Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Researchers Hack Internet Enabled TVs, Discover Multiple Security Vulnerabilities

Internet TVs – The Latest Attack Vector: Researchers Hack Internet Enabled TVs, Discover Multiple Security Vulnerabilities

Internet TVs – The Latest Attack Vector: Researchers Hack Internet Enabled TVs, Discover Multiple Security Vulnerabilities

Was your home lucky enough to get a new Internet enabled TV over the holidays? If so, you’re probably quite excited and enjoying the features of your new digital media hub while you sit back and sip on some eggnog or hot chocolate from your couch – which you should. But you may also want to be careful, as Internet TVs could be the newest avenue for cybercriminals to infiltrate your home or business. (I know, more FUD from a security vendor, but this is actually interesting stuff and they were able to show us how it was done

Internet TV Security Threats

Security researchers have discovered several security flaws in one of the best-selling brands of Internet-connected HDTVs, and believe it’s likely that similar security flaws exist in other Internet TVs.

During the course of its research, Mocana, the security firm that discovered the flaws, demonstrated that the TV’s Internet interface failed to confirm script integrity before scripts were run. As a result, an attacker could intercept transmissions from the television to the network using common “rogue DNS”, “rogue DHCP server”, or TCP session hijacking techniques. Mocana was able to demonstrate that JavaScript could then be injected into the normal datastream, allowing attackers to obtain total control over the device’s Internet functionality. This attack could render the product unusable at important times and extend or limit its functionality without the manufacturer’s permission. More importantly, however, this same mechanism could be used to extract sensitive credentials from the TV’s memory, or prompt the user to fill out fake online forms to capture credit card information. (Mocana did issue a technical report on the details of the security vulnerabilities which is available here – short registration required)

Additionally, researchers were able to recover the manufacturer’s private “third-party developer keys” from the television, because in many cases, these keys were transmitted unencrypted and “in the clear.” Many third-party search, music, video and photo-sharing services delivered over the Internet require such keys, and a big TV manufacturer often purchases high-volume “special” access privileges to these service provider’s networks. A hacker could potentially employ these keys, for example, to access these high-volume services at no charge (or at least, on the TV manufacturer’s bill).

The developer keys identified during their review, with the run- time ability to obtain other authenticators as described elsewhere in their report include:

Pandora Request – Key: dc7fb2c483dabd96d641e50676e49ec09d20fd3913543b088684ff488ec4 e82a

Pandora Sync Time – Key: e387bc2b437de156b999878a28be18389d20fd3913543b088684ff488ec 4e82a

Google YouTube – Key: AI39si7jB9CE4nuJ3u1PT0-XJwSjZJ3WwJWV2YVHwZxmKvI-2U7gMDc0cQCw0Nc7GOx CLObL3NSnY9AkJ5wKU_0KUmo_7BFMKA

The Weather Channel – Key: e88d2de8-a740-102c-bafd-001321203584

What can happen as a result of these vulnerabilities? Researchers from Mocana were able to show that attackers may be able to leverage the Internet-connected TVs to hack into a consumer’s home network and potentially:

• Present fake credit card forms to fool consumers into giving up their private information.

• Intercept and redirect Internet traffic to and from the HDTV, which could be used fool consumers into thinking that “imposter” banking and commerce websites were legitimate.

• Steal and co-op the TV manufacturer’s digital “corporate credentials” to gain special VIP access to backend services from third-party organizations including popular search engine, video streaming and photo sharing sites.

• Monitor and report on consumers’ private Internet usage habits without their knowledge.

Mocana said its researchers have met with the manufacturer to help them correct the security flaws and agreed not to disclose the manufacturer’s name until a fix is issued and have thus blocked out the manufacturer name from the vulnerability assessment details.

“Internet connected HDTVs are huge sellers this holiday season. But a lot of manufacturers are rushing Internet-connected consumer electronics to market without bothering to secure them. I think this study demonstrates how risky it is to ‘connect first, worry later’, and suggests that consumer electronics companies that might lack internal security expertise should seek it out, before connecting their portfolio of consumer devices to the Internet,” said Adrian Turner, Mocana’s CEO.

The flaws Mocana uncovered should raise questions about the security of consumer electronics in general—which manufacturers are scrambling to connect to the Internet, often with little or no security technology on board. Mocana’s researchers felt that while vulnerabilities may vary from brand to brand, it is reasonable to assume that many other IPTVs from many other manufacturers share similar problems.

“While much public discussion is currently focused on the recent explosion of smartphones, what’s not being talked about is that fact that the vast majority of new devices coming onto the Internet aren’t phones at all: they are devices like television sets, industrial machines, medical devices and automobiles – devices representing every conceivable industry. And the one thing that all these manufacturers have in common is that, unlike the computing industry, they don’t have deep experience in security technology,” added Turner.

Market research firm DisplaySearch, predicted that over 40 million Internet-accessible TVs were shipped worldwide in 2010 and that this number will grow to 118 million global shipments by 2014. Mocana recommends that consumers be careful, until such devices are tested and certified safe in a systematic way.

Related Security Research

Vulnerability Assessment of Internet Connected HDTVs

• Mobile & Smart Device Security Survey 2010

Security Focus on Consumer Electronics

Mitigation of Security Vulnerabilities on Android & Other Open Handset Platforms w/ BONUS Free Software

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.