There are times when it may be extremely unwise for a “standards body” to label an attack as “too expensive,” adding that it would result in “limited pay-off to the attackers.” Security researchers who bothered to responsibly disclose the flaws might plow right ahead with their research to prove that “in a dense urban area, an attacker with a budget of about $450 can target more than 20,000 devices in a single attack.” When you toss in the potential to make $15,000 per “untraceable” attack, then shady characters might think that’s $450 well spent.
It’s increasingly common for households to have at least one TV that is connected to the Internet, either directly or via a console or set-top box. The Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV) and created a global industry standard for hybrid entertainment services. HbbTV “allows broadcast streams to include embedded HTML content which is rendered by the television.” For example, you may have used the Red Button on your TV remote control to vote in a poll or control other interactive TV features. As often happens, this “feature” is also a flaw, exploitable via a man-in-the-middle “Red Button attack.”
At the upcoming 23rd USENIX Security Symposium, Columbia University’s Yossef Oren and Angelos D. Keromytis will present “From the Aether to the Ethernet – Attacking the Internet using Broadcast Digital Television” (pdf). They explained that unlike most “Internet of Things/Cyber-Physical System threat scenarios where the attack comes from the data network side and affects the physical world, our attack uses the physical broadcast network to attack the data network.”
The essence of the problem we address lies in that the hybrid TV now connects the broadcast domain, which has no authentication or protection infrastructure, to the broadband Internet domain. This allows the attacker to craft a set of attacks which uniquely do not attack the TV itself, but instead attack through the TV.
After the researchers responsibly disclosed the vulnerabilities, their concerns were basically blown off as too expensive. Yet according to their analysis, the attack setup would cost about $450, and each attack would cost another $50 per hour (a figure that includes compensation for the risk taken by the attacker) to impact a conservative 10,000 hosts.
Invisible and unstoppable attacks
A Distributed Denial of Service (DDoS) attack, for example, could involve more than 20,000 hosts for $5 per hour. An attacker could make about $2,500 per unauthenticated request forgery attack. For an authenticated request forgery, an attacker could potentially make $15,000 per attack.
Other attacks include intranet request forgery, exploit distribution and phishing/social engineering. All attacks except for social engineering “take place without the user’s knowledge or consent, requiring the user to do nothing more than keep his TV turned on and tuned to his favorite channel.”
In fact, the researchers explained, “The unique physical characteristics of the broadcast TV medium allow these attacks to be easily amplified to target tens of thousands of users, while remaining completely undetectable. Remarkably, the attacker does not even require a source IP address.”
The attacks were repeatedly described as “untraceable” or “invisible and unstoppable.” None of the attacks “are restricted in any way by HbbTV’s security mechanisms” and “the security implications of this design decision are staggering.”
This research is “the first to present and evaluate a cost-effective method of injecting malicious content into HbbTV systems, by using an RF-based man-in-the-middle attack.” It is also the “first to call attention to the flawed specification of the same-origin policy for embedded HTML content, and to the devastating cross-domain attacks made possible by this flaw. It is the combination of a feasible attack model and a faulty security model which makes the attacks described in this paper so practical and so dangerous.”
After describing the security flaws, a series of novel attacks and potential countermeasures, the researchers concluded:
The key enabling factor of this attack was the fact that the device can render Internet content whose source is outside the Internet. This makes it possible for a physical attacker to cause a large-scale compromise of the Internet. We qualitatively and quantitatively demonstrated that the attacks we described can be cost-effectively distributed to many thousands of users, and that they have a large damage potential. The attacks described in this paper are of high significance, not only because of the very large number of devices which are vulnerable to them, but because they exemplify the complexity of securing systems-of-systems which combine both Internet and non-Internet interfaces. Similar cyber-physical systems will become increasingly more prevalent in the future Internet of Things, making it especially important to analyze the weaknesses in this system, as well as the limitations of its proposed countermeasures.
If you are fascinated by new types of attacks, then I highly recommend that you read the very interesting research paper, “From the Aether to the Ethernet – Attacking the Internet using Broadcast Digital Television” (pdf).