Report Says Internet TV’s Could be Hacked

Several Internet TV’s currently on the market may have digital security flaws that could allow cybercriminals to hack into a user’s personal data.

Mocana, a San Francisco-based provider of the type of IP security technology that could protect such devices, released a report, which can be downloaded at www.mocana.com/tv.pdf that outlines the security flaws found in an unidentified Internet TV. The company said it recently met with the company to help them fix the flaws and agreed not to identify the manufacturer’s name until the system is fixed.

The flaws are similar to those that threaten consumers in their daily use of the Internet. In its report, Mocana research showed that attackers could leverage Internet TV’s to hack into a consumer’s home network and potentially present fake credit card forms to fool consumers into giving up private information; intercept and redirect Internet traffic to and from the HDTV, which could fool consumers into thinking that “imposter” banking and commerce websites were legitimate; steal and co-op the TV manufacturer’s digital “corporate credentials” to gain special VIP access to backend services from third party organizations, including popular search engine, video streaming and photo sharing sites; and monitor and report on consumers’ private Internet usage habits without their knowledge.

Researchers found that the Internet interface failed to confirm script integrity before those scripts were run. As a result, an attacker could intercept transmissions from the television to the network using common “rogue DNS”, rogue “DHCP server”, or TCP session hijacking techniques. Mocana said it was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device’s Internet functionality. The attack could render the product unusable at important times and extend or limit its functionality without the manufacturer’s permission. The same mechanism could be used to extract sensitive credentials from the TV’s memory, or prompt the user to fill out fake online forms to capture credit card information.

Researchers were also able to recover the manufacturer’s private “third party developer keys" from the television, because, in many cases, there keys were transmitted unencrypted and “in the clear.” Many third party search, music, video and photo sharing services delivered over the Internet require such keys, and TV manufacturers frequently purchase high-volume “special” access privileges to these service provider’s networks. A hacker could potentially use these keys to access these high-volume services at no charge.

Internet connected TVs are expected to be a hot consumer product during the holiday buying season with DisplaySearch estimating over 40 million Internet TVs shipping in 2010 worldwide, growing to 118 million by 2014. Although security could differ among brands, Mocana said it ran tests on several samples of what it considered representative of current IP-connected TVs on the market.

“Internet connected HDTVs are huge sellers this holiday season,” said Mocana CEO Adrian Turner. “But a lot of manufacturers are rushing Internet-connected consumer electronics to market without bothering to secure them. I think this study demonstrates how risky it is to ‘connect first, worry later’, and suggests that consumer electronics companies that might lack internal security expertise should seek it out, before connecting their portfolio of consumer devices to the Internet.”