HDTVs Vulnerable to Hack Attacks

Tuesday, December 21, 2010 @ 10:12 AM gHale

This is the season to give gifts like big screen HDTVs, but hold on. Hackers can potentially use Internet-connected HDTVs to infiltrate malware into home networks, according to a new report.

Tests conducted on a range of Internet-connected TVs found a security flaw in the kit of an unspecified manufacturer, according to Mocana, a maker of security software for smartphones. Mocana is not naming the manufacturer involved or elaborating on the security weakness, at least until the company releases a fix.

The security bug offers a way to hack into consumers’ home networks and potentially intercept and redirect Internet traffic to and from the HDTV to mount phishing scams, gain access to backend services from third-party organizations (such as video streaming) or monitor and report on consumers’ private Internet usage habits, Mocana officials said.

“Internet connected HDTVs are huge sellers this holiday season,” said Adrian Turner, Mocana’s chief executive. “But a lot of manufacturers are rushing Internet-connected consumer electronics to market without bothering to secure them. I think this study demonstrates how risky it is to ‘connect first, worry later’, and suggests that consumer electronics companies that might lack internal security expertise should seek it out, before connecting their portfolio of consumer devices to the Internet.”

Mocana’s researchers managed to deploy hacking techniques familiar to the world of PC skullduggery (such as “rogue DNS”, “rogue DHCP server”, or TCP session hijacking techniques) to inject JavaScript onto a vulnerable device “allowing attackers script integrity before running code”.

As outlined in the report, Mocana’s research shows attackers may be able to leverage Internet-connected TVs to hack into consumers’ home networks and potentially:

• Present fake credit card forms to fool consumers into giving up their private information.

• Intercept and redirect Internet traffic to and from the HDTV, which could fool consumers into thinking that “imposter” banking and commerce websites were legitimate.

• Steal and co-opt the TV manufacturer’s digital “corporate credentials” to gain special VIP access to backend services from third-party organizations including popular search engine, video streaming and photo sharing sites.

• Monitor and report on consumers’ private Internet usage habits without their knowledge.

To give scale to the potential problem, research firm DisplaySearch predicted over 40 million Internet-accessible TVs will ship worldwide in 2010 and this number will grow to 118 million global shipments by 2014.

Mocana purchased and ran tests on several samples of a top-selling brand of Internet-connected HDTV set. They selected the television brand and model to be representative of its product type and class.

The flaws Mocana uncovered should raise questions about the security of consumer electronics in general, which manufacturers are scrambling to connect to the Internet, often with little or no security technology on board.