SDR Against Smart TVs; URL And Channel Injection Attacks

Transcription

SDR Against Smart TVs; URL and channel injection attacks
DefCON 27, Pedro Cabrera (@PCabreraCamara)

About Me
- Industrial engineer, UAV professional pilot, Radio Ham (EA4HCF)
- Ethon Shield, Founder
- 2018 RSA: “Parrot Drones Hijacking”
- 2017 BH Asia Trainings (Simon Roses): “Attacking 2G/3G mobile networks, smartphones and apps”
- RogueBTS, IMSICatchers, FakeStations: www.fakebts.com
- @PCabreraCamara

This.Presentation:
I. HbbTV 101. Digital TV introduction
II. Hacking TV & HbbTV.
III. HbbTV RX stations.
IV. Targeting the Smart TV browser.
V. Conclusions

[I] Hybrid Broadcast Broadband Television
The HbbTV specification extends DVB-T by introducing additional metadata formats that mix broadband Internet content into the digital television channel.
Hybrid television because it merges digital television content and web content.
Diagram labels: H4TV project; HTML profit project; HbbTV (2009)

[I] TV Distribution Network
Generic TV Network

[I] DVB-T
DVB-T characteristics (Spain):
- 8 MHz bandwidth
- Transmission mode: 8k (6,817 carriers).
- Modulation schemes: 64 Quadrature Amplitude Modulation (OFDM)
- Code Rate for internal error protection: 2/3.
- Length of guard interval: 1/4.


[I] Generic DVB-T receiver
Diagram labels: Radio Frequency; Rafael 820T2; RTL-SDR: Realtek RTL2832u; DeMultiplexer; Video; Audio Decoder; Metadata Decoder

[I] DVB-T demodulator
Diagram labels: Radio Frequency; Fast Channel Estimator & Channel Equalizer; Inner; Reed Solomon Decoder; DeScrambler; MPEG-2 MUX

[I] DVB-T linux demodulator
- Bogdan Diaconescu (YO3IIU): gr-dvbt (USRP N210)
- GNU Radio: gr-dtv (USRP)
- Ron Economos (W6RZ): dtv-utils (BladeRF)

[I] DVB-T linux demodulator
DVB-T Modulation:
- 8 MHz Bandwidth (SR)
- Transmission mode: 8k
- Modulation scheme: 64 QAM
- Code Rate: 2/3.
- Length of guard interval: 1/4

[I] TV Channels & Frequencies

Digital Multiplex   Channel              Frequency (Hz)
MPE5                atreseries HD        482.000.000
MPE5                BeMad tv HD          482.000.000
MPE5                Realmadrid TV HD     482.000.000
MPE4                TRECE                514.000.000
MPE4                Energy               514.000.000
MPE4                mega                 514.000.000
MPE4                Boing                514.000.000
MPE1                PARAMOUNT CHANNEL    570.000.000
MPE1                GOL                  570.000.000
MPE1                DMAX                 570.000.000
MPE1                Disney Channel       570.000.000
TL06M               TRECE                618.000.000
TL06M               Intereconomia TV     618.000.000
TL06M               HIT TV               618.000.000
TL06M               MegaStar             618.000.000
TL06M               CGTN-Español         618.000.000
TL06M               Canal Galería        618.000.000
TL06M               Business TV          618.000.000
TL06M               8madrid              618.000.000
RGE2                tdp HD               634.000.000
RGE2                TEN                  634.000.000
RGE2                DKISS                634.000.000
RGE2                tdp                  634.000.000
RGE2                Clan HD              634.000.000
MPE3                Telecinco            698.000.000
MPE3                Telecinco HD         698.000.000
MPE3                Cuatro               698.000.000
MPE3                Cuatro HD            698.000.000
MPE3                FDF                  698.000.000
MPE3                Divinity             698.000.000
MAUT                Telemadrid HD        746.000.000
MAUT                Telemadrid           746.000.000
MAUT                LA OTRA              746.000.000
MAUT                BOM                  746.000.000
RGE1                La 2 HD              770.000.000
RGE1                La 2                 770.000.000
RGE1                La 1 HD              770.000.000
RGE1                La 1                 770.000.000
RGE1                Clan                 770.000.000
RGE1                24h                  770.000.000
MPE2                nova                 778.000.000
MPE2                neox                 778.000.000
MPE2                la Sexta HD          778.000.000
MPE2                la Sexta             778.000.000
MPE2                antena 3 HD          778.000.000
MPE2                antena 3             778.000.000

[Figure: spectrum plot with the multiplexes labelled by frequency in MHz: MPE5 (482), MPE4 (514), MPE1 (570), TL06M (618), RGE2 (634), MPE3 (698), MAUT (746), RGE1 & MPE2 (770 & 778)]


[II] Background: TV hijacking attacks
- East Coast USA 1986. At 12:32, the satellite signal HBO (Home Box Office) received from its operations center on Long Island in New York was interrupted by a man calling himself "Captain Midnight". The interruption occurred during a showing of The Falcon and the Snowman.
- CHICAGO 1987. A WGN (Channel 9) sportscast is hijacked at 9:14 pm on November 22. Someone wearing a Max Headroom mask and a yellow blazer interrupted a recorded segment of the "Chicago Bears" for about 25 seconds. At 23:15 the broadcast of an episode of "Dr. Who" on the WTTW network was interrupted by the same character, this time with strange audio, an appearance of another person and a longer time on the air.
- Lebanon war 2006. During the Lebanon War of 2006, Israel overloaded the satellite broadcast of Al Manar TV of Hezbollah to broadcast anti-Hezbollah propaganda.
https://en.wikipedia.org/wiki/Broadcast_signal_intrusion

[II] Smart TV attacks state of the art
- June 2014 - Weeping Angel (CIA) - WikiLeaks. It shows exactly what an agent must do to turn a Samsung Smart TV into a microphone. The attack requires local access to the Smart TV.
- April 2015 - Yossef Oren and Angelos D. Keromytis, "Attacking the Internet using Broadcast Digital Television". Theoretical study on the potential attacks on the HbbTV system.
- February 2017 - Rafael Scheel, "Hacking a Smart TV". It presents two vulnerabilities in two Samsung Smart TV web browsers, Flash and Javascript, which it exploits by creating its own HbbTV application and broadcasting it through its own DVB-T channel. For this, it uses a low-cost proprietary device and unpublished software. In no case does it use SDR or open-source tools.

[II] DVB-T Channel Hijacking
- Channel injection
- URL injection

[II] DVB-T Channel Hijacking
Using the same frequency and channel metadata as in the original channel, we will transmit our video file using BladeRF, HackRF or any capable SDR supported by GNURadio.
Diagram labels: Video file; HbbTV channel metadata; gr-dtv (gr-dvbt)

[II] DVB-T Channel Hijacking
We must generate a "Transport Stream" (TS file) with the same parameters as the legitimate channel and the new A/V content.
Diagram labels: Video file; ffmpeg; Transport stream file
Channel parameters:
- original network id XXXX
- transport stream id YY
- service id [ZZZ]
- pmt pid [VV]

[II] DVB-T Channel Hijacking
We must generate a "Transport Stream" (TS file) with the same parameters as the legitimate channel and the new A/V content.
Diagram labels: Video file; Video TS; Audio TS; HbbTV Metadata; Transport stream file
Tools:
1. ffmpeg (hbbtv-dvbstream)
2. OpenCaster
Channel parameters:
- original network id XXXX
- transport stream id YY
- service id [ZZZ]
- pmt pid [VV]

[II] DVB-T Channel Parameters

[II] DVB-T Channel Parameters
Linux command line: dvbv5-scan (DVBv5 Tools)

[II] DVB-T Channel Hijacking

[III] TV antenna facility attack
We can eliminate the radio phase by injecting our signal into the antenna facility, replacing the main TV stream from the antenna with our stream.
Diagram labels: Amplifier; Splitter

[III] TV antenna facility attack
Diagram labels: TV splitters (1/3); TV antenna facility

[III] TV antenna facility attack (II)
Diagram labels: TV splitters (1/4); TV antenna facility; TV Amplifier

[III] TV antenna facility attack

[III] Why miniaturization weight-can-a-drone-lift/

[III] Miniaturization – Drone attacks
Components shown: GPD; BladeRF; HackRF; Odroid C2; Odroid case; iPhone battery 10.000mA; solar battery 24.000mA; NeoXeo battery 6.000mA
Weights shown: 300 gr; 480 gr; 170 gr; 100 gr; 280 gr; 350 gr; 100 gr; 68 gr; 32 gr

[III] Drone attack

[III] DVB-T Channel Hijacking: Impact
Generic TV Network

[III] DVB-T Channel Hijacking: Impact

[IV] URL Injection attack
The HbbTV standard allows Smart TVs to send GET requests to the URL transmitted by the channel (station) every so often.
Diagram label: URL

[IV] URL Injection attack

[IV] URL Injection attack: Basic
We add the URL of our fake server in the HbbTV metadata: application name, base URL, web page, organizationId and applicationId.
Diagram labels: Video file; HbbTV channel metadata (URL); gr-dtv (gr-dvbt)

[IV] URL Injection attack: Video Replay
Diagram labels: DVBv5 Tools; dvbsnoop; Channel video & audio; HbbTV channel metadata (URL); gr-dtv (gr-dvbt)

[IV] URL injection attack
We must generate a "Transport Stream" (TS file) with the same parameters as the legitimate channel and the new Application/URL content.
Diagram labels: Video file; Video TS; Audio TS; HbbTV Metadata; Transport stream file
Tools:
1. ffmpeg (hbbtv-dvbstream)
2. OpenCaster
HbbTV metadata:
- appli name [“DefCON27"]
- appli root ["http://10.0.0.1/"]
- appli path ["index1.htm"]

[IV] One SmartTV, two browsers
- SDR URL injection attack: HbbTV Browser (remote)
- ARP Poison/DNS Hijacking URL injection attack: HbbTV & User Browsers (requires WLAN access)

[IV] One SmartTV, two browsers
Samsung TV:
HbbTV/1.2.1 ( DRM lla/5.0 (SMART-TV; Linux; Tizen 3.0) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.0 Chrome/47.0.2526.69 TV safari/537.36
Panasonic TV:
HbbTV/1.2.1 (;Panasonic;VIERA 2014;3.101;6101-0003 0010-0000;) Mozilla/5.0 (X11; FreeBSD; U; Viera; es-ES) AppleWebKit/537.11 (KHTML, like Gecko) Viera/3.10.14 Chrome/23.0.1271.97 Safari/537.11
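
A defender-side counterpart to the URL injection and user-agent slides above, added here as an example that is not part of the original talk: it scans outbound proxy log lines for requests made by a TV's HbbTV browser (user agent containing `HbbTV/`) and flags application fetches that go to a raw IP address or to a host outside a broadcaster allowlist. The log format, the allowlist suffix `broadcaster.example` and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: domain suffixes your broadcasters legitimately serve HbbTV apps from.
ALLOWED_SUFFIXES = ("broadcaster.example",)

# Constructed proxy log lines: client IP, method, URL, quoted User-Agent.
SAMPLE_LOG = '''\
192.168.1.50 GET http://hbbtv.broadcaster.example/app/index.html "HbbTV/1.2.1 (;Panasonic;VIERA 2014;3.101;6101-0003 0010-0000;)"
192.168.1.50 GET http://10.0.0.1/index1.htm "HbbTV/1.2.1 (;Panasonic;VIERA 2014;3.101;6101-0003 0010-0000;)"
192.168.1.77 GET http://news.example/ "Mozilla/5.0 (X11; Linux x86_64) Firefox/68.0"
'''

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def host_is_suspicious(host):
    """True for an IP-literal host or one outside the broadcaster allowlist."""
    try:
        ipaddress.ip_address(host)
        return True  # assumption: legitimate apps are served by name, not raw IP
    except ValueError:
        pass
    host = host.lower().rstrip(".")
    return not any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def find_suspicious_hbbtv_fetches(log_text):
    """Return (client, url) pairs for HbbTV-browser requests to unexpected hosts."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, _method, url, user_agent = m.groups()
        if "HbbTV/" not in user_agent:
            continue  # only the TV's HbbTV browser is of interest here
        host = urlsplit(url).hostname or ""
        if host_is_suspicious(host):
            findings.append((client, url))
    return findings

if __name__ == "__main__":
    for client, url in find_suspicious_hbbtv_fetches(SAMPLE_LOG):
        print(f"HbbTV browser on {client} fetched unexpected URL {url}")
```
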

[IV] Smart (TV) scanning
Apache log files:
- Public IP address
- Models/Manufacturers (UA)
- DVB-T Channels/Audience analysis

[IV] Video replay & URL injection attack
Tools shown: dvbv5-zap; gr-dvbt; dvbsnoop; tscbrmuxer

[IV] Social engineering (SE) attacks

[IV] Keylogger attack

[IV] Crypto -ethereummining-youtube-adverts

[IV] Crypto Mining attack

[IV] Hooking user browser

[IV] User browser attack

[V] .eff.org/files/2019/07/09/whitepaper imsicatchers eff 0.pdf


Thank You
- Gonzalo Manera
- Pepe Cámara
- Alvaro Castellanos
- Luis Bernal (aka n0p)
github.com/pcabreracamara/DC27
2019 August, DefCON 27
