New Platform, Old Issues: How Web-based TV Broadcasts threaten Users' Security

PDF Paper

Authors

Carlotta Tagliaro, Andrej Danis, Kevin Borgolte, Martina Lindorfer

Publication

Proceedings of the 23rd Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2026

Abstract

Hybrid digital TV, combining standard television broadcasts with Internet content, has become the de facto standard for delivering broadcast TV. One such web-based TV standard is the Hybrid Broadcast Broadband TV (HbbTV), which is used in Europe, Oceania, and parts of Asia. With millions of supported devices, and the trust users put into this traditional type of media, security is crucial. While prior work has examined privacy risks due to tracking, the security of the HbbTV protocol and its implementation remain underexplored.

In this paper, we present the first cross-vendor security analysis of HbbTV browsers on Smart TVs. We focus on three devices, from Toshiba (Android TV), Samsung (Tizen OS), and LG (WebOS), manufactured over the last nine years. We show that attackers can inject malicious HbbTV applications into broadcast streams and compromise TVs without user interaction through the built-in HbbTV browser. In particular, we show that all three TVs are vulnerable to denial of service (making the TV unusable), spoofing (replacing news banners with fake ones to spread misinformation), as well as phishing (tricking users into inputting sensitive information, like credentials) attacks, and that the Toshiba and LG TVs give attackers local network access to send web requests to other connected devices, potentially enabling attackers to move laterally within the user’s network. We discuss that the root causes are two-fold: HbbTV application capabilities and outdated embedded browser runtimes. Addressing these risks requires systemic changes to both the HbbTV specification and its implementations.

BibTeX

@inproceedings{dimva2026-hbbtv-old-issues,
  title     = {{New Platform, Old Issues: How Web-based TV Broadcasts threaten Users' Security}},
  author    = {Tagliaro, Carlotta and Danis, Andrej and Borgolte, Kevin and Lindorfer, Martina},
  booktitle = {Proceedings of the 23rd Conference on Detection of Intrusions and Malware \& Vulnerability Assessment (DIMVA)},
  series    = {Lecture Notes in Computer Science (LNCS)},
  code      = {https://github.com/SecPriv/HbbTV-attack-toolkit},
  date      = {2026-07},
  editor    = {Moonsamy, Veelasha and D'Elia, Daniele Cono},
  location  = {Chania, Greece},
  publisher = {Springer International Publishing}
}