Worries that someone could hijack your TV with a broadcast have been present for decades (ever see The Outer Limits?), and it’s clear that they’re not going away any time soon. Oneconsult security researcher Rafael Scheel has outlined an attack that can control smart TVs by embedding code into digital (specifically, DVB-T) over-the-air broadcasts. The intrusion takes advantage of flaws in a set’s web browser to get root-level access and issue virtually any command. You only need to have a transmission powerful enough to reach compatible TVs, and at least one attack will work without revealing that something is wrong.
The technique is known to work on at least two recent Samsung models, and it’s possible to alter the code to compromise other web-enabled TVs.
If there’s a saving grace, it’s the specificity of the attack. Only some countries use DVB-T, and fewer still support the hybrid broadcast broadband TV format (HbbTV) needed to make this work. The victim also needs to both be tuned into a DVB-T channel and have the TV connected to the internet. North Americans watching ATSC broadcasts have nothing to worry about right now, in other words, and you’re also safe if you use a game console or media hub for your living room entertainment.
The discovery nonetheless underscores the importance of locking down smart TVs, which don’t usually receive security updates as frequently as phones or PCs. It’s one thing when hackers compromise individual TVs through conventional internet-only attacks, but it’s that much more sinister when they can compromise multiple TVs within a certain range. Manufacturers will need to treat security as a higher priority if they’re going to prevent attacks like this from happening in the real world.