Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Vulnerabilities Expose Popular DVB-T2 Set-Top Boxes to Botnets: Researchers

Avast security researchers have identified vulnerabilities in DVB-T2 devices that could allow attackers to ensnare them in botnets.

Avast security researchers have identified vulnerabilities in DVB-T2 devices that could allow attackers to ensnare them in botnets.

An extension of the DVB consortium standard for the broadcast transmission of digital terrestrial television, DVB-T2 (Digital Video Broadcasting — Second Generation Terrestrial) can transmit compressed digital audio, video, and other data.

There is a push for the adoption of DVB-T2, following the European Union’s decision to auction the 700 MHz band to telecommunications operators, but, given that not all TVs support the new standard, set-top boxes that support it are required.

Many such set-top boxes are primitive, consisting of a TV tuner and an output device, some packing Internet support, and many are highly insecure, Avast’s security researchers reveal.

Analysis of two popular devices, namely Thomson THT741FTA and Philips DTR3502BFTA, revealed a series of vulnerabilities that could be exploited to inject malware and create botnets of set-top boxes.

One of the first discoveries the security researchers made was the lack of Telnet protections, with the device allowing them to connect without prompting for a login. Furthermore, the devices allowed for the transmission of data over FTP, courtesy of ftpput and ftpget.

The boxes were found to use the MIPS architecture and run Linux kernel 3.10.23, which stopped receiving support in November 2017.

The researchers also discovered that they could tamper with the content displayed to the user through weather and RSS feed applications on the device, due to the use of unencrypted communication. Both MiTM and DNS hijack attacks can be used for that, they say.

“Consequently, intruders could show a user a ransomware message telling them their TV has been hijacked and demanding a ransom to free the device,” Avast notes.

Furthermore, the researchers discovered that it was possible to move the DNS hijack attack to the device, and that persistent storage on the device was also available, which could essentially allow an attacker to store malware payloads or other tools, thus persisting through reboots and resets.

“And as a bonus, when we added something to /config and performed a factory-reset, the files remained. So even if a user performed a factory reset, the files added to this directory would be left untouched,” Avast explains.

On top of that, the security researchers discovered that the firmware has a wget utility built-in, which allows for the fetching of data from HTTP servers, meaning that adversaries could easily download malicious binaries within the telnet session.

The researchers successfully downloaded a Mirai version onto the set-top box, which, they discovered, closed the telnet daemon, thus preventing other malware from infecting the same device, and started scanning the Internet for additional devices to infect.

“Do not use your set-top box’s network functionality unless it’s absolutely necessary. You are probably better off checking the weather forecast or news on your phone,” Avast notes.

Users are advised to scan their devices for open ports, in the event they do want to connect the device to the network, disable Universal Plug and Play (UPnP) if it is enabled, and check port forwarding configuration and disable it unless absolutely necessary.

Two CVE identifiers were issued for the discovered vulnerabilities, namely CVE-2020-11617, which impacts the RSS application on Thomson THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set-top boxes, and CVE-2020-116180, for the telnet services hardcoded to start on boot, on both devices.

The researchers contacted the affected vendors, but the issues remain unpatched. While Philips did respond, it said that the subcontractor it uses for new set-top boxes won’t fix the vulnerabilities, and Thomson never replied, the researchers say.

“It is unfortunate that companies continue to push products to the market with no intention of releasing firmware updates and no way for the average customer to secure their box, which in this case is simply disabling Telnet and updating the RSS/Weather apps to use TLS. This negligence affects customers who either cannot afford a new TV or see no need to replace a TV that’s in perfect working order,” Avast concludes.

Related: FritzFrog Botnet Uses Proprietary P2P Protocol

Related: New ‘Kaiji’ Botnet Attacks Linux, IoT Devices via SSH Brute Force

Related: Botnet Targets Critical Vulnerability in Grandstream Appliance

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.