Security Holes Opened Back Door To TCL Android Smart TVs (securityledger.com) 55

chicksdaddy shares a report from The Security Ledger: Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set's owners. The security holes appear to have been patched by the manufacturer in early November. However the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner's knowledge or permission, according to a report published on Monday by two security researchers.

The report describes two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989. That flaw, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned. Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV's Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055.

The researchers, John Jackson, an application security engineer for Shutter Stock, and the independent researcher known by the handle "Sick Codes," said the flaws amount to a "back door" on any TCL Android smart television. "Anybody on an adjacent network can browse the TV's file system and download any file they want," said Sick Codes in an interview via the Signal platform. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail. If the TCL TV set was exposed to the public Internet, anyone on the Internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.

  • by Anonymous Coward
    I am Jack's complete lack of surprise.
  • by mattr ( 78516 ) <mattr&telebody,com> on Friday November 13, 2020 @06:08AM (#60718912) Homepage Journal

    According to the researchers, TCL patched the vulnerabilities they had identified silently and without any warning. “They updated the (TCL Android) TV I was testing without any Android update notification or warning,” Sick Codes said. Even the reported firmware version on the TV remained unchanged following the patch. “This was a totally silent patch – they basically logged in to my TV and closed the port.”

    Sick Codes said that suggests that TCL maintains full, remote access to deployed sets. “This is a full on back door. If they want to they could switch the TV on or off, turn the camera and mic on or off. They have full access.”

    Jackson agreed and said that the manner in which the vulnerable TVs were updated raises more questions than it answers. “How do you push that many gigabytes (of data) that fast with no alert? No user notification? No advisory? Nothing. I don’t know of a company with good security practices that doesn’t tell users that it is going to patch.”

    • by Arnonyrnous Covvard ( 7286638 ) on Friday November 13, 2020 @07:34AM (#60719026)
      They should just call it "telemetry". Then it will be fine. We're only bashing them because they're Chinese, aren't we? Like Microsoft doesn't have full control over your PC. Or like Amazon will let you know what its spy pods are really doing. People act like you could port scan a device and know if it has some remotely accessible service running. It is absolutely trivial to make a device behave like nothing is listening and still allow the manufacturer to remotely access the device. On any device with automatic updates, this is just one bad faith update away. Literally every manufacturer of devices with automatic updates has the capability to do everything they want with the devices, even if the current firmware doesn't have the functionality. If you understand that, then the only difference between manufacturers is whether you believe that they'll abuse that power. Microsoft installs ads on your PC and if you want to keep using the PC, you can't deny those "updates". Samsung infects their TVs (haha, you thought you own it...) with ads. Just because it's called "update" doesn't mean it even resembles the software that was on there before.
      • Re: (Score:2, Interesting)

        by Anonymous Coward
        And while you're naming names, you forgot to mention that Sony updates their devices to actively remove functionality you had from when you originally purchased it. Where do you think Tesla learned that trick from?
      • For all of its failings (and they are legion) Microsoft doesn't secretly update your PC. After your PC reboots due to an unblockable update, when it comes back up you can see the reason in the update history.

        Sneaking in an update to close a sophomoric security hole would be low even for Microsoft. Whataboutism for the purposes of making excuses for bad behavior is especially pathetic when it's not even correct. Microsoft is generally quite open about how they're fucking you. The only significant exception o

        • Can you point me to the description of the update that put ads in the start menu? Microsoft does not secretly update, as far as we know, but I didn't claim they do, just that they have the power to do it. Every product with automatic updates provides that capability. Microsoft regularly uses updates to "change the deal", openly but without any chance for you to deny the update. Is openly installing a new OS version with ads better than secretly closing a vulnerability?
          • Is openly installing a new OS version with ads better than secretly closing a vulnerability?

            It's better from the standpoint of transparency.

            I don't run Windows 10, I tried it (laptop came with it) and hated it (installed Mint.)

    • Re: (Score:2, Insightful)

      by rtb61 ( 674572 )

      Ooo it's the Chinese, M$ does exactly the same thing, hell double boot and they will firmware hack your computer, straight into bios with an illegal letter from any US agency.

      You all make it sound like a big deal with M$ do the same fucking thing, even when you are using the device. Well at least TCL did not brick any TVs like M$ regularly bricks PCs with forced updates.

    • I have been skimming the linked articles (and searching them) and haven't come up with any information to support the claim that they pushed gigabytes of data.

      A full system update might be multiple GB, but they could easily issue a patch that would change some startup files in just a few kB.

      Is there some evidence somewhere that they actually pushed a full update?

  • by ccham ( 162985 ) on Friday November 13, 2020 @06:32AM (#60718938)

    and you are surprised it is a shit show with security holes, open backdoors, and active complete stealth control from the vendor?

    • by Rosco P. Coltrane ( 209368 ) on Friday November 13, 2020 @06:58AM (#60718970)

      I'm surprised a TV has a microphone, personally.

      I'm also surprised people didn't boycott smart devices with surveillance hardware built-in when they started coming onto the market. There used to be a time when people actually cared about the safety of their home and their privacy.

