Vulnerabilities Expose Popular DVB-T2 Set-Top Boxes to Botnets: Researchers
Avast security researchers have identified vulnerabilities in DVB-T2 devices that could allow attackers to ensnare them in botnets.
An extension of the DVB consortium standard for the broadcast transmission of digital terrestrial television, DVB-T2 (Digital Video Broadcasting — Second Generation Terrestrial) can transmit compressed digital audio, video, and other data.
There is a push for the adoption of DVB-T2, following the European Union’s decision to auction the 700 MHz band to telecommunications operators, but, given that not all TVs support the new standard, set-top boxes that support it are required.
Many such set-top boxes are primitive, consisting of a TV tuner and an output device, some packing Internet support, and many are highly insecure, Avast’s security researchers reveal.
Analysis of two popular devices, namely Thomson THT741FTA and Philips DTR3502BFTA, revealed a series of vulnerabilities that could be exploited to inject malware and create botnets of set-top boxes.
One of the first discoveries the security researchers made was the lack of Telnet protections, with the device allowing them to connect without prompting for a login. Furthermore, the devices allowed for the transmission of data over FTP, courtesy of ftpput and ftpget.
The boxes were found to use the MIPS architecture and run Linux kernel 3.10.23, which stopped receiving support in November 2017.
The researchers also discovered that they could tamper with the content displayed to the user through weather and RSS feed applications on the device, due to the use of unencrypted communication. Both MiTM and DNS hijack attacks can be used for that, they say.
“Consequently, intruders could show a user a ransomware message telling them their TV has been hijacked and demanding a ransom to free the device,” Avast notes.
Furthermore, the researchers discovered that it was possible to move the DNS hijack attack to the device, and that persistent storage on the device was also available, which could essentially allow an attacker to store malware payloads or other tools, thus persisting through reboots and resets.
“And as a bonus, when we added something to /config and performed a factory-reset, the files remained. So even if a user performed a factory reset, the files added to this directory would be left untouched,” Avast explains.
On top of that, the security researchers discovered that the firmware has a wget utility built-in, which allows for the fetching of data from HTTP servers, meaning that adversaries could easily download malicious binaries within the telnet session.
The researchers successfully downloaded a Mirai version onto the set-top box, which, they discovered, closed the telnet daemon, thus preventing other malware from infecting the same device, and started scanning the Internet for additional devices to infect.
“Do not use your set-top box’s network functionality unless it’s absolutely necessary. You are probably better off checking the weather forecast or news on your phone,” Avast notes.
Users are advised to scan their devices for open ports, in the event they do want to connect the device to the network, disable Universal Plug and Play (UPnP) if it is enabled, and check port forwarding configuration and disable it unless absolutely necessary.
Two CVE identifiers were issued for the discovered vulnerabilities, namely CVE-2020-11617, which impacts the RSS application on Thomson THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set-top boxes, and CVE-2020-116180, for the telnet services hardcoded to start on boot, on both devices.
The researchers contacted the affected vendors, but the issues remain unpatched. While Philips did respond, it said that the subcontractor it uses for new set-top boxes won’t fix the vulnerabilities, and Thomson never replied, the researchers say.
“It is unfortunate that companies continue to push products to the market with no intention of releasing firmware updates and no way for the average customer to secure their box, which in this case is simply disabling Telnet and updating the RSS/Weather apps to use TLS. This negligence affects customers who either cannot afford a new TV or see no need to replace a TV that’s in perfect working order,” Avast concludes.