The following piece is the culmination of a three-month long investigation into Smart TVs running Android. Having lived through this research experience, I can wholeheartedly say that there were multiple moments that I, and another security researcher that I met along the way, couldn’t believe what was happening. On multiple occasions I found myself feeling as though, “you couldn’t even make this up…”

I’m a security researcher, a freelance developer, and a hacker. The second researcher in this story is John Jackson:, an Application Security Engineer with Shutterstock, and a hacker. We met about half way through this, and I have included his experience too.

Since our research was published in November 2020, many things happened both positive and negative. One very impressive positive outcome is TCL has actually taken on-board many of the suggestions we made regarding their security. In my professional opinion, I think it is one of the most comprehensive Bug Bounty programs I’ve seen. They made some very impressive changes and John & myself (sickcodes) are pretty impressed:

Near the end of September, while conducting research into low-end Android boxes, I came across a number of serious flaws in the way in which these devices were being designed. Without delving into the nuances of each device, all of the Smart TV products are Android based.

There are four types of TV products in the TV market:

All of them are ARM based single board computers (SBCs). Most of the dies are 32bit, some are 64bit, but all of them are like a little Raspberry Pi competitor, focusing on GPU performance through the small, but powerful, Mali GPUs.

Some of the products that I investigated were “factory-flawed” and deliberately insecure. On, I discovered some ridiculous security shortfalls in the TV Sticks.

NOTE: TCL does not make TV sticks that are vulnerable. The following vulnerabilities refer to other products that I was testing at the time before finding the TCL vulnerability that is discussed in depth after the nmap scans below.

Each stick that I tested had at least one of the following major security flaws.

- Port 22 open and allowing SSH access as root:root out of the box.
- Port 5555 open and allowing unauthenticated android (adb) as root:root out of the box.
- Rooted device, with world-executable su binaries in multiple locations.
- Open WiFi network with adb and ssh daemons running.

In effect, if you had a thousand of these devices, you could worm through all of them, taking advantage of the dual WiFi, plain-text WAN router credentials, and the ability to then hop from the TV stick, to the router, MITM the router, search for more vulnerable devices from the larger, more powerful router, and truly “surf the internet”.

Proof of Concept

# connect to the device's open WiFi network without any password

Having witnessed how dismal the security was on these devices, or lack thereof, my plan was to write a really big proof of concept, in the form of an actual shell based worm, that would hop between the 4 or 5 TV sticks that I had. Speaking to an associate about my idea, we ended up chatting about real Android TVs. Suddenly, I thought, “If these sticks are the same, just little Rockchip & Amlogic CPUs, then what is so special about Smart TVs?”

Since I don’t actually have an Android Television to test, I asked my friend what type of Smart TV does he have and is it running Android? I hadn’t really heard much about TCL, but it turns out TCL is a huge Chinese electronics manufacturing company. TCL has been growing their global market share, at a remarkable rate.

According to a Forbes article, they only launched in the United States in 2013 and sales began on Amazon:

With their Amazon success, TCL began targeting other large markets.

The key point here is that they aren’t Samsung or LG, but they ARE selling millions of TV sets…

We did a remote desktop session and I ran a trivial nmap scan on the TV to see what it was running out of the box.