      • Your first statement just proves your second statement's reason.

        People can't boycott something they know nothing about. And most people have no idea what their TV does because they don't or won't read the free manual.

      • by the_skywise ( 189793 ) on Friday November 13, 2020 @08:50AM (#60719162)

        Because you're old, like me, and don't see 77" TVs as a communication device. Today's younger generation sees these as nothing more than giant iPads and it helps Grandma videochat.

        The bigger question is if this android device had a firmware hole that allowed this on a TV - how many android phones have the same "glitch" that are patched without your permission?

      • Even if they didn't, most sound chip-sets can mux all the I/O lines and in some cases could use the speakers as a rudimentary microphone.

      • I believe the microphone is generally in the remote. Or at least that is where it is on the Roku version so you can do voice searches [youtube.com].

        I don't own a smart TV but I've tested the functionality on friends/family and it's very useful when you want to find a way to watch a specific movie/show and have no idea what channel/streaming service actually has it.

    • and you are surprised it is a shit show with security holes, open backdoors, and active complete stealth control from the vendor?

      You buy any smart entertainment devices on the market and you are surprised it is a shit show... FTFY

      The big difference here is that the shit show is more visible. Oh, wait... wasn't there something a few months ago about a whole bunch of Samsung smart DVD players being totally bricked by an update? That was pretty visible too. Never mind the cheapness of the hardware or how well known the company is: if it's a 'smart' device, then it's not a smart choice unless you have the will or the knowledge to mitigat

    • I love my 4K HDR 55" TCL. It works great, has built in Roku and was only about 350 bucks. So far I will keep buying their TVs because they are great deals and look good. There is no personal info in my TV or mic or camera and I don't need smart TVs for that matter as I use an Nvidia Shield instead. It's nice though if my shield breaks I have a built in ROKU to fall back on... or if I catastrophically lose my remote. ;) I'm sure tons of Smart TVs have security holes, they were never really designed to be se
      • "There is no personal info in my TV or mic or camera": "Smith!' screamed the shrewish voice from the telescreen. '6079 Smith W.! Yes, you! Bend lower, please! You can do better than that. You're not trying. Lower, please! That's better, comrade.

  • I bought one on sale once. Returned it to the store less than two hours later after discovering it refused to work as a smart tv until it had a credit card number or PayPal account. Fuuck that. The only other TV I've seen wanting an account is Samsung, no credit card required, and only to download apps not installed by default.

    • by TheRealMindChild ( 743925 ) on Friday November 13, 2020 @09:01AM (#60719180) Homepage Journal
      This is a lie
      • by Uberbah ( 647458 )

        Then you're either ignorant or lying about lying. Flat out, I had to register an account before I could get to Netflix, Amazon Prime, etc.

    • I have a TCL smart TV and mine does nothing like that.
      • by Uberbah ( 647458 )

        And I own a Ford Pinto where the gas tank has never exploded. Doesn't mean it wasn't a problem, though.

    • Which model are you talking about? The model I have does not do this. Granted my TCL uses Roku as the basis of their smart TV apps. I have separated it from the rest of my network.
      • by Uberbah ( 647458 )

        55", over a year ago. Maybe they've pulled their heads out after enough returns/complaints, but after creating a Roku account left me with giving credit card/paypal information or Store Mode. My Samsung insisted on having an account before downloading new apps, but at least a junk email address worked for that.

        • Wait. To understand your complaint, your Roku driven TCL TV requires a Roku account to access the Roku store to download/buy apps and content. The account requires a credit card for this. To be clear, this is 1) a requirement of Roku not TCL 2) somewhat standard for any store.
          • by Uberbah ( 647458 )

            Sure sure. I mean the TV wouldn't work aside from changing the volume and connecting to HDMI (store mode). No smart tv function, no Netflix, no Amazon Prime, nada. Until you gave them a credit card. The recent Vizio and Samsung TVs I've used spam you with content you would have to register an account and pay for, but it's totally optional.

    • If this was a Roku TV, the Roku web site asks for a CC# during the creation of an account. You can skip this step.

      • by Uberbah ( 647458 )

        There was no skip option on the TCL that I returned to Walmart. Only options were to give them a credit card number, or go into store mode where you could only play from HDMI.

        • No, not on the TV itself. You'd have to create the Roku account from a phone or computer.

          • by Uberbah ( 647458 )

            Yeah, I did that. And searched online before returning since it was already mounted on the wall. Credit card or paypal required. If they had some super secret opt-out option, they still didn't deserve my money for making it a pain in the ass.

  • by Anonymous Coward

    Because that's an easy get out.

    It's so easy to accidentally have security holes or this odd buffer overflow, and do your back door that way - so if anyone comes along and finds it they can't shriek backdoor backdoor, evil {state actor}! Instead it's just a security hole, accepted by many as run of the mill.

    Amazing they keep happening though.

