Using a Drone and HackRF to Inject URLs, Phish For Passwords on Internet Connected TVs by Hijacking Over the Air Transmissions

There is nothing wrong with your television set. Do not attempt to adjust the picture. We are controlling transmission.

At this year's Defcon conference, security researcher Pedro Cabrera held a talk titled "SDR Against Smart TVs; URL and channel injection attacks" that showed how easy it is to take over a modern internet connected smart TV with a transmit capable SDR and drone. The idea he demonstrated is conceptually simple: just broadcast a more powerful signal so that the TV will begin receiving the fake signal instead. However, instead of transmitting with extremely high power, he makes use of a drone that brings a HackRF SDR right in front of the target's TV antenna. The HackRF is a low cost $100-$300 software defined radio that can transmit.

Title Slide from the Defcon 27 Talk: SDR Against Smart TVs; URL and channel injection attacks.

While the hijacking of TV broadcasts is not a new idea, Pedro's talk highlights the fact that smart TVs now expose significantly more security risks to this type of attack. In most of Europe, Australia, New Zealand and some places in Western Asia and the Middle East, smart TVs use the HbbTV standard. This allows for features like enhanced teletext, catch-up services, video-on-demand, EPG, interactive advertising, personalisation, voting, games, social networking, and other multimedia applications to be downloaded or activated on your TV over the air via the DVB-T signal.

The HbbTV standard carries no authentication. By controlling the transmission, it's possible to display fake phishing messages that ask for passwords and transmit the information back over the internet. A hacker could also inject key loggers and install cryptominers.
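For anyone monitoring their own multiplex, the URL an HbbTV set is told to load is signalled in the Application Information Table (AIT) of the transport stream. The sketch below is an added example, not code from Pedro's talk: it parses one AIT section (layout per ETSI TS 102 809) and lists application URLs whose host is outside an allowlist. The host names, the allowlist and the sample section are constructed assumptions, and CRC_32 is not verified.

```python
import struct
from urllib.parse import urlsplit

AIT_TABLE_ID, HBBTV_APP_TYPE = 0x74, 0x0010
CONTROL = {0x01: "AUTOSTART", 0x02: "PRESENT"}
u16 = lambda b, i: struct.unpack_from(">H", b, i)[0]

def descriptors(buf):  # yield (tag, payload) for each descriptor in a loop
    i = 0
    while i + 2 <= len(buf):
        yield buf[i], buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def ait_urls(section):
    """Return [(control_code, url)] for the HbbTV apps signalled in one AIT section."""
    if len(section) < 16 or section[0] != AIT_TABLE_ID:
        raise ValueError("not an AIT section")
    body = section[3:3 + (u16(section, 1) & 0x0FFF) - 4]   # strip CRC_32 (not verified)
    if len(body) < 9 or u16(body, 0) & 0x7FFF != HBBTV_APP_TYPE:
        return []
    pos = 7 + (u16(body, 5) & 0x0FFF)                      # skip common descriptors
    if pos + 2 > len(body):
        raise ValueError("truncated AIT section")
    end = pos + 2 + (u16(body, pos) & 0x0FFF)
    pos, apps = pos + 2, []
    while pos + 9 <= min(end, len(body)):
        dlen = u16(body, pos + 7) & 0x0FFF
        base = path = ""
        for tag, data in descriptors(body[pos + 9:pos + 9 + dlen]):
            if tag == 0x02 and len(data) > 3 and data[:2] == b"\x00\x03":  # HTTP transport
                base = data[4:4 + data[3]].decode("ascii", "replace")
            elif tag == 0x15:                              # simple application location
                path = data.decode("ascii", "replace")
        apps.append((CONTROL.get(body[pos + 6], hex(body[pos + 6])), base + path))
        pos += 9 + dlen
    return apps

def unexpected_apps(section, allowed_hosts):  # apps hosted outside the known set
    return [(c, u) for c, u in ait_urls(section) if urlsplit(u).hostname not in allowed_hosts]

def sample_section(base, path):
    """Constructed AIT section for the demo (not a capture): one AUTOSTART app, CRC zeroed."""
    desc = bytes([0x02, 5 + len(base)]) + b"\x00\x03\x01" + bytes([len(base)]) + base + b"\x00"
    desc += bytes([0x15, len(path)]) + path
    app = b"\x00\x00\x00\x01\x00\x01\x01" + struct.pack(">H", 0xF000 | len(desc)) + desc
    body = b"\x00\x10\xc1\x00\x00\xf0\x00" + struct.pack(">H", 0xF000 | len(app)) + app + bytes(4)
    return b"\x74" + struct.pack(">H", 0xF000 | len(body)) + body

if __name__ == "__main__":
    print(unexpected_apps(sample_section(b"http://203.0.113.7/", b"app.html"), {"hbbtv.broadcaster.example"}))
```

An AUTOSTART entry pointing at a host the broadcaster has never used is the signal worth alerting on, since the receiver loads that URL without any authentication of the table that carried it.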

Recorded talks from the Defcon conference are not up on YouTube yet, but Wired recently ran a full story on Pedro's talk, and it's worth checking out here. The slides from his presentation can be found on the Defcon server, and below are two videos that show the attack in action, one showing the ability to phish out a password. His YouTube channel shows off several other hijacking videos too.

SDR Against Smart TVs: Drones carrying SDRs

SDR Against Smart TVs: Social engineering

 

8 comments

  1. None

    lol… Sry, that might work when:
    a) the DVB-T(2) station is far away and the signal is weak. Why? That's simple, because the signal normally is x times more powerful than any SDR.
    b) How to hack the signal encryption? Your DVB-T2 stream is encrypted. So that will not work…
    c) How to hack a full transponder with X channels on it? They must hack ALL channels on ALL transponders to MAYBE inject something to someone!

    I would do it with a sat transponder and a cable TV receiving station.

    • tech_skilled

      Doubt it as well. To make this attack anyhow useful, the attacker would have to replace the complete DVB-T mux (like None said) with the same content, only with the HbbTV descriptor inside replaced. You cannot inject anything without replacing the complete mux, because in DVB there are multiple ways of checking for stream consistency and continuity. Even with a replaced descriptor, not all TVs are connected to the web. Even if the TV is connected, not all TVs have HbbTV enabled by default (many do not, e.g. on Samsung it has to be installed separately from their app store). And even then, to do something harmful the attacker would have to find a vulnerability in the HbbTV stack in the TV or phish the user into taking a harmful action. Additionally, like None said, the signal is in most cases much stronger, too strong for a HackRF to drown it out or replace it with a fake mux on the same frequency. In most cases it won’t do anything, possibly bring down the signal of the legitimate mux a little bit.
      Possible only in theory. In real life, science fiction. And the same issues apply to DVB-C/C2 and DVB-S/S2.

      • None

        Well, DVB-S2 is a better option because:
        a) the signal is WAY lower and many people use it.
        b) When you inject it into an apartment block at primetime the chance to catch some people is high(er).

        The point is you need just a few seconds to replace the URL; after that the TV sticks to the URL and you can do whatever you want to.
        It maybe COULD work when they inject the signal into a channel that is currently being watched, like when a soccer match or F1 race is on.

        • tech_skilled

          It won’t work. The main reason is that the HackRF's max bandwidth is 20 MHz, whereas most satellite transponders broadcasting MCPC transmissions are around 33-36 MHz each.
          Also the HackRF won’t be able to disrupt the signal between the satellite and the LNB, because it works up to 6 GHz, whereas satellite signals are mostly in Ku-band, above 10,7 GHz (only C-band would possibly be feasible).
          Even if we talk about C-band, the HackRF operator, the potential attacker, would have to know exactly what the user is watching, because it won’t be able to disrupt all possible C-band transmissions. And even if he tried, the satellite signal is received by the LNB not from everywhere, but by a precisely pointed satellite dish. The HackRF would have to hit the precise beam right beside the dish or get between the dish and the LNB.
          The alternative to this is to attempt to disrupt the signal between the LNB and the receiver, which is converted to L-band (9750 – 2150 MHz). But again, as we don’t know exactly what the user is watching, we won’t be able to disrupt the signal, and additionally, even if we could, the signal at this point is going through (in most cases) solid cables with solid isolation. I doubt the HackRF would be strong enough to cause any disruption bigger than making noise which will lower the legitimate signal. We have to keep in mind that the legitimate signal is still being broadcast, as in DVB-T, so the HackRF would have to be extremely powerful.
          Basically I see no such possibility for satellite as well.

          • None

            C Band here is that death.
            And why use (just) a HackRF when there are other SDRs out there? There are also some proper DVB-S modulators out there.

            • tech_skilled

              Still, plenty of other issues will make this impossible. 99,9% of SDRs are not capable of reaching such bandwidth for TX. DVB-S/S2 modulators like Dektec or Alitronika won’t work without a PC, so you won’t take them up with a drone. And still, because the attacker doesn’t know what the user is watching and it’s hard to hijack the sat signal (you would have to be somewhere in the signal line, the SAT dish is pointed precisely), I feel this is even more non-realistic than DVB-T (which is non-realistic too 😉 ). Also, still like for DVB-T: not all satellite STBs/TVs have got HbbTV at all, and even if they do, not many of them will load it automatically, etc.
              That attack is really very, very theoretical without practical adoption possibilities.

  2. kenny_c

    looks like I will be tossing my smart TV into the dumpster, right after I smash it with a hammer. IoT devices are too vulnerable to allow on your home network
