TV channels and manufacturers need to put security centre-stage to stop hackers taking control of smart TVs and turning them into back doors to our home networks.
That’s the conclusion of a German researcher who turned the spotlight on Samsung smart TVs – popular in Europe – and Europe’s smart TV standard HbbTV.
Martin Herfurt at German consultancy Nruns warns that smart TVs not only lack security, but are also being used to report viewing habits back to many broadcasters.
“Connecting HbbTV-capable Smart TVs to the home network is dangerous,” Herfurt blogged. “Clearly, TV manufacturers seem to lack IT security know-how and have to learn from other industries in order to succeed.
“The described attack scenarios are examples that help to show the severity of this topic. IMHO, it is just a matter of time before the attacks are spotted in the wild.”
HbbTV uses a ‘red button’ interactive system similar to the UK’s, but it is based on the web standard HTML instead of the UK’s MHEG-based TV software. In effect, you’re watching TV with an invisible web browser on top.
When the HbbTV red button appears, many TV channels automatically instruct the TV to contact the broadcaster’s server for tracking in Google Analytics.
With very little use of security protocols like SSL for this connection, Herfurt and other researchers think it would be easy to hijack it and inject spoof red button content onto the TV screen, such as fake news tickers or video.
More significantly, your TV could be forced to look for other devices on your home network and order your router to drop its firewall or allow external access to network storage or security cameras.
In the UK, only Freeview HD TVs are equipped for broadband connections via the red button, and most red button applications still get their data from the broadcast stream.
The BBC, which makes most use of the red button, is keen to provide data like extra video streams via broadband, to overcome the lack of capacity on Freeview.
We’ve also seen the arrival of purely broadband TV channels like Connect TV, which use a red button-triggered interface to deliver TV channels via broadband.
As yet, there’s been no UK-based research into the security of Freeview HD and smart TVs, with standards managed by the TV industry through the Digital TV Group.
We’re looking forward to comment from Samsung and the DTG on the security of British smart TV and red button services.