Attacking the Internet Using Broadcast Digital Television

Published: 13 April 2015

Abstract

    In the attempt to bring modern broadband Internet features to traditional broadcast television, the Digital Video Broadcasting (DVB) consortium introduced a specification called Hybrid Broadcast-Broadband Television (HbbTV), which allows broadcast streams to include embedded HTML content that is rendered by the television. This system is already in very wide deployment in Europe and has recently been adopted as part of the American digital television standard. Our analyses of the specifications, and of real systems implementing them, show that the broadband and broadcast systems are combined insecurely. This enables a large-scale exploitation technique with a localized geographical footprint based on Radio Frequency (RF) injection, which requires a minimal budget and infrastructure and is remarkably difficult to detect. In this article, we present the attack methodology and a number of follow-on exploitation techniques that provide significant flexibility to attackers. Furthermore, we demonstrate that the technical complexity and required budget are low, making this attack practical and realistic, especially in areas with high population density: In a dense urban area, an attacker with a budget of about 450 can target more than 20,000 devices in a single attack. A unique aspect of this attack is that, in contrast to most Internet of Things/Cyber-Physical System threat scenarios, where the attack comes from the data network side and affects the physical world, our attack uses the physical broadcast network to attack the data network.


Cited By

    • (2023) Security Properties of Virtual Remotes and SPOOKing their violations. Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, 841-854. DOI: 10.1145/3579856.3582834. Online publication date: 10-Jul-2023.
    • (2022) Ranking Security of IoT-Based Smart Home Consumer Devices. IEEE Access 10, 18352-18369. DOI: 10.1109/ACCESS.2022.3148140. Online publication date: 2022.
    • (2018) Threats and Limitations of Terrestrial Broadcast Attacks. IEEE Transactions on Broadcasting 64:1, 105-118. DOI: 10.1109/TBC.2017.2704538. Online publication date: Mar-2018.
    • (2017) Same-origin policy. Proceedings of the 26th USENIX Conference on Security Symposium, 713-727. DOI: 10.5555/3241189.3241245. Online publication date: 16-Aug-2017.

Published In

        ACM Transactions on Information and System Security, Volume 17, Issue 4 (April 2015), 127 pages
        ISSN: 1094-9224
        EISSN: 1557-7406
        DOI: 10.1145/2756875
        Editor: Gene Tsudik
        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 13 April 2015
        Accepted: 01 January 2015
        Revised: 01 January 2015
        Received: 01 September 2014
        Published in TISSEC Volume 17, Issue 4

        Author Tags

        1. Smart TV
        2. radio-frequency attacks
        3. relay attacks

        Qualifiers

        • Research-article
        • Research
        • Refereed

