No doubt, a plethora of connected devices have made it onto your holiday shopping list this year.

Virtual personal assistants, smart home devices, and perhaps a TV streaming device for catching up on the latest season of Stranger Things? Streaming TV devices are certainly a popular option as the cord-cutting trend continues, but buyers should be aware of devices that look too good to be true.

Several low-cost devices boasting free access to premium paid content have hit the market. What’s the catch? I’m glad you asked. Other than the obvious piracy issues (around which many lawsuits have already sprung; see here, here, and here), Tripwire’s Vulnerability and Exposure Research Team (VERT) has found that several Android-based TV devices can present serious security and privacy risks.

Earlier this year, VERT purchased and tested 10 different Android-based TV set top boxes. They found that:

  • All of the devices were running very old and insecure versions of Android.
  • On several systems, it was possible for an attacker to connect over a network to the TV box and gain complete control of the system without prior authorization.
  • All systems were configured to install new applications from untrusted sources.
  • Updates had to come from the Android TV vendor (not directly from Google).
  • The most recent monthly security update on any system was almost a year old.
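If you own one of these boxes, the five findings above translate directly into checks you can run yourself. The script below is an added example, not code from Tripwire or VERT: it assumes `adb` is on your PATH with USB debugging enabled on the box, uses only real Android properties and settings keys, and keeps the scoring in `assess_box` so the logic can be exercised on plain values without a device. The version and patch-age thresholds are illustrative policy choices, not figures from the article.

```shell
#!/bin/sh
# Added audit helper (not Tripwire/VERT code). Scores a box against the five
# findings above. Assumes adb on PATH and USB debugging enabled on the box;
# assess_box takes plain values so it can be tested or fed data from elsewhere.
MIN_RELEASE=7      # oldest Android major version the auditor accepts (policy)
MAX_PATCH_AGE=90   # days since the last monthly security patch before flagging
# Days since 1970-01-01 for a civil date (Hinnant's algorithm, pure arithmetic,
# so no dependency on GNU `date -d`). Leading zeros stripped to avoid octal.
days_from_civil() {
  y=$1; m=${2#0}; d=${3#0}
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}
# Age in days of a YYYY-MM-DD patch string relative to a YYYY-MM-DD reference.
patch_age_days() {
  for s in "$1" "$2"; do
    case $s in [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;; *) return 1 ;; esac
  done
  r1=${1#*-}; r2=${2#*-}
  a=$(days_from_civil "${1%%-*}" "${r1%%-*}" "${r1#*-}")
  b=$(days_from_civil "${2%%-*}" "${r2%%-*}" "${r2#*-}")
  echo $((b - a))
}
# assess_box RELEASE PATCH_DATE UNKNOWN_SOURCES ADB_TCP_PORT [REFERENCE_DATE]
# Prints one FINDING line per issue; returns the number of findings.
assess_box() {
  n=0; today=${5:-$(date +%Y-%m-%d)}
  if [ "${1%%.*}" -lt "$MIN_RELEASE" ]; then
    echo "FINDING: Android $1 is older than policy minimum $MIN_RELEASE"; n=$((n + 1)); fi
  age=$(patch_age_days "$2" "$today") || age=999999   # missing/unparseable patch level
  if [ "$age" -gt "$MAX_PATCH_AGE" ]; then
    echo "FINDING: security patch level '$2' is $age days old"; n=$((n + 1)); fi
  if [ "$3" = "1" ]; then
    echo "FINDING: installs from unknown (untrusted) sources are enabled"; n=$((n + 1)); fi
  if [ -n "$4" ] && [ "$4" != "-1" ]; then
    echo "FINDING: adb is reachable over the network on TCP port $4"; n=$((n + 1)); fi
  return $n
}
# Collect the values from a connected box and assess it. install_non_market_apps
# lives under `secure` on older releases and may print null on newer ones.
audit_connected_box() {
  assess_box "$(adb shell getprop ro.build.version.release | tr -d '\r')" \
             "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')" \
             "$(adb shell settings get secure install_non_market_apps | tr -d '\r')" \
             "$(adb shell getprop service.adb.tcp.port | tr -d '\r')"
}
```

Run `audit_connected_box` with the box attached; each FINDING line maps to one bullet above, and the exit status is the number of findings.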

Creepiest of all… VERT was able to take full control of the integrated camera and microphone on one of the devices. They did so by executing an exploit similar to the CIA’s ‘Weeping Angel’ hack outlined in the WikiLeaks revelations. The released documents described how a CIA operative would need to physically install hacked software through a USB stick so that they could then covertly activate the TV’s camera and microphone. VERT tried