Security Holes Opened Back Door To TCL Android Smart TVs (securityledger.com)
chicksdaddy shares a report from The Security Ledger: Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set's owners. The security holes appear to have been patched by the manufacturer in early November. However, the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner's knowledge or permission, according to a report published on Monday by two security researchers.
The report describes two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989. That flaw, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned. Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV's Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055.
The researchers, John Jackson, an application security engineer for Shutter Stock, and the independent researcher known by the handle "Sick Codes," said the flaws amount to a "back door" on any TCL Android smart television. "Anybody on an adjacent network can browse the TV's file system and download any file they want," said Sick Codes in an interview via the Signal platform. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail. If the TCL TV set was exposed to the public Internet, anyone on the Internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.
Smart tvs lol (Score:1)
If posting the whole article keep the funny part.. (Score:5, Informative)
According to the researchers, TCL patched the vulnerabilities they had identified silently and without any warning. “They updated the (TCL Android) TV I was testing without any Android update notification or warning,” Sick Codes said. Even the reported firmware version on the TV remained unchanged following the patch. “This was a totally silent patch – they basically logged in to my TV and closed the port.”
Sick Codes said that suggests that TCL maintains full, remote access to deployed sets. “This is a full on back door. If they want to they could switch the TV on or off, turn the camera and mic on or off. They have full access.”
Jackson agreed and said that the manner in which the vulnerable TVs were updated raises more questions than it answers. “How do you push that many gigabytes (of data) that fast with no alert? No user notification? No advisory? Nothing. I don’t know of a company with good security practices that doesn’t tell users that it is going to patch.”
Re:If posting the whole article keep the funny par (Score:5, Insightful)
Re: (Score:2, Interesting)
Re: (Score:3)
For all of its failings (and they are legion) Microsoft doesn't secretly update your PC. After your PC reboots due to an unblockable update, when it comes back up you can see the reason in the update history.
Sneaking in an update to close a sophomoric security hole would be low even for Microsoft. Whataboutism for the purposes of making excuses for bad behavior is especially pathetic when it's not even correct. Microsoft is generally quite open about how they're fucking you. The only significant exception o
Re: (Score:1)
Re: (Score:2)
Is openly installing a new OS version with ads better than secretly closing a vulnerability?
It's better from the standpoint of transparency.
I don't run Windows 10, I tried it (laptop came with it) and hated it (installed Mint.)
Re: (Score:2, Insightful)
Ooo it's the Chinese, M$ does exactly the same thing, hell double boot and they will firmware hack your computer, straight into BIOS with an illegal letter from any US agency.
You all make it sound like a big deal when M$ does the same fucking thing, even when you are using the device. Well, at least TCL did not brick any TVs like M$ regularly bricks PCs with forced updates.
How do they know it was GB of data? (Score:3)
I have been skimming the linked articles (and searching them) and haven't come up with any information to support the claim that they pushed gigabytes of data.
A full system update might be multiple GB, but they could easily issue a patch that would change some startup files in just a few kB.
Is there some evidence somewhere that they actually pushed a full update?
Re: (Score:1)
You buy the cheapest TVs on the market (Score:3, Insightful)
and you are surprised it is a shit show with security holes, open backdoors, and active complete stealth control from the vendor?
Re:You buy the cheapest TVs on the market (Score:4, Insightful)
I'm surprised a TV has a microphone, personally.
I'm also surprised people didn't boycott smart devices with surveillance hardware built-in when they started coming onto the market. There used to be a time when people actually cared about the safety of their home and their privacy.
Re: (Score:3)
Your first statement just proves your second statement's reason.
People can't boycott something they know nothing about. And most people have no idea what their TV does because they don't or won't read the free manual.
Re:You buy the cheapest TVs on the market (Score:5, Interesting)
Because you're old, like me, and don't see 77" TVs as a communication device. Today's younger generation sees these as nothing more than giant iPads and it helps Grandma videochat.
