HbbTV Security: OMG - my Smart TV got pr0wn3d

Presented at 30C3 (2013), Dec. 27, 2013, 11 p.m. (60 minutes)

HbbTV (Hybrid broadband broadcast TV) is an emerging standard that is implemented in a growing number of smart TV devices. The idea is to bundle broadcast media content with online content which can be retrieved by the TV set through an Internet connection.

Mechanisms that allow the online content to be accessed by the TV set can be attacked and might put the TV user’s privacy at stake. The presentation highlights possible attack vectors of HbbTV-capable TV sets and introduces possible mitigations.

The Hybrid Broadcast Broadband TV consortium aims to define a standardized way on how content from so-called entertainment providers (e.g. broadcast stations, online media providers) is delivered on connected TVs. Starting as a Pan-European effort, the HbbTV consortium wants to create a globally adopted standard for hybrid entertainment services. Especially within the so-called Declarative Application Environment (DAE) – the HbbTV browser – another standard for connected TVs is being adopted: The Open IPTV Forum standard for Internet protocol TVs (IPTV). This standard seems to cover the device-specific part for Internet functionality.

This new standard in the entertainment industry is currently rolled out in an increasing number of countries in- and outside of Europe. Besides concerns about privacy, this technology also raises concerns about security. Possible attack vectors and possible mitigations are introduced in this presentation.

Presenters:

• Martin Herfurt
  Martin Herfurt works as a security consultant with n.runs. Martin Herfurt has always been fascinated by information technology. Since 1998, he is a regular visitor of the Chaos Communication Congress. After an internship in a telecommunications engineering lab at Hayward University (CA, USA) in 2000, he started to work as a scientist at a Salzburg-based research facility. Specializing in IP-network qualification he participated in two EU projects: AQUILA and INTERMON. As Martin Herfurt was holding lectures at the Salzburg University of Applied Sciences and Technologies, he explored the (in-)security of various wireless technologies. After he discovered a major security vulnerability in the Bluetooth-stack implementation of various mobile devices, he founded a group specializing in Bluetooth security. In 2006, Martin Herfurt successfully applied for innovation funding helping to found an Austrian company realizing a Bluetooth-centered application featuring embedded and web technology. In March 2011, Martin Herfurt started to work as security consultant for n.runs.

Links:

• https://fahrplan.events.ccc.de/congress/2013/Fahrplan/events/5398.html

Similar Presentations:

• DEF CON 22 (2014) / NinjaTV - Increasing Your Smart TV's IQ Without Bricking It
• Black Hat USA 2013 / Hacking, Surveilling, and Deceiving victims on Smart TV
• DEF CON 21 (2013) / Google TV or: How I Learned to Stop Worrying and Exploit Secure Boot