Presented by Martin Herfurt at CISO Platform Annual Summit, 2013.Martin did a lot of work in the field of Bluetooth Security when he founded the trifinite.group in 2004. Currently, he is working for the German IT-Security firm n.runs professionals along with managing his new venture, toothR.

1. Security Issues with Hybrid
Broadcast Broadband TV
(HbbTV)
Watching TV suddenly is fun again!
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

2. Who am I
•
•
•
•
•
Martin Herfurt
Security Consultant working with n.runs
Co-founder of trifinite.org
Bluetooth security expert
@mherfurt
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

3. SmartTV Security Overview
• December 2012: ReVuln - USB/Local attacks
on SAMSUNG Smart TV
• March 2013: CanSecWest – Smart TV
Security (great talk, but excluding HbbTV
stuff) (SeungJin Lee, Seungjoo Kim)
• May 2013: (TU Darmstadt) HbbTV Privacy
issues (Marco Ghiglieri, Florian Oswald, Erik
Tews)
• June 2013: Security Issues with HbbTV
• August 2013: Attacking Smart TVs via apps
(Aaron Grattafiori, Josh Yavor)
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

4. HbbTV Background
•
•
•
•
Pan-European effort
HbbTV = H4TV(fr) + HTML Profil(de)
ETSI TS 102796 (published in June 2010)
Adopts existing specifications
– HTML-CE (Web for Consumer Electronics)
– OIPF (Open IPTV Forum)
• Goal is to combine broadcast content
with online content
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

5. DVB Stream
Plain Old DVB
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

6. Augmented
DVB Stream
Hybrid Broadband Broadcast TV
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

7. The Red Button
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

8. SevenOne Media
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

9. What you think you see
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

10. What you are really seeing
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

11. How is the Red Button displayed?
•
•
•
•
TV has a DAE (Browser)
Content from URL within DVB-Stream
Overlay on actual TV image
Mostly transparent web page
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

12. Data Collection
• Extraction of channel list
• Transparent proxy setup
• Script for switching channels via IP
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

13. Stations with HbbTV on Astra
19.2E
List was generated on 9th of may 2013 with no CI-modules except HD+ in use (e.g. no SKY)
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

14. Subset of Stations using
Google Analytics
RTL2 uses a service called etracker.com
Sometimes mechanisms for periodical tracking in use (transparent page refresh)
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

15. Possible Injection Vectors
!
Augmented
DVB Stream
!
!
!
© 2013, n.runs professionals GmbH – Security Research Team
!
Martin Herfurt

16. What Would Dr. Evil Do?
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

17. Watering Hole Attacks –
sometimes very likely
Apache/1.3.27 (Unix) (Red-Hat/Linux)
mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3
PHP/4.1.2 mod_perl/1.26
mod_gzip/1.3.26.1a
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

18. Content Injection
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

19. Rogue Video Display
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

20. Spoofing News Tickers
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

21. Attacks on DNS
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

22. Possilbe Attacks (Javascript)
• OIPF Objects
– contain device specific (and maybe personal)
information (see Open IPTV Forum standard) like
channel lists etc. – not everything from standard
is implemented
• HTML/JavaScript
– time-based scan of home networks
– transmit information to arbitrary inet location
– You name it!
• Recycle known malicious javascript code!
– Google Dorks
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

23. © 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

24. Countermeasures
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

25. Unplug SmartTV
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

26. Use a Firewall
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

27. Block Domain Name Service
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

28. HAL – To Serve & Protect
© 2013, n.runs professionals GmbH – Security Research Team
Martin Herfurt

29. Thank You!
Find more on:
© 2013, n.runs professionals GmbH – Security Research Team
blog.nruns.com
Martin Herfurt