(stupid one) physical security of remotes?



Now, I have this ridiculous question about a topic that is not strictly
infosec-ish (at least not historically); still, this is probably the best
place to ask, so I'll go ahead...

It's not terribly important, but got me wondering while I was doing
research on something just remotely related to that topic.

The question is: has anyone at least semi-comprehensively researched and
reported on the potential for abuse of infrared remote control
communications in cable TV set-tops and various other appliances of this
nature?

Yeah, it is well-known and well-documented that various harmless pranks -
such as turning the device on or off - can be played with universal
remotes or computer-controlled transmitters (including high-output hacks
that could work over considerable distances, with no line-of-sight). In
fact, there are commercial products trying to capitalize on this
possibilitty [http://www.thinkgeek.com/gadgets/electronic/755e/].

What I couldn't find are reliable discussions of the opportunities for
going beyond mere annoyance - by causing actual financial harm or legal
trouble to single victims or entire communities. It's easy to think of
such attack scenarios, e.g.: a) in many hotels and using some set-top
boxes, it is possible to automatically order PPV or request other paid
services and have the customer automatically charged a hefty fee he'd have
a real hard time fighting off; b) more advanced digital TV boxes can be
reconfigured or even locked out to prevent use by owners; c) media center
appliances let you send out mails or attack websites (whoop!).

Granted, (a) in non-hotel situations can be mitigated by PIN requests, but
just how many people configure any PINs on settop boxes, unless they have
unruly kids...

I also couldn't find any information on efforts to remediate this, even
though many similar technologies had their flaws addressed in the meantime
(replay attacks on wireless car / garage entry, proximity card replay
attacks, snooping of wireless phones, networks, random bluetooth pairing,
RF keyboard attacks, etc).

I know there must be some anecdotal mentions of hotel PPV attacks, of
"heard something like that on CCC congress" variety - but have you seen
anything that indicates that vendors of such technologies are aware of
abuse potential, and did something (or dismissed the threat)?

Or is it really something that went unnoticed by the mainstream for all
these years? If anything, even if such attacks never occur to real people,
this would be a great way to duck your way out of the court - "but judge,
it wasn't me who sent out all these nastygrams from my nifty XP Media
Center gizmo!".

Mind you, I do not mean to claim this is a serious threat, nor a unique
one. I'm just curious, and surprised I couldn't Google anything up.

Cheers,
--
--------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Don't look back, the lemmings are gaining on you!
----------------------------- 2005-12-09 18:27 --

http://lcamtuf.coredump.cx/silence/



Relevant Pages

  • SecurityFocus Microsoft Newsletter #254
    ... Analyzer automatically correlates attacks from various Firewall and network ... MICROSOFT VULNERABILITY SUMMARY ... Remote: Yes ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #257
    ... Analyzer automatically correlates attacks from various Firewall and network ... MICROSOFT VULNERABILITY SUMMARY ... Veritas Storage Exec Multiple Remote DCOM Buffer Overflow Vulnerabilities ... Relevant URL: http://www.securityfocus.com/bid/14801 ...
    (Focus-Microsoft)
  • RE: (stupid one) physical security of remotes?
    ... possibilities for abuse of infrared setup boxes. ... similarly evil things could be done with home setup boxes. ... physical security of remotes? ... attacks, snooping of wireless phones, networks, random bluetooth pairing, ...
    (Vuln-Dev)
  • ASPR #2010-11-05-01: Remote Binary Planting in Adobe Flash Player
    ... Simon Raner of ACROS Security ... and executed from local drives, remote Windows shares, and even shares ... located on Internet. ... Stopping the Web Client service could stop Internet-based attacks as ...
    (Bugtraq)
  • [Full-disclosure] ASPR #2010-11-10-3: Remote Binary Planting in Microsoft Excel 2010
    ... Simon Raner of ACROS Security ... executed from local drives, remote Windows shares, and even shares located ... the intermediate firewalls allow outbound HTTP traffic to the Internet. ... Stopping the Web Client service could stop Internet-based attacks as ...
    (Full-Disclosure)