From the Aether to the Ethernet: Attacking the Internet using Broadcast Digital Television

Usenix Security Symposium, 21/Aug/2014

Yossi Oren

Joint work with Angelos D. Keromytis

Related Work

• Grattafiori and Yavor, Lee and Kim: Security issues in Smart TVs

• Herfurt, Tews et al.: Privacy-related problems (and possible solutions) in HbbTV advertising

• Nighswander et al., Checkoway et al.: RF-based attacks on embedded computers

Broadband Net

Broadcast TV

Smart TV!

Source: http://www.broadbandtvnews.com/2014/05/31/dutch-pubcasters-step-up-hbbtv-efforts/

Security Problems in the HbbTV Specification

• No user control over app life cycle

• Web Origin manually specified by app

• RF-based entry point into the Internet

Why would this work?

Attack Setup

Figure 3: Attack Setup (diagram labels: Radio Tower, Attack Injector, DVB Modulator, Power Amplifier, TV Under Attack, Receive Antenna, Transmit Antenna, DVB Tuner, Internet)

around the attacker the malicious modified signal will be stronger than the original signal transmitted by the tower. This will cause any televisions in the area to immediately fall victim to the attacks described below. We note that since in digital broadcasting multiple TV channels are sent from the radio tower using the same radio frequency, a single attack setup is capable of injecting attack code into several channels simultaneously.

The characteristics and estimated cost of each of the components in Figure 3 are presented below:

Receive antenna and DVB tuner – a USB-powered DVB tuner and a short passive antenna can be purchased online for about $15. The open-source VLC media player [33] is capable of interfacing with many of these tuners and sending the demodulated stream extracted from an entire RF channel to a file or a network socket.

Content modification – the demodulated stream is modified to contain a malicious application (either as a URL, or as a full application delivered via data stream), and the PMTs of all TV channels in the demodulated stream are modified to auto-start this application as soon as the user tunes into the channel. Since the video and audio streams in the channel are forwarded without any modification, this operation is not particularly computation intensive, and any low-cost computer with USB 2.0 support can be used for this purpose. A software suite named Avalpa OpenCaster [8] provides a set of open-source command-line tools which can be used to modify a multiplexed DVB stream in real time.

DVB modulator – this hardware component takes a multiplexed MPEG stream and converts it into an RF signal suitable for transmission. While these devices were once massive and expensive, modern DVB modulators are remarkably small and easy to use – a full-featured USB-powered modulator which can interface with OpenCaster can be purchased online for less than $200.

Power amplifier and transmit antenna – the attacker needs to create a signal that is stronger than the original TV tower’s signal and transmit it toward the target televisions. An attacker with a higher transmit power can affect more television sets, but a high-power setup is generally less portable, giving the attacker a higher probability of being detected and arrested. In Section 5 we formally analyze the power requirements of the attacker and show that, under the right conditions, a remarkably high amount of television sets can be affected with a moderate-to-low powered amplifier.

3.2 Additional Security Weaknesses

3.2.1 Attacks are untraceable

In traditional Internet-borne attacks, it is always assumed that the attacker is himself present on the Internet before he can deliver a malicious payload to his victims. The attacker’s IP and DNS entries can then be used by intrusion protection services and law enforcement agencies to protect against the attack as it occurs, and to trace and prosecute its perpetrators after it has concluded. In contrast, our attacker needs no such infrastructure to deliver its malicious payload. It is surprisingly simple and inexpensive to build a digital terrestrial television (DTT) transmitter and use it to reach thousands of potential hosts. After the attack concludes, the attacker leaves no trace of his activities in the form of IP or DNS transactions.

Operating an unlicensed TV transmitter is illegal in many countries. Law enforcement agencies capture these illegal transmitters by triangulation methods, which involve sending multiple car-mounted receivers to the vicinity of the attack, then using the differences in received signal strengths between receivers to locate the rogue transmitter. A sensitive receiver can also “fingerprint” the rogue transmitter’s RF envelope and help recognize it in the future. While this defense mechanism can potentially trace our radio attacker, mobile triangulation is a reactive defense step, which requires a considerable expense of time and resources from the defender’s side. Considering that the attack we describe has a very limited geographical signature, operates for a very limited time (potentially only a few minutes), and causes no visible adverse effects
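The signal-strength triangulation mentioned in the excerpt above, worked through as an added example that is not part of the paper. It assumes a log-distance path-loss model with exponent 3.0; the receiver positions, the transmitter position and the readings are constructed. Because only differences between receivers are used, the unknown transmit power cancels out.

```python
import math
from itertools import product

PATH_LOSS_EXPONENT = 3.0  # assumed; would be calibrated for the actual area

def rss_dbm(tx_xy, rx_xy, tx_power_dbm, n=PATH_LOSS_EXPONENT):
    """Log-distance path-loss model (assumption): RSS = P - 10*n*log10(d)."""
    d = max(math.dist(tx_xy, rx_xy), 1.0)  # clamp to 1 m to avoid log10(0)
    return tx_power_dbm - 10.0 * n * math.log10(d)

def locate(receivers, readings, area_m=1000, step_m=10):
    """Grid-search the point whose predicted RSS differences (relative to
    receiver 0) best match the measured differences, in the least-squares sense."""
    measured = [r - readings[0] for r in readings[1:]]
    best_xy, best_cost = None, math.inf
    for xy in product(range(0, area_m + 1, step_m), repeat=2):
        # Transmit power is set to 0 dBm here: it drops out of the differences.
        model = [rss_dbm(xy, rx, 0.0) for rx in receivers]
        cost = sum((m - (p - model[0])) ** 2
                   for m, p in zip(measured, model[1:]))
        if cost < best_cost:
            best_xy, best_cost = xy, cost
    return best_xy

# Constructed scenario: five car-mounted receivers in a 1 km x 1 km area
# (metres), deliberately not on a common circle so the fix is unambiguous.
RECEIVERS = [(0, 0), (1000, 100), (200, 900), (850, 800), (500, 450)]
ROGUE_TX = (300, 400)
READINGS = [rss_dbm(ROGUE_TX, rx, 37.0) for rx in RECEIVERS]  # noise-free

if __name__ == "__main__":
    print("estimated transmitter position:", locate(RECEIVERS, READINGS))
```

Real readings are noisy and the path-loss exponent varies with terrain, so a field estimate is a search region for the receivers to converge on rather than a point, which is part of why the excerpt calls this step slow and resource-intensive.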


Total cost: $450

Countermeasures

• Give user explicit control over life cycle

• Fix implementation of Web Origin

• Isolate RF-sourced programs from the Internet

• Problem: countermeasures are bad for business

The big picture

Are there additional cyber-physical systems with these risks?

Can we create a more secure architecture for these devices?

Can the Internet be used to protect against sensor-side attacks?

For more information: http://iss.oy.ne.ro/Aether#Usenix

Thank You!

