It has been reported that security experts have found a backdoor security flaw within TCL’s Android T.V.’s. A publication called Digital Information World says the flaw could allow an intruder to collect information from the file system, delete files, or rewrite files without a password.
“It would allow hackers to essentially upload new software to the T.V. which could make it potentially do anything that any computerized device connected to your network could do,” FOX19 NOW’s tech expert Dave Hatter said.
In a statement released by TCL , it states the following:
“TCL was recently notified by an independent security researcher of two vulnerabilities in Android T.V. models. Once TCL received notification, the company quickly took steps to investigate, thoroughly test, develop patches, and implement a plan to send updates to resolve the matter. Updating devices and applications to enhance security is a regular occurrence in the technology industry, and these updates should be distributed to all affected Android T.V. models in the coming days.
TCL takes privacy and security very seriously, and particularly appreciates the vital role that independent researchers play in the technology ecosystem. We wish to thank the security researchers for bringing this matter to our attention as we work to advance the user experience. We are committed to bringing consumers secure and robust products, and we’re confident that we’re putting in place effective solutions for these devices.”
This is very similar to how some of the Android BusyBox deployments got hacked in late 2016. This lead to a rapid increase in the scale and bandwidth utilised during DDoS attacks.
The root cause appears to be nearly the same: default credentials on an unspecified port. Should these devices have this capability, who has access and why do they require access are questions that need to be asked. Previously the issue was on Telnet (port23 by default), with default credentials remaining from the rebranding and repacking of IoT devices, but not reconfiguring the devices themselves.
There is very little information available on the TCL website related to configurations and exposures of these devices.
With nearly every device being embedded with smart capabilities and being connected to the internet, consumers should be wary when purchasing any device. More tech-savvy consumers can look into things such as whether default passwords can be changed, how easy it is to patch the device, and whether it is remotely accessible.
Unfortunately, there are not many easy options for non-technical consumers to explore. Which is why any regulatory requirements placed on manufacturers to ensure devices are secure before shipping and are maintained for a minimum period of time is quite essential.
Otherwise, we will continue to see the market flooded with products which have vulnerabilities that are difficult, if not impossible to patch or rectify.