Internet TVs: A New Way for Cybercriminals to Infiltrate Your Home

Wednesday, December 15th, 2010

Mocana Study Shows New Breed of TVs May Expose Consumers, Credit Card Companies and Manufacturers to Data Theft and Fraud

SAN FRANCISCO — Mocana, a company that focuses on securing the “Internet of Things”, today announced a new study that highlights several important digital security flaws discovered in one of the best-selling brands of Internet-connected HDTVs. Researchers believe it’s likely that similar security flaws exist in other Internet TVs and recommend that consumers seek out third-party security tests of the appliances before they are purchased and installed in the home.

A copy of the report is available for download. Please note that the manufacturer’s name has been redacted from the report. Mocana researchers recently met with the manufacturer to help them correct the security flaws and agreed not to disclose the manufacturer’s name until a fix is issued.

As outlined in the report, Mocana’s research shows that attackers may be able to leverage Internet-connected TVs to hack into consumers’ home networks and potentially:

  • Present fake credit card forms to fool consumers into giving up their private information.
  • Intercept and redirect Internet traffic to and from the HDTV, which could be used to fool consumers into thinking that “imposter” banking and commerce websites were legitimate.
  • Steal and co-opt the TV manufacturer’s digital “corporate credentials” to gain special VIP access to backend services from third-party organizations including popular search engine, video streaming and photo sharing sites.
  • Monitor and report on consumers’ private Internet usage habits without their knowledge.

To give scale to the potential problem, research firm DisplaySearch recently predicted that over 40 million Internet-accessible TVs will be shipped worldwide in 2010 and that this number will grow to 118 million global shipments by 2014.

Mocana purchased and ran tests on several samples of a top-selling brand of Internet-connected HDTV. The television brand and model were selected to be representative of their product type and class. The flaws Mocana uncovered should raise questions about the security of consumer electronics in general, which manufacturers are scrambling to connect to the Internet, often with little or no security technology on board. Mocana’s researchers felt that while vulnerabilities may vary from brand to brand, it is reasonable to assume that many other IPTVs from many other manufacturers share similar problems. It might therefore be prudent for consumers to be extra careful until such devices are tested and certified safe in a systematic way.

Mocana’s CEO Adrian Turner said: “Internet connected HDTVs are huge sellers this holiday season. But a lot of manufacturers are rushing Internet-connected consumer electronics to market without bothering to secure them. I think this study demonstrates how risky it is to ‘connect first, worry later’, and suggests that consumer electronics companies that might lack internal security expertise should seek it out, before connecting their portfolio of consumer devices to the Internet.”

These experiments were conducted on several examples of an Internet-Connected HDTV sold worldwide, which features Internet functionality and additional digital connectivity to other devices within the home. Researchers found that the Internet interface failed to confirm script integrity before those scripts were run. As a result, an attacker could intercept transmissions from the television to the network using common “rogue DNS”, “rogue DHCP server”, or TCP session hijacking techniques. Mocana was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device’s Internet functionality.

This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer’s permission. More importantly, however, this same mechanism could be used to extract sensitive credentials from the TV’s memory, or prompt the user to fill out fake online forms to capture credit card information.
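The missing control described above is a check that a script is unmodified before it runs. The following added example (not from Mocana’s report or the manufacturer’s code) sketches one way a device loader could enforce it, using a detached Ed25519 signature verified against a key pinned in firmware; the key pair, function names and sample script are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed demo key pair. On a real device only the public half would be
// baked into firmware; the private half stays with the vendor's signing service.
const { publicKey: PINNED_VENDOR_KEY, privateKey: vendorSigningKey } =
  crypto.generateKeyPairSync('ed25519');

// Vendor side (hypothetical helper): produce a detached signature for a script.
function signScript(scriptText) {
  return crypto.sign(null, Buffer.from(scriptText, 'utf8'), vendorSigningKey)
    .toString('base64');
}

// Device side: true only if the signature over the exact bytes received
// verifies against the pinned key. Malformed input counts as a failure.
function verifyScript(scriptText, signatureB64, pinnedKey = PINNED_VENDOR_KEY) {
  if (typeof scriptText !== 'string' || typeof signatureB64 !== 'string') return false;
  try {
    const sig = Buffer.from(signatureB64, 'base64');
    return crypto.verify(null, Buffer.from(scriptText, 'utf8'), pinnedKey, sig);
  } catch {
    return false;
  }
}

// Fail closed: the script reaches the engine only after verification succeeds.
function loadScript(scriptText, signatureB64, run) {
  if (!verifyScript(scriptText, signatureB64)) {
    throw new Error('script integrity check failed; refusing to execute');
  }
  return run(scriptText);
}

// Constructed sample data: the vendor's script and a copy altered in transit.
const original = 'widget.render("weather");';
const signature = signScript(original);
const modifiedInTransit = original + ' /* content added by a network intermediary */';

// Runs both copies through the loader and reports what was allowed to execute.
function demo() {
  const executed = [];
  const run = (src) => { executed.push(src); return true; };
  loadScript(original, signature, run);
  let rejected = false;
  try { loadScript(modifiedInTransit, signature, run); } catch { rejected = true; }
  return { executedCount: executed.length, rejected };
}
```

Because the verification key is pinned on the device rather than fetched over the network, the check still holds when DNS or DHCP responses on the local network cannot be trusted.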

During the course of the study, researchers also were able to recover the manufacturer’s private “third-party developer keys” from the television, because in many cases, these keys were transmitted unencrypted and “in the clear.” Many third-party search, music, video and photo-sharing services delivered over the Internet require such keys, and a big TV manufacturer often purchases high-volume “special” access privileges to these service providers’ networks. A hacker could potentially employ these keys, for example, to access these high-volume services at no charge (or at least, on the TV manufacturer’s bill).

Mocana’s CEO Adrian Turner continued: “While much public discussion is currently focused on the recent explosion of smartphones, what’s not being talked about is the fact that the vast majority of new devices coming onto the Internet aren’t phones at all: they are devices like television sets, industrial machines, medical devices and automobiles – devices representing every conceivable industry. And the one thing that all these manufacturers have in common is that, unlike the computing industry, they don’t have deep experience in security technology.”
