

        • research-article
        • Research
        • Refereed

      PDF Format

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader
      About Cookies On This Site

      We use cookies to ensure that we give you the best experience on our website.

      Learn more

      Got it!