Hijacking Smart TVs With IR: The Research
IR Has No Authentication
Infrared remote control has been the standard control interface for televisions since the 1980s. In all that time, not a single IR protocol has implemented authentication. Any IR signal on the correct carrier frequency with the correct pulse pattern is accepted by the receiver as a legitimate command. There is no pairing process, no handshake, no cryptographic verification.
This was a reasonable design choice when televisions were passive display devices. The worst outcome of an unauthorized IR command was someone changing your channel. But smart TVs run full operating systems with web browsers, app stores, network connections, and microphones. An unauthorized IR command to a smart TV can open a browser, navigate to a malicious URL, change network settings, or enable remote management features.
The security model of IR remote control - trust any signal that matches the protocol - has not evolved, even as the capabilities of the devices it controls have expanded enormously.
How IR Remote Control Works
IR remote controls communicate using modulated infrared light, typically at a carrier frequency of 38 kHz. The remote transmits pulses of IR light in patterns defined by the manufacturer's protocol. The TV's IR receiver demodulates the signal and interprets the pulse pattern as a specific command.
graph TD
subgraph "IR Communication"
A[Remote Control Button Press] --> B[IR LED Transmits Pulses]
B --> C[38 kHz Modulated Signal]
C --> D[Line-of-Sight Transmission]
D --> E[TV IR Receiver]
E --> F[Demodulate and Decode]
F --> G[Execute Command]
end
subgraph "No Security Layer"
H[No Pairing]
I[No Authentication]
J[No Encryption]
K[Any Matching Signal Accepted]
end
IR communication chain - from button press to command execution with zero authentication
Common IR protocols include NEC (used by many Asian manufacturers), Sony SIRC, RC-5 and RC-6 (Philips), and Samsung's proprietary protocol. Each defines a specific pulse timing scheme, address space (to distinguish between devices), and command set. The protocols are publicly documented and easily replicated.
The address field in IR protocols was designed for device selection (so a TV remote does not accidentally control a DVD player), not for security. Once an attacker knows the address code for a target TV model, they can send any command in the protocol's command set.
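The receiver-side logic described above, as an added example that is not code from the original article or from any TV vendor: a decoder for the classic NEC frame (8-bit address and command, each followed by its bitwise inverse, least significant bit first). The 25% timing tolerance, the `sample_frame` helper and the address/command values used with it are assumptions made up for illustration.

```python
# Classic NEC timings in microseconds (leader, then 32 pulse-distance bits).
LEAD_MARK, LEAD_SPACE = 9000, 4500
BIT_MARK, ZERO_SPACE, ONE_SPACE = 562, 562, 1687
TOL = 0.25  # assumed receiver tolerance; real receivers vary


def near(measured, nominal):
    """True when a measured duration is within tolerance of the nominal one."""
    return abs(measured - nominal) <= nominal * TOL


def decode_nec(timings):
    """Decode alternating mark/space durations into (address, command).

    Returns None for a malformed frame. The only checks are pulse timing
    and the two inverse bytes: an integrity test against noise. No field
    identifies or authenticates the transmitter.
    """
    if len(timings) < 67:
        return None
    if not (near(timings[0], LEAD_MARK) and near(timings[1], LEAD_SPACE)):
        return None
    bits = []
    for i in range(2, 66, 2):
        mark, space = timings[i], timings[i + 1]
        if not near(mark, BIT_MARK):
            return None
        if near(space, ONE_SPACE):
            bits.append(1)
        elif near(space, ZERO_SPACE):
            bits.append(0)
        else:
            return None
    if not near(timings[66], BIT_MARK):  # trailing stop mark
        return None
    # Four bytes, each sent least significant bit first.
    b = [sum(bit << n for n, bit in enumerate(bits[k:k + 8]))
         for k in range(0, 32, 8)]
    addr, addr_inv, cmd, cmd_inv = b
    if addr ^ addr_inv != 0xFF or cmd ^ cmd_inv != 0xFF:
        return None
    return addr, cmd


def sample_frame(addr, cmd, jitter=0):
    """Build a constructed capture (not recorded from a real device)."""
    t = [LEAD_MARK + jitter, LEAD_SPACE - jitter]
    for byte in (addr, addr ^ 0xFF, cmd, cmd ^ 0xFF):
        for n in range(8):
            space = ONE_SPACE if byte >> n & 1 else ZERO_SPACE
            t += [BIT_MARK + jitter, space - jitter]
    return t + [BIT_MARK]
```

Two captures with different timing jitter, standing in for two different transmitters, decode to the same (address, command) pair, which is all the receiver ever sees.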
Demonstrated Attacks on Smart TVs
Security researchers have demonstrated several attack scenarios against smart TVs using IR commands.
Opening the browser to an attacker-controlled URL is the most impactful demonstration. Many smart TVs have an IR command to open the built-in web browser and a mechanism to input URLs using directional pad commands. An automated IR transmitter can type a URL character by character and navigate to a page that hosts an exploit, a phishing form, or malicious content.
Changing network settings via IR commands can redirect the TV's DNS to an attacker-controlled server. If the TV resolves DNS through the attacker's server, the attacker can redirect streaming services, update checks, and other network requests to malicious servers.
Enabling developer mode or remote debugging exposes the TV's operating system to network-based attacks. Samsung TVs, for example, have a hidden menu accessible through a specific IR command sequence that enables developer mode and SSH access. LG TVs have similar hidden service menus.
Factory reset via IR destroys the owner's configuration, removes installed apps, and disconnects streaming service accounts. While not a data theft vector, it is disruptive and can be used for harassment or extortion.
Meeting Room and Conference Display Attacks
Corporate meeting rooms and conference spaces present a particularly interesting IR attack surface. Projectors, large displays, and video conferencing systems in these spaces all accept IR commands - and they often display sensitive business information.
graph TD
subgraph "Meeting Room IR Attack Scenarios"
A[Attacker in Adjacent Room] --> B[High-Power IR Through Window/Wall Gap]
B --> C[Target Projector/Display]
C --> D[Change Input Source]
C --> E[Power Off During Presentation]
C --> F[Open Browser on Display]
C --> G[Adjust Settings - Offensive Content]
end
subgraph "Physical Access Scenarios"
H[IR Blaster Hidden in Room] --> C
I[Modified TV Remote Left Behind] --> C
end
Meeting room IR attack scenarios - displays in corporate settings accept commands from any IR source
An attacker with brief physical access to a meeting room could leave a small, battery-powered IR transmitter hidden under a table or behind equipment. Programmed on a timer or triggered remotely (via WiFi or Bluetooth), the transmitter could disrupt presentations by powering off the display, changing the input source, or adjusting the picture to be unusable.
More sophisticated attacks could target the smart functionality of the display. If the meeting room display is a smart TV with a browser, the same URL injection technique applies. A display navigating to an attacker-controlled page during a board meeting would be embarrassing at minimum and could be used for social engineering or disinformation.
Extending IR Range
Standard IR remotes have a range of approximately 5-10 meters and require approximate line-of-sight to the receiver. This limits the attack surface to scenarios where the attacker is in the same room or has a clear view of the TV's IR receiver.
However, IR range can be extended significantly. High-power IR LEDs can push the effective range to 30 meters or more. IR laser diodes can reach even further with precise aiming. Reflected IR signals can bounce off walls and ceilings, reaching receivers that are not in direct line of sight.
Research has also demonstrated IR transmission through windows. A high-power IR transmitter outside a building can potentially reach a TV or display visible through a window. The IR signal passes through glass with some attenuation but remains decodable at the receiver.
Smart TV Browser Exploitation
Smart TV browsers are particularly attractive targets because they often run outdated rendering engines with known vulnerabilities. TV manufacturers update their browser components less frequently than desktop or mobile browser vendors. A smart TV purchased in 2022 may still be running a browser engine from 2020 or earlier, with known exploits available.
If an IR attack successfully navigates the TV's browser to an exploit page, the attacker potentially gains code execution on the TV's operating system. From there, they can access the TV's microphone (present for voice search features), camera (if equipped), local network connection, and any credentials stored for streaming services.
The combination of IR-based URL injection and browser exploitation creates a wireless attack path from outside the room to code execution on a device connected to the home or corporate network.
The BLEShark Nano IR Blaster
The BLEShark Nano includes an IR blaster capable of transmitting IR signals across common protocols. For security professionals conducting authorized assessments, this provides a tool to demonstrate IR-based attack scenarios to stakeholders.
The Nano can record IR signals from existing remotes and replay them, as well as transmit arbitrary IR commands using known protocol definitions. This allows testers to demonstrate that meeting room displays, lobby TVs, and other IR-controlled devices can be manipulated from any device that can produce the correct IR signal.
The demonstration value is significant. Many organizations are unaware that their conference room displays - which may show sensitive presentations, financial data, or strategic plans - can be controlled by any device that can transmit IR. Showing this capability during a security assessment motivates investment in mitigations.
Limited Defenses
Defending against IR attacks is challenging because the protocol itself has no security mechanism to build upon.
Physical security of the IR receiver is the primary mitigation. Covering the IR receiver with a physical shield that blocks external signals while allowing a controlled remote to operate prevents unauthorized command injection. Some commercial display mounts include IR receiver covers.
Disabling the IR receiver entirely and using an alternative control method (network-based control, HDMI-CEC, or a dedicated control system like Crestron or AMX) removes the IR attack surface. This is practical in corporate meeting rooms where a professional AV control system is already installed.
Network segmentation isolates smart TVs from sensitive network resources. Even if a TV is compromised via IR-based browser exploitation, proper segmentation prevents the attacker from reaching corporate servers, file shares, or other critical systems.
The fundamental problem remains: IR was designed in an era when "remote control" meant changing channels, and the protocol has not been redesigned for an era when the "TV" is actually a networked computer with a microphone, a camera, and access to the local network.