A modular research toolkit for analyzing the security of Smart TVs through the HbbTV runtime.
This repository contains the proof-of-concept toolkit used in our study of HbbTV-enabled Smart TVs. It combines:
- a Python control server
- an HbbTV client application served to the TV
- a Socket.IO control channel between the TV and the operator console
The toolkit was designed to support controlled, reproducible security experiments on lab-owned devices.
This project is intended exclusively for research, testing, and educational use in controlled environments. Do not use this toolkit against devices, networks, or broadcast infrastructure you do not own or explicitly have permission to test. Real-world broadcast injection and unauthorized device interaction may be illegal and harmful.
Once the HbbTV application is launched on a compatible Smart TV, the operator can interact with connected clients from the terminal menu.
Current capabilities include:
- display connected client information
- request HbbTV/browser/device metadata from the client
- trigger denial-of-service style UI disruption
- show and remove a fake banner overlay
- display a phishing-style popup and collect submitted input
- switch TV channels
- start a local network scan from the TV browser context
- issue HTTP requests from the TV to local or external targets
- evaluate custom JavaScript on the target
- redirect the target to another URL
- reload the target application
These actions are implemented through the Python entry point and helper modules in the repository. The HbbTV-side assets are located in the hbbtv/ directory. The repository currently includes files such as attack_toolkit.py, ClientManager.py, dos.py, fakenews.py, phishing.py, net_scan.py, http_request.py, and the HbbTV client files under hbbtv/.
.
├── attack_toolkit.py # Main Flask/Socket.IO server and terminal UI
├── ClientManager.py # Connected-client tracking
├── request_data.py # Requests for configuration/app metadata
├── dos.py # DoS trigger
├── fakenews.py # Fake banner controls
├── phishing.py # Popup/phishing controls
├── net_scan.py # Local network scan trigger
├── http_request.py # HTTP requests from the target
├── channel_switch.py # Channel switching actions
├── prompt.py # Terminal menu helpers
├── hbbtv/
│ ├── entry.html # HbbTV entry point
│ ├── entry.js # Client-side logic
│ ├── rc-buttons.js # Remote-control handling
│ ├── webscan.js # Browser-based network scanning
│ ├── abort-controller.js # Compatibility helper
│ ├── socket.io.min.js # Socket.IO client
│ └── ...
└── requirements.txt # Python dependencies- Python 3.6 or newer
- A machine reachable by the target TV over the network
- A compatible HbbTV-capable Smart TV in a controlled lab setup
- A way to deliver the HbbTV application to the TV (for example, through an injected/custom DVB stream with an AIT that points to this server)
The current Python dependencies are listed in requirements.txt and include Flask, Flask-SocketIO, colorlog, and simple-term-menu.
Create a virtual environment and install the dependencies:
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txtStart the control server:
python attack_toolkit.pyBy default, the server listens on:
- host:
0.0.0.0 - port:
5000
You can also choose a custom bind address and port:
python attack_toolkit.py -ip 0.0.0.0 -p 5000After startup, the toolkit:
- launches a Flask server
- serves the HbbTV client from the
hbbtv/directory - waits for incoming Socket.IO client connections
- opens a terminal-based operator menu
The HbbTV application is served from the /hbbtv/ path by the Python server.
The HTML entry point is delivered with the HbbTV MIME type and cache-control headers to improve compatibility with HbbTV runtimes.
In practice, the Smart TV must be directed to load this application through a broadcast-delivered AIT or another suitable HbbTV launch mechanism.
A typical experiment looks like this:
- Start the toolkit server.
- Make the server reachable from the target TV.
- Launch the HbbTV application on the TV through your broadcast/test setup.
- Wait for the client to connect back to the server.
- Use the terminal menu to inspect the client and trigger actions.
- Review output artifacts written to disk.
The toolkit stores results from different actions in separate directories, including:
config/appObject/appMgr/phishing/netscan/requests/success/requests/fail/
These files can be useful for later analysis and for documenting experimental results.
The toolkit can request browser-related and HbbTV-related information from the connected client. In our experiments, this was used together with feature-based checks in the HbbTV application to estimate the browser baseline and supported APIs.
The local network scan is browser-based and runs from inside the embedded HbbTV browser context. It does not provide a full network inventory. Instead, it identifies hosts that are reachable and observable through the networking primitives available to the target browser.
After a scan, the operator can select discovered targets and instruct the TV to send HTTP requests to them. Requests can also be sent directly to a manually entered URL.
Some actions, such as JavaScript evaluation and channel switching, can cause you to lose access to the target or interrupt the current experiment. Use them carefully.
This toolkit is a research prototype, not a production framework.
Some capabilities are highly dependent on:
- the TV vendor and model
- the HbbTV version
- the embedded browser version
- vendor-specific runtime restrictions
- the network environment
- the broadcast delivery setup
As a result, behavior may differ significantly across devices.
To use the toolkit on a real device, launch the HbbTV application on the target TV. In our workflow, this requires creating a DVB stream with an injected/custom AIT pointing to the server hosting this toolkit.
For general background on broadcast-launched HbbTV applications, see the official HbbTV developer documentation:
You may also want to document your exact broadcast/modulation setup separately, since this repository focuses on the application/toolkit side.