DVB Fixes Smart TV Security
Preventing Man In The Middle Attacks On Smart TVs
Today's connected Smart TVs that support interactive services have more in common with the computer in your home than the television sets of yesterday. This means that they could be at risk of being manipulated via the broadband interface. In addition, academic research has demonstrated that such an attack can also be initiated via the terrestrial RF input. In demonstrated cases, 'man-in-the-middle attacks' were performed by overriding the terrestrial broadcast signal and placing malicious codes in the TV software which enabled the hijacker to control, for example, the webcam and then stream the pictures from the living room back to the internet.
Just a few years ago such an attack on the broadcast channel would have required a truckload of expensive broadcast equipment. Now, with ongoing miniaturization, the necessary devices have become inexpensive and are easily transported. It must be said, that for the time being, there is little real-world evidence of such attacks. However, acknowledging the potential risks, DVB has worked on a comprehensive and appropriate solution providing the necessary protection for consumers and industry.
On February 16th the DVB Steering Board approved updates to TS 102 809 "Signaling and carriage of interactive applications and services in Hybrid broadcast/broadband environments" adding an authentication mechanism to prevent 'man in the middle' attacks. The updated specification enables broadcasters to add authentication information to the signaling of their interactive services. In essence, the television receiver learns the legitimate transmission on each channel and will then identify and reject any subsequent tampering. This provides an extra layer of defense for TV sets and their owners in addition to manufacturers' activities to improve their products security.
It is now up to broadcasters and TV manufacturers to implement the new features of TS 102 809 (currently available as DVB BlueBook A137) to protect the privacy of the end-user.