Is a Set-Top Virus Possible?


Cable operators are looking to expand the footprint of set-top boxes capable of running interactive TV apps written to EBIF, the CableLabs spec designed to run across virtually any digital cable box currently in use.

Now that there’s a standard, one that’s potentially running on millions of boxes, could some hacker release a malicious EBIF virus that screws up a cable service or displays some kind of spam?

Not likely, says Aslam Khader, chief technology and product officer of interactive TV firm Ensequence.

Using EBIF, “you could make a set-top do things you don’t expect — like randomly changing the channels,” he says, but adds, “It’s really not possible to crash the box with an EBIF application.”

Also note: The MSOs manage the way EBIF applications are delivered over their networks to the user agents in the set-top boxes. There are advantages to not being exposed to the open Internet, although it’s worth noting that even in the walled-garden environment malicious tricks are possible (see Comcast Call: Super Bowl Porn A ‘Malicious’ Act).

The bigger concern for cable operators is the overall stability of applications that are layered into the STB environment, Khader said, and the issue is even more acute with tru2way (a.k.a. OCAP) applications.

“The difference is, EBIF is a much smaller sandbox,” he explains. “It’s a binary specification so you can do less damage with it. OCAP is all Java, it’s a much larger sandbox — so there’s the typical paranoia by the operators, well founded, that you might introduce issues.”

Khader adds: “Even with EBIF they’re taking an extremely cautious approach.”