The bigger question is if this android device had a firmware hole that allowed this on a TV - how many android phones have the same "glitch" that are patched without your permission?
Re: (Score:3)
The sad part is that tv already had more updates than a lot of phones.
Re: (Score:2)
Even if they didn't, most sound chipsets can mux all the I/O lines and in some cases could use the speakers as a rudimentary microphone.
Re: (Score:2)
I believe the microphone is generally in the remote. Or at least that is where it is on the Roku version so you can do voice searches [youtube.com].
I don't own a smart TV but I've tested the functionality on friends/family and it's very useful when you want to find a way to watch a specific movie/show and have no idea what channel/streaming service actually has it.
Re: (Score:3)
and you are surprised it is a shit show with security holes, open backdoors, and active complete stealth control from the vendor?
You buy any smart entertainment devices on the market and you are surprised it is a shit show... FTFY
The big difference here is that the shit show is more visible. Oh, wait... wasn't there something a few months ago about a whole bunch of Samsung smart DVD players being totally bricked by an update? That was pretty visible too. Never mind the cheapness of the hardware or how well known the company is: if it's a 'smart' device, then it's not a smart choice unless you have the will or the knowledge to mitigat
Re: (Score:2)
Re: (Score:2)
"There is no personal info in my TV or mic or camera": 'Smith!' screamed the shrewish voice from the telescreen. '6079 Smith W.! Yes, you! Bend lower, please! You can do better than that. You're not trying. Lower, please! That's better, comrade.'
No one should buy TCL, they demand a credit card# (Score:1, Flamebait)
I bought one on sale once. Returned it to the store less than two hours later after discovering it refused to work as a smart tv until it had a credit card number or PayPal account. Fuuck that. The only other TV I've seen wanting an account is Samsung, no credit card required, and only to download apps not installed by default.
Re:No one should buy TCL, they demand a credit car (Score:4, Informative)
Re: (Score:2)
Then you're either ignorant or lying about lying. Flat out, I had to register an account before I could get to Netflix, Amazon Prime, etc.
Re: (Score:2)
Re: (Score:2)
And I own a Ford Pinto where the gas tank has never exploded. Doesn't mean it wasn't a problem, though.
Re: (Score:2)
Re: (Score:2)
55", over a year ago. Maybe they've pulled their heads out after enough returns/complaints, but after creating a Roku account I was left with giving credit card/PayPal information or Store Mode. My Samsung insisted on having an account before downloading new apps, but at least a junk email address worked for that.
Re: (Score:2)
Re: (Score:2)
Sure sure. I mean the TV wouldn't work aside from changing the volume and connecting to HDMI (store mode). No smart TV function, no Netflix, no Amazon Prime, nada. Until you gave them a credit card. The recent Vizio and Samsung TVs I've used spam you with content you would have to register an account and pay for, but it's totally optional.
Re: (Score:2)
If this was a Roku TV, the Roku web site asks for a CC# during the creation of an account. You can skip this step.
Re: (Score:2)
There was no skip option on the TCL that I returned to Walmart. Only options were to give them a credit card number, or go into store mode where you could only play from HDMI.
Re: (Score:2)
No, not on the TV itself. You'd have to create the Roku account from a phone or computer.
Re: (Score:2)
Yeah, I did that. And searched online before returning since it was already mounted on the wall. Credit card or paypal required. If they had some super secret opt-out option, they still didn't deserve my money for making it a pain in the ass.
Never blame incompetence (Score:1)
Because that's an easy get out.
It's so easy to accidentally have security holes or this odd buffer overflow, and do your back door that way - so if anyone comes along and finds it they can't shriek backdoor backdoor, evil {state actor}! Instead it's just a security hole, accepted by many as run of the mill.
Amazing they keep happening though.
The FCC should get involved (Score:4, Interesting)
Re: (Score:2)
How can the software be upgraded - and the revision number remain the same?
