Vulnerability Development mailing list archives
RE: (stupid one) physical security of remotes?
From: "Stejerean, Cosmin" <cosmin () cti depaul edu>
Date: Tue, 13 Dec 2005 15:21:18 -0600
There was a presentation at Defcon 13 (this past summer) with the title "Old Skewl Hacking - Infrared" by Major Malfunction that showed a lot of the possibilities for abuse of infrared setup boxes. It showed how he used infrared to hijack someone else's email session, view charges of other people's rooms and even get control of an NT box that was somehow connected to the TV system. The presentation was mostly focused on hotels but I'm sure similarly evil things could be done with home setup boxes. You might be able to find the presentation slides online.

Regards,
Cosmin Stejerean

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () dione ids pl]
Sent: Friday, December 09, 2005 12:28 PM
To: vuln-dev () securityfocus com
Cc: vulndiscuss () vulnwatch org
Subject: (stupid one) physical security of remotes?

Now, I have this ridiculous question about a topic that is not strictly infosec-ish (at least not historically); still, this is probably the best place to ask, so I'll go ahead... It's not terribly important, but got me wondering while I was doing research on something just remotely related to that topic.

The question is: has anyone at least semi-comprehensively researched and reported on the potential for abuse of infrared remote control communications in cable TV set-tops and various other appliances of this nature?

Yeah, it is well-known and well-documented that various harmless pranks - such as turning the device on or off - can be played with universal remotes or computer-controlled transmitters (including high-output hacks that could work over considerable distances, with no line-of-sight). In fact, there are commercial products trying to capitalize on this possibility [http://www.thinkgeek.com/gadgets/electronic/755e/].

What I couldn't find are reliable discussions of the opportunities for going beyond mere annoyance - by causing actual financial harm or legal trouble to single victims or entire communities.

It's easy to think of such attack scenarios, e.g.:

a) in many hotels and using some set-top boxes, it is possible to automatically order PPV or request other paid services and have the customer automatically charged a hefty fee he'd have a real hard time fighting off;

b) more advanced digital TV boxes can be reconfigured or even locked out to prevent use by owners;

c) media center appliances let you send out mails or attack websites (whoop!).

Granted, (a) in non-hotel situations can be mitigated by PIN requests, but just how many people configure any PINs on settop boxes, unless they have unruly kids...

I also couldn't find any information on efforts to remediate this, even though many similar technologies had their flaws addressed in the meantime (replay attacks on wireless car / garage entry, proximity card replay attacks, snooping of wireless phones, networks, random bluetooth pairing, RF keyboard attacks, etc).

I know there must be some anecdotal mentions of hotel PPV attacks, of "heard something like that on CCC congress" variety - but have you seen anything that indicates that vendors of such technologies are aware of abuse potential, and did something (or dismissed the threat)? Or is it really something that went unnoticed by the mainstream for all these years?

If anything, even if such attacks never occur to real people, this would be a great way to duck your way out of the court - "but judge, it wasn't me who sent out all these nastygrams from my nifty XP Media Center gizmo!".

Mind you, I do not mean to claim this is a serious threat, nor a unique one. I'm just curious, and surprised I couldn't Google anything up.

Cheers,
--
--------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Don't look back, the lemmings are gaining on you!
----------------------------- 2005-12-09 18:27 --
http://lcamtuf.coredump.cx/silence/