Vulnerability Development mailing list archives

RE: (stupid one) physical security of remotes?


From: "Stejerean, Cosmin" <cosmin () cti depaul edu>
Date: Tue, 13 Dec 2005 15:21:18 -0600

There was a presentation at Defcon 13 (this past summer) with the title "Old
Skewl Hacking - Infrared" by Major Malfunction that showed a lot of the
possibilities for abuse of infrared setup boxes. It showed how he used
infrared to hijack someone else's email session, view charges of other
people's rooms and even get control of an NT box that was somehow connected
to the TV system. The presentation was mostly focused on hotels but I'm sure
similarly evil things could be done with home setup boxes. You might be able
to find the presentation slides online.

Regards,

Cosmin Stejerean

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf () dione ids pl] 
Sent: Friday, December 09, 2005 12:28 PM
To: vuln-dev () securityfocus com
Cc: vulndiscuss () vulnwatch org
Subject: (stupid one) physical security of remotes?

Now, I have this ridiculous question about a topic that is not strictly
infosec-ish (at least not historically); still, this is probably the best
place to ask, so I'll go ahead...

It's not terribly important, but got me wondering while I was doing
research on something just remotely related to that topic.

The question is: has anyone at least semi-comprehensively researched and
reported on the potential for abuse of infrared remote control
communications in cable TV set-tops and various other appliances of this
nature?

Yeah, it is well-known and well-documented that various harmless pranks -
such as turning the device on or off - can be played with universal
remotes or computer-controlled transmitters (including high-output hacks
that could work over considerable distances, with no line-of-sight). In
fact, there are commercial products trying to capitalize on this
possibility [http://www.thinkgeek.com/gadgets/electronic/755e/].

What I couldn't find are reliable discussions of the opportunities for
going beyond mere annoyance - by causing actual financial harm or legal
trouble to single victims or entire communities. It's easy to think of
such attack scenarios, e.g.: a) in many hotels and using some set-top
boxes, it is possible to automatically order PPV or request other paid
services and have the customer automatically charged a hefty fee he'd have
a real hard time fighting off; b) more advanced digital TV boxes can be
reconfigured or even locked out to prevent use by owners; c) media center
appliances let you send out mails or attack websites (whoop!).

Granted, (a) in non-hotel situations can be mitigated by PIN requests, but
just how many people configure any PINs on set-top boxes, unless they have
unruly kids...

I also couldn't find any information on efforts to remediate this, even
though many similar technologies had their flaws addressed in the meantime
(replay attacks on wireless car / garage entry, proximity card replay
attacks, snooping of wireless phones, networks, random bluetooth pairing,
RF keyboard attacks, etc).

I know there must be some anecdotal mentions of hotel PPV attacks, of
"heard something like that on CCC congress" variety - but have you seen
anything that indicates that vendors of such technologies are aware of
abuse potential, and did something (or dismissed the threat)?

Or is it really something that went unnoticed by the mainstream for all
these years? If anything, even if such attacks never occur to real people,
this would be a great way to duck your way out of the court - "but judge,
it wasn't me who sent out all these nastygrams from my nifty XP Media
Center gizmo!".

Mind you, I do not mean to claim this is a serious threat, nor a unique
one. I'm just curious, and surprised I couldn't Google anything up.

Cheers,
-- 
--------------------------- bash$ :(){ :|:&};: --
   Michal Zalewski * [http://lcamtuf.coredump.cx]
Don't look back, the lemmings are gaining on you!
----------------------------- 2005-12-09 18:27 --

       http://lcamtuf.coredump.cx/silence/

