Last Christmas, I Gave You… An Insecure Connected Device

Posted on December 12, 2017
No doubt, a plethora of connected devices have made it onto your holiday shopping list this year. Virtual personal assistants, smart home devices, and perhaps a TV streaming device for catching up on the latest season of Stranger Things? Streaming TV devices are certainly a popular option as the cord-cutting trend continues, but buyers should be aware of devices that look too good to be true. Several low-cost devices boasting free access to premium paid content have hit the market. What’s the catch? I’m glad you ask. Other than the obvious piracy issues (around which many lawsuits have already sprung; see here, here, and here), Tripwire’s Vulnerability and Exposure Research Team (VERT) has found that several Android-based TV devices can present serious security and privacy risks. Earlier this year, VERT purchased and tested 10 different Android-based TV set top boxes. They found that:
  • All of the devices were running very old and insecure versions of Android.
  • On several systems, it was possible for an attacker to connect over a network to the TV box and gain complete control of the system without prior authorization.
  • All systems were configured to install new applications from untrusted sources.
  • Updates had to come from the Android TV vendor (not directly from Google).
  • The most recent monthly security update on any system was almost a year old.
Creepiest of all… VERT was able to take full control of the integrated camera and microphone on one of the devices. They did so by executing an exploit similar to the CIA’s ‘Weeping Angel’ hack outlined in the WikiLeaks revelations. The released documents described how a CIA operative would need to physically install hacked software through a USB stick so that they could then covertly activate the TV’s camera and microphone. VERT tried this with one of the Android TV units and found that an attacker could take complete control of the device, including its camera and microphone, without the need to physically access it. In this case, all it would take is cracking the Wi-Fi password which is usually not difficult. Craig Young, senior security researcher at Tripwire who led the effort, had some advice for consumers to avoid these types of attacks:
The best advice that we can give to any consumer is to buy a product from a known brand that has made a commitment to support the devices in the field.  Buying random products from unknown brands is risky but they are deemed especially risky when they advertise access to paid content for free. If it looks too good to be true, it probably is.
Several of these issues stem from a lack of good ol’ basics, but they can have serious consequences. Here's Young again:
Several of biggest, most widespread cyberattacks have been largely attributed to outdated and unpatched systems, so it is disappointing to see that these devices are still using outdated software. Malicious hackers may wish to target these devices to add into botnets, install ransomware, or spy on users. Attackers could also install ransomware, where in this context would be less about locking access to files and more about locking access to the device itself, which we have already seen happen to the Android-based LG TV.
So this holiday season, think twice before purchasing that device. Otherwise, you may be getting an earful of “you shouldn’t have, you really shouldn’t have.”
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!