The displayed revision number often comes from one particular file's version in the file system. A typical Android phone/tablet/appliance has many hundreds of components that can be updated independently by Google Play without affecting the operating system's displayed version number. Why would anyone expect a cheap Chinese television to be less evil than Google itself?
Re:The FCC should get involved (Score:4, Interesting)
There was a case where an Australian diplomat in a Chinese hotel physically unplugged the room Smart TV, only to have service knock on the door to fix the problem.
Not exactly a new feature for hotel TVs; originally, and in its simplest form, it was to prevent the TVs walking out the door.
Re: (Score:1)
Re:The FCC should get involved (Score:4, Interesting)
Their patch process is sleazy but there's no certification process for a smart TV. There are only certifications having to do with RF emissions, which they probably also don't have/faked.
Re: (Score:2)
> How can the software be upgraded - and the revision number remain the same?
Do you think NSA hates or loves that feature?
Re: (Score:2)
Comrade, this is Chinese-made TV. This is for benefit of CCP, not NSA.
Deserve what you get (Score:3)
If you plug an appliance, with all the patching issues involved, such as this into an internet connected network you deserve what you get. Use an Android TV device such as an Nvidia Shield that will be patched regularly and keep the TV off the network.
David
Re: (Score:2)
Don't trust one Android device, trust another?
If you're going to just offload the security risk to a different brand, why not just buy the TV from the trusted brand?
Never buy connected T.V.! (Score:3)
Another excellent reason not to buy a smart T.V., is that updates will slow down, and eventually stop, long before you replace it. In fact, you may have to replace your fancy smart T.V. due to the lack of updates.
Buy a dumb monitor instead, and then a media player. While Roku media players do have their own issues, at least they don't have cameras. (Though you have to get a remote without a microphone!)
Limit the tracking that the New World Order can do, to your smart phone!
Re: (Score:2)
Or you just buy a $25 Roku to attach to it. Seriously, my 2011 55" Vizio is still just fine. It doesn't have 4K and most of the 'smart' apps no longer work, but really it is fine.
- Necron69
Re: (Score:2)
This is like trying to buy a laptop without Windows. Just let them get paid kickbacks to install apps and then never connect it to the Internet. It costs less. Plug in a Roku. If you're worried about it beyond that, clip the wireless antenna lead too.
Adjacent Network (Score:3)
First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989.
What the heck is an adjacent network? The network next to your network? Do they mean one subnet over, as in the subnet next door? Or on the same network?
Re: (Score:2)
I wondered the same. Good luck on them routing the adjacent 192.168.x.x+1 over the internet. I'm thinking that "adjacent" doesn't mean what the author thinks it does.
Dumb TVs still exist (Score:2)
Time again for the dumb TV PSA:
You can buy "digital signage", "commercial" and so on TVs that are still dumb. Most of them have a tuner, so that one wiring plant can be used to operate multiple televisions-as-signs on different channels using up converters. You just run coax to all the TVs and then tune in the channel you want instead of having to worry about network connectivity beyond the wiring. They are not even generally much more expensive than smart TVs, although if you try you can spend much more. T
Re: (Score:2)
Re: (Score:2)
Re: Dumb TVs still exist (Score:2)
Look on amazon and search for "digital signage LCD" for example. I literally gave you everything you needed to find them in my prior comment.
Re: (Score:2)
Don't buy "smart" TVs unless they are essentially free.
The head of Vizio admitted that their intrusive tracking and marketing of user data is how they (and presumably others) have managed to lower their prices to the level they're at. So, I just buy a smart TV, don't add it to my network, and use it behind an AppleTV thereby gaining the marketing subsidy, without the privacy implications. (Apple's privacy policy disclaims the marketing of user information and if they've broken it they haven't been caught yet.)
TCL ? (Score:2)
REMINDER: Eschew 'smart' TVs and others (Score:2)