sciencetech-blog

comments

A team of scientists at Columbia University claim hybrid smart TVs that blur the line between televisions and the internet are vulnerable to a simple hack.

Coined the 'red-button attack' - named after the red button used on modern smart TV remotes to access additional content - the flaw can be exploited with just a $250 (£150) transmitter.

In just minutes, someone using a smart TV could find their various internet accounts sending spam, printing coupons and writing fake reviews without their knowledge.

Hackers could, in theory, also use these accounts to harvest personal information.

Scroll down for video

Scientists at Columbia University have revealed how modern hyrbrid smart TVs (stock image shown) are vulnerable to an attack that was not previously known. Dubbed the 'red button attack', hackers could hijack broadcasts to access a viewer's various connected internet accounts, including Facebook

Yossi Oren and Angelos Keromytis from the Network Security Lab have outlined their research in a paper set to be released later this year.

The hack is apparently remarkably easy to perform.

According to Forbes, it would occur while someone is watching TV and would be over in just 12 minutes.

The attack works by exploiting a vulnerability in Hybrid Broadcast-Broadband Television (HbbTV).

This 'allows broadcast streams to include embedded HTML content which is rendered by the television,' the researchers wrote in their paper.

'This system is already in very wide deployment in Europe, and has recently been adopted as part of the American digital television standard.'

The hacker would then, in essence, take over the channel a viewer was watching for a short amount of time.

This would be done by using a simple amplifier, costing as little as £150 ($250) on a rooftop to hijack networks across an area of 0.5 square miles (1.4 square kilometres).

Alternatively, a transmitter could also be placed on a drone, which could hover outside the windows of houses to hijack TVs.

In doing so, the hacker would have access to any websites the viewer was logged into on their smart TV.

This could range from getting access to their Facebook accounts to writing fake reviews on websites for products.

The attack could be carried out by attaching a small and cheap transmitter to a drone (stock image shown) and then hovering outside a victim's window. The attackers could also set up a transmitter on a roof to potentially hijack tens of thousands of TVs across an entire city

HbbTVs broadcasts can be hijacked because they are not linked to a web server, which also makes attacks virtually untraceable.

'This enables a large-scale exploitation technique with a localised geographical footprint based on radio frequency (RF) injection,' the researchers continue.

This 'requires a minimal budget and infrastructure and is remarkably difficult to detect.'

'In a dense urban area, an attacker with a budget of about $450 (£270) can target more than 20,000 devices in a single attack.'

There are a number of possible solutions. The most drastic includes cutting all internet access to smart TVs.

Alternatively, broadcasters could begin to integrate smart TVs into a network that could see if they are being hijacked by monitoring for high spikes in signal strength.

Perhaps the most simple solution, though, would be to have a confirmation box pop-up on screen when a viewer's smart TV is trying to open an app such as Facebook.

This, however, would detract from the current seamless and smooth integration between TV and internet favoured by companies at the moment.