  • by Canberra1 ( 3475749 ) on Friday November 13, 2020 @07:30AM (#60719020)
    How can the software be upgraded - and the revision number remain the same? Up there with Boeing. Super clear breach. Revoke their certification, or reject their self-certification process, because they broke it. Android may look at the licence terms - a silent update - another FAIL. Maybe the Huawei ban is justified - because protocol is not followed. There was a case where an Australian diplomat in a Chinese hotel physically unplugged the room Smart TV, only to have service knock on the door to fix the problem.
    • How can the software be upgraded - and the revision number remain the same?

      The displayed revision number often comes from one particular file's version in the file system. A typical Android phone/tablet/appliance has many hundreds of components that can be updated independently by Google Play without affecting the operating system's displayed version number. Why would anyone expect a cheap Chinese television to be less evil than Google itself?

    • by Teun ( 17872 ) on Friday November 13, 2020 @09:47AM (#60719300)

      There was a case where an Australian diplomat in a Chinese hotel physically unplugged the room Smart TV, only to have service knock on the door to fix the problem.

      Not exactly a new feature for hotel TVs, originally and in its simplest form it was to prevent the TVs walking out the door.

    • I don't see how it really matters. They make the TV, they make the rules on the software and updates AND few of these TVs have any personal information or mics or camera. Oh well if the software is not perfect, that's the case for most new smart devices, but the incentive to hack them is very low so you don't see much actually happening. I'll certainly keep buying TCL because for the money it's one of the best pictures on the market and with a picture that good for like 300-500 bucks I could care less abou
    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday November 13, 2020 @10:13AM (#60719372) Homepage Journal

      Their patch process is sleazy but there's no certification process for a smart TV. There are only certifications having to do with RF emissions, which they probably also don't have/faked.

    • > How can the software be upgraded - and the revision number remain the same?

      Do you think NSA hates or loves that feature?

  • by dbateman ( 150302 ) on Friday November 13, 2020 @08:39AM (#60719150)

    If you plug an appliance, with all the patching issues involved, such as this into an internet connected network you deserve what you get. Use an android TV device such as an Nvidia Shield that will be patched regularly and keep the TV off the network.

    David

    • Don't trust one Android device, trust another?

      If you're going to just offload the security risk to a different brand, why not just buy the TV from the trusted brand?

  • by Lady Galadriel ( 4942909 ) on Friday November 13, 2020 @09:42AM (#60719278)
    This is yet another good reason not to buy a connected / smart T.V.

    Another excellent reason not to buy a smart T.V., is that updates will slow down, and eventually stop, long before you replace it. In fact, you may have to replace your fancy smart T.V. due to the lack of updates.

    Buy a dumb monitor instead, and then a media player. While Roku media players do have their own issues, at least they don't have cameras. (Though you have to get a remote without a microphone!)

    Limit the tracking that the New World Order can do, to your smart phone!
    • by Necron69 ( 35644 )

      Or you just buy a $25 Roku to attach to it. Seriously, my 2011 55" Vizio is still just fine. It doesn't have 4K and most of the 'smart' apps no longer work, but really it is fine.

      - Necron69

    • This is like trying to buy a laptop without Windows. Just let them get paid kickbacks to install apps and then never connect it to the Internet. It costs less. Plug in a Roku. If you're worried about it beyond that, clip the wireless antenna lead too.

  • by JBMcB ( 73720 ) on Friday November 13, 2020 @10:02AM (#60719348)

    First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989.

    What the heck is an adjacent network? The network next to your network? Do they mean one subnet over, as in the subnet next door? Or on the same network?

    • I wondered the same. Good luck on them routing the adjacent 192.168.x.x+1 over the internet. I'm thinking that "adjacent" doesn't mean what the author thinks it does.

  • Time again for the dumb TV PSA:

    You can buy "digital signage", "commercial" and so on TVs that are still dumb. Most of them have a tuner, so that one wiring plant can be used to operate multiple televisions-as-signs on different channels using up converters. You just run coax to all the TVs and then tune in the channel you want instead of having to worry about network connectivity beyond the wiring. They are not even generally much more expensive than smart TVs, although if you try you can spend much more. T

    • It is getting harder to get quality dumb TVs. Sure you can get off brand ones but the major players are all smart TVs these days. However they are so cheap that I do not even count the apps as a feature. On many of them do not connect them to the Internet and rely on standalone devices like a Roku even if the smart TV features a Roku.
    • Do you have a link for a dumb TV that is for sale at a major distributor? I recently looked and they are very, very hard to find. Why not just buy a smart TV and keep it disconnected from the internet?
    • Don't buy "smart" TVs unless they are essentially free.

      The head of Vizio admitted that their intrusive tracking and marketing of user data is how they (and presumably others) have managed to lower their prices to the level they're at. So, I just buy a smart TV, don't add it to my network, and use it behind an AppleTV thereby gaining the marketing subsidy, without the privacy implications. (Apple's privacy policy disclaims the marketing of user information and if they've broken it they haven't been caught yet.)

  • I thought Tcl was about as obsolete as a language as MUMPS or FOCAL.
  • Or at least ensure they aren't allowed to connect to the Internet.