EvilScreen Attack: Smart TV Hijacking via
Multi-channel Remote Control Mimicry
Yiwei Zhang, Siqi Ma, Tiancheng Chen, Juanru Li, Robert H. Deng, Elisa Bertino
Abstract—Modern smart TVs often communicate with their remote controls (including those simulated by smartphones) using
multiple wireless channels (e.g., Infrared, Bluetooth, and Wi-Fi). However, this multi-channel remote control communication introduces
a new attack surface. An inherent security flaw is that remote controls of most smart TVs are designed to work in a benign environment
rather than an adversarial one, and thus wireless communications between a smart TV and its remote controls are not strongly
protected. Attackers could leverage such a flaw to abuse the remote control communication and compromise smart TV systems.
In this paper, we propose EVILSCREEN, a novel attack that exploits ill-protected remote control communications to access protected
resources of a smart TV or even control the screen. EVILSCREEN exploits a multi-channel remote control mimicry vulnerability present
in today's smart TVs. Unlike other attacks, which compromise the TV system by exploiting code vulnerabilities or malicious third-party
apps, EVILSCREEN directly reuses commands of different remote controls, combines them together to circumvent deployed
authentication and isolation policies, and finally accesses or controls TV resources remotely. We evaluated eight mainstream smart
TVs and found that they are all vulnerable to EVILSCREEN attacks, including a Samsung product adopting the ISO/IEC security
specification.
Index Terms—Smart TV, Remote Control, Multi-channel, Authentication and authorization, Security analysis
1 INTRODUCTION
Smart TVs present both privacy and security risks. Features
such as Internet-based media playing and third-party
app execution make modern TVs smarter and yet
more vulnerable to security attacks and privacy intrusions.
A variety of vulnerabilities have been exploited against
smart TVs in recent years [1], [2], [3], [4], [5], [6], [7], [8]. In
general, security threats against smart TVs can be classified
into two categories: threats from the Internet, and threats from
programs running on smart TV OSes (e.g., Android TV
OS [9]). In response, smart TV manufacturers and TV OS
providers have deployed a variety of protection measures.
While security researchers and TV manufacturers are
making a concerted effort to strengthen smart TVs, we
observed that they often ignore a new attack surface —
multi-channel remote control communication. Figure 1 depicts
a typical application scenario: a smart TV simultaneously
supports three types of remote controls using different
signals, i.e., Consumer Infrared (IR) [10], Bluetooth Low
Energy (BLE) [11], and Wi-Fi. In addition to remote controls
provided by specialized TV accessories, a smart phone can
be used as a remote control when installing a companion app
developed by the TV manufacturer. By sending BLE and
Wi-Fi signals, users can interact with the TV. This companion
app simulated remote control is generally more powerful than
those classical remote controls since it can fully make use of
the resources of the host smart phone.
Although multi-channel remote control communication
enhances ease of use and flexibility for smart TV users, it
weakens security: a smart TV often treats its remote controls
as benign accessories, and neither effectively authenticates
their identities nor verifies data they send. Unfortunately,
most remote controls lack necessary protection, and thus
attackers could easily impersonate a remote control or tamper
with the wireless traffic. More seriously, to support enhanced
features (e.g., playing video files from a companion app
simulated remote control), smart TV OSes add remote control
interfaces to handle sophisticated remote commands and
execute privileged operations. If the access control mechanisms
of those interfaces are not well designed, attackers
could simply abuse them to hijack the TV (i.e., monitoring
the screen, displaying contents, and controlling the user
interface (UI) of the TV).
Fig. 1. A common multi-channel remote control communication scenario
for popular smart TVs (diagram labels: IR Remote Control, BLE Remote
Control, Companion Apps, Smart TV; channels: Infrared, Bluetooth, Wi-Fi).
EVILSCREEN Attack. In this paper, we present a new type of
attack, EVILSCREEN, against multi-channel communication
between a smart TV and its remote controls. Unlike existing
attacks that need to install a malicious app on the TV or
exploit the TV OS, EVILSCREEN only reuses communications
of remote controls to hijack the victim TV, making it
more difficult to detect and prevent the attack. We found
that the root cause of this attack is a multi-channel remote
control mimicry vulnerability (EVILSCREEN vulnerability
for short). In general, an EVILSCREEN vulnerability is a
smart TV access control bug which allows an attacker to
combine three types of wireless communications together
(i.e., IR, BLE, and Wi-Fi) to circumvent the authentication
and isolation policies of each single remote control. Then
the attacker could abuse corresponding remote control
interfaces to hijack the TV. In fact, exploiting a single remote
control does not result in severe security threats. However,
by combining functionalities of multiple remote controls,
one can design complex attacks.
arXiv:2210.03014v1 [cs.CR] 6 Oct 2022
To exploit an EVILSCREEN vulnerability, three consecutive
steps are needed. First, the attack utilizes less secure
wireless channels (i.e., IR and BLE) to force a Wi-Fi
provisioning [12], a common procedure for smart TVs to
receive credentials of a protected WLAN (i.e., SSID and
password). Second, once inside the same WLAN, as most smart
TVs would not check the remote control pairing requests,
the attack leverages this weakness to actively bind a fake
remote control to the TV. Third, once the fake remote control is
bound to the TV, the attacker abuses the remote control
interfaces to access TV resources and control the screen.
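Seen from the TV's side, none of the three steps above is alarming on its own; only the cross-channel sequence is. The following is an added example, not code from the paper, that correlates TV-side events to flag that sequence. The event names, fields, sample log and 600-second window are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical event record; not the log format of any real TV OS.
@dataclass(frozen=True)
class Event:
    t: int                   # seconds since boot
    channel: str             # "IR", "BLE" or "WIFI"
    kind: str                # "provision", "bind" or "privileged_call"
    accessory: str           # accessory identifier as seen by the TV
    confirmed: bool = False  # user approved the action on the TV screen

WINDOW = 600  # assumed correlation window in seconds


def find_mimicry_chains(events, already_provisioned=True):
    """Return accessories whose activity matches the three-step chain:
    (1) Wi-Fi re-provisioning pushed over IR/BLE without confirmation,
    (2) an unconfirmed Wi-Fi binding shortly afterwards,
    (3) privileged interface use by that newly bound accessory."""
    alerts = []
    reprovision_at = None
    unconfirmed_binds = {}  # accessory -> time of binding
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "provision" and ev.channel in ("IR", "BLE"):
            # Step 1: network change over a weakly authenticated channel
            # on a TV that already had a network configured.
            if already_provisioned and not ev.confirmed:
                reprovision_at = ev.t
        elif ev.kind == "bind" and ev.channel == "WIFI":
            # Step 2: only bindings that follow the network switch and
            # were never approved on screen are tracked.
            if (reprovision_at is not None and not ev.confirmed
                    and ev.t - reprovision_at <= WINDOW):
                unconfirmed_binds[ev.accessory] = ev.t
        elif ev.kind == "privileged_call":
            # Step 3: screen or resource access by a tracked accessory.
            bound = unconfirmed_binds.get(ev.accessory)
            if bound is not None and ev.t - bound <= WINDOW:
                if ev.accessory not in alerts:
                    alerts.append(ev.accessory)
    return alerts


# Constructed sample log: the owner's phone is bound with confirmation,
# then an unknown accessory appears after a BLE-initiated network switch.
SAMPLE = [
    Event(10, "WIFI", "bind", "phone-owner", confirmed=True),
    Event(20, "WIFI", "privileged_call", "phone-owner"),
    Event(300, "BLE", "provision", "remote-unknown"),
    Event(330, "WIFI", "bind", "phone-unknown"),
    Event(345, "WIFI", "privileged_call", "phone-unknown"),
    Event(350, "WIFI", "privileged_call", "phone-owner"),
]

if __name__ == "__main__":
    print(find_mimicry_chains(SAMPLE))
```

The owner's phone keeps working without an alert because its binding predates the network switch and was confirmed on screen; only the accessory that completes all three steps is reported.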
In comparison with attacks relying on meticulously
crafted signals (e.g., leveraging inaudible voice commands
to control the TV [13], [14], [15]), the EVILSCREEN attack
only uses common wireless technologies and is more general.
We conducted an empirical study against eight popular
smart TVs from retail markets of China, Japan, Korea
and the United States. Our study showed all of them were
vulnerable to the EVILSCREEN attack. Unlike attacks such
as BIAS [16] against Bluetooth and KRACK [17] against Wi-Fi,
the EVILSCREEN attack does not aim to break any of the
three wireless protocols used by remote controls. Instead,
it exploits the fact that during communications between
the remote controls and the smart TV, because of usability
considerations, simplified security controls, or even no
security controls at all, are applied. We present a case
study for the Samsung smart TV, which adopts the ISO/IEC
30118-1:2018 standard [18] to protect its remote control
communication. We show that a usability factor related
to the Samsung SmartThings companion app significantly
reduced the crypto key randomness, and we constructed a
practical brute-force attack to breach its DTLS-over-BLE and
WebSocket-over-Wi-Fi communication between the TV and
its companion app simulated remote control.
The main contributions of this paper are as follows:
New Understandings. We systematically analyzed
how the use of remote controls affects the security
of popular smart TVs. We show that design flaws
of remote controls break the security assumptions of
protection solutions currently deployed on wireless
technologies such as BLE and Wi-Fi.
New Attacks. We implemented the EVILSCREEN attack
that affected 200 million popular smart TVs
worldwide (see footnote 1). Unlike attacks aiming at exploiting
code vulnerabilities of TV OSes or apps, the EVILSCREEN
attack only utilizes legitimate protocols and services.
Therefore, current protections are less effective
against our attack. We also outline countermeasures
for smart TV manufacturers and developers to mitigate
the EVILSCREEN attack.
Footnote 1: According to the shipment data reported by each smart TV
manufacturer [19].
2 BACKGROUND
In this section, we first give an analysis of smart TV
characteristics by comparing them with three other types of
devices. Then, we describe common protection schemes of
smart TVs, especially those to protect app simulated remote
control communications.
2.1 Characteristics of Smart TVs
Smart TVs provide a variety of new features and functions
for users, and thus their user experiences greatly differ from
other devices, such as smartphones and laptops. A TV is
considered “smart” when it has the following features: 1)
it relies on an OS to manage the hardware to process the
displayed contents; 2) it can access online media resources
through Internet connections; 3) it supports multiple
accessories that communicate through various transmission
channels. Compared with other widely used electronic
devices including traditional TVs, smartphones as well as
common IoT devices, smart TVs have the following major
differences (see Table 1 for a summary):
Systems. Because of the limited resources (e.g., small memory,
limited power), traditional TVs and IoT devices are
usually not configured with a fully functional OS but just
with a tailored embedded OS, or even a bare metal firmware
with simple structures and functionalities. Smartphones,
with more powerful hardware, are equipped with OSes
(Android or iOS) and support different types of apps.
As with smartphones, smart TV manufacturers often
customize OSes (TV OSes) to adapt to the smart TV hardware
and “smart” user interfaces. Most smart TV manufacturers
build their TV OSes on top of an existing OS, such as
Android TV [9] developed by Google or tvOS [21] developed
by Apple. In addition, smart TV apps, like smartphone apps,
are provided to facilitate the use of smart TVs by users.
Smart TV apps are mostly provided as pre-installed apps by
smart TV manufacturers. Some TV OSes, however, also
support the installation of third-party TV apps (often with
proprietary TV app stores).
User Interface (UI). Generally, a traditional TV consists of a
screen and a cable to display media decoded from analog signals.
To support user interaction, traditional TVs usually display
menus on the screen for users to select. User interactive
inputs are limited to simple operations, such as switch-on/off
and channel/volume tuning, and such operations
are often conducted by the user with a remote control.
IoT devices, on the other hand, often lack a visible UI for
operations. Therefore, they usually rely on a remote web or
smartphone based user interface to handle user inputs. For
smartphones, the UIs are much more complex. With the help
of a touchscreen, users can simply operate the smartphones
with different multi-touch gestures.
The UIs of smart TVs combine the features of UIs of
traditional TVs and smartphones. For usability consistency,
most smart TVs still support a menu based operation style,
but also support the use of TV apps (e.g., a media player
app) to enhance the functionalities as well.
Interaction. Regarding the input styles, the interactions
between users and the four types of devices differ significantly.
Traditionally, users operate the TV screen with a remote
control, which only sends commands to the TV. When
using an IoT device, users usually rely on a companion
app on a smartphone to send and receive messages. With
respect to smartphones, the typical interaction approach
is touchscreen-based, while some smartphones also receive
voice commands to fulfil certain functions.

TABLE 1
Comparison of implementation features among four types of consumer electronic devices

                 Traditional TVs   IoT Devices              Smartphones          Smart TVs
System           -                 Embedded OS/Bare Metal   Android/iOS          TV OSes [20]
User Interface   Menu              Web/Smartphone           Touchscreen          Desktop (Menu+TV app)
Interaction      Remote Control    Companion App            Screen-based Input   Remote Control + Companion App
Communication    IR                BLE/WiFi                 BLE+WiFi             IR+BLE+WiFi

Since users of smart TVs seldom touch the screen, most
recent smart TVs still rely on the remote controls as their
main accessories. However, the remote control of a smart
TV is “smarter” compared to that of a traditional TV. It
supports not only sending button-pressing commands but
also sending voice commands via a short-range wireless
communication channel. In addition to the smart remote
control, many manufacturers also provide companion apps
that can be installed on smartphones, by which users can
control the smart TVs from their smartphones. In particular,
some companion apps not only allow the user to operate
the TV remotely, but also allow the user to play the contents
stored on the smartphone on the smart TV.
Wireless Communication. A distinct feature of smart TVs
is the use of multiple wireless communication channels. As
Figure 1 shows, the communication between a smart TV and
its accessories (including remote controls and smartphones)
utilizes three widely used wireless signals, i.e., Consumer
Infrared [10] (IR), Bluetooth Low Energy [11] (BLE), and
Wi-Fi [22]. Commonly employed in traditional remote controls,
IR based short-range TV-Accessory communication is still
supported by most smart TVs due to user experience
considerations and compatibility issues. Specifically, when a user
presses a button on a remote control, the remote control
sends the corresponding IR signal to the smart TV. The IR
receiver on the TV then decodes the IR signal into instructions
that the TV OS can understand. Many smart remote
controls (especially those with microphones to receive voice
commands) use BLE, which has a higher data transmission
rate, to communicate.
Unlike remote controls, companion apps on smartphones
tend to control the smart TV and access TV resources
via Wi-Fi. Wi-Fi transmission not only has a high data
rate but also adopts well-designed security specifications
(e.g., WPA2 and WPA3 [23]), and therefore is suitable for
data transmission with strong protection requirements. In
comparison, IR and BLE lack strong authentication mechanisms.
IR communication does not need to authenticate the
involved devices [24], and BLE authentication suffered from
pairing issues such as Man-in-the-Middle, Brute-force and
Method Confusion attacks [25], [26], [27], [28], [29], [30], [31].
As a result, IR and BLE based remote controls are restricted
to fulfil a limited number of operations requiring privileges.
2.2 Protections against Wireless Attacks
Since complex hardware and software stacks are introduced
into smart TVs, a variety of vulnerabilities have been
exploited against different components of the smart TV, such
as the firmware and the browser [1], [2], [5], [6], [8]. In
response, manufacturers and TV OS developers have built on
techniques designed for smartphone protection and have
adopted several well known defenses, such as Mandatory
Access Control (MAC) and Address Space Layout
Randomization (ASLR). Nonetheless, a remarkable attack surface for
smart TVs is their TV-Accessory wireless communication.
To protect smart TVs against attacks based on remote wireless
signals, the following measures are often employed.
Protection I: Network Isolation. When a user initially
launches a smart TV, the user typically configures the TV to
connect to a Wi-Fi network. At this stage, the smart TV often
relies on the user to send the Wi-Fi credentials (i.e., the SSID
and password of the WLAN) via its remote controls. Those
credentials are often sent from remote controls to TVs via
IR or Bluetooth, since at that time the Wi-Fi connection has
not yet been established. After the network connection, the
smart TV is under the protection of WLAN isolation. Thus,
only authenticated devices are allowed to join the (WLAN)
network and access TV resources.
Protection II: TV-Accessory Binding. In addition, the smart
TV and its accessories (a remote control or a smartphone
with a companion app) in the same WLAN need to complete
a binding process before further remote interactions.
Conventionally, a binding process involves a mutual authentication
between the smart TV and the accessory, which ensures
that the smart TV is bound to the permitted accessories
only. Otherwise, attackers might be able to exploit the smart
TVs by compromising other vulnerable smart devices (e.g.,
smart routers) in the same WLAN.
Protection III: Remote Interaction Validation. Finally, the
remote user is not allowed to use resources of the smart
TV arbitrarily. Since a variety of remote user interactions
supported by the smart TV require access to sensitive
resources (e.g., screen contents, system settings) or modify
these resources, the smart TV applies access control to all
remote operations to check whether a request is allowed.
Specifically, the TV OS introduces new interfaces to handle
different remote operations sent by the user and perform
permission checks. The permissions are granted to accessories
after the binding phase, and when a resource interface