A vulnerability in the way interactive apps work on many so-called Smart TVs could allow teams of relatively unskilled hackers to attack thousands of devices at once, a team of Columbia University researchers claims in a new paper.

“The technical complexity and required budget are low, making this attack practical and realistic,” the researchers write. “In a dense urban area, an attacker with a budget of about $450 can target more than 20,000 devices in a single attack.”

In a detailed analysis of the threat, Forbes magazine claims that the “rogue” broadcast could steal logins for sites such as Facebook and Yelp, hijack devices such as printers, and even sniff for weakly protected Wi-Fi networks.

“The only way for law enforcement to find a rogue broadcast is to send out multiple vehicle-mounted antennas to triangulate the signal. A hacker could be long gone before those trucks ever hit the streets,” Forbes writes.

Slashgear reports that the vulnerability relies on the HbbTV standard, used by advertisers to target users. Slashgear says that the standard is already widespread in Europe, but has recently been added to the NTSC standard for Smart TVs in America. “HbbTV notably allows advertisers to target users for advertising purposes (like watching a food show and getting coupons for a grocery store),” the site writes

“Our analyses of the specifications, and of real systems implementing them, show that the broadband and broadcast systems are combined insecurely,” the researchers write.

The paper refers specifically to so-called, “Red Button” content, where applications are launched on a smart TV during a programme by pressing a red button on the remote, typically displayed on screen as an invitation to press said button. But the researchers write that applications can also run invisibly in the background.

The researchers say that they presented the results of their research to the HbbTV Technical Group in January, but that their research was dismissed as insignificant.

They claim that the attack they describe is both possible and practical, with attackers intercepting and rebroadcasting a popular channel, after embedding malicious script into the channel.

“The best way to do so is to carry out a form of man-in-the-middle attack, in which the attacker transparently modifies a popular TV channel to include a malicious payload,” they write. The researchers say that there are ways for Smart TV manufacturers to block such attacks.
Slashgear writes, “The issue is that a Smart TV app is basically left without a point of origin when used, left “twisting in the wind” if you will. When used, it accesses both our network and the content we want, compromising both points.”