Disconnect Your TCL Smart TV From the Internet—NOW

Researchers are sounding the alarm about Android TVs from TCL. A pair of bugs make them serious targets for hackers.

And the Chinese manufacturer has a backdoor in every set—millions of them. Is this the next Huawei?

Give me my back old 28-inch Sony Trinitron. In today’s SB Blogwatch, we define the standard.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Metfakes.

Pull the Plug

What’s the craic? James Gelinas reports—“Dangerous security issues found in millions of smart TVs”:

 Smart TVs are computers just like your phone and laptop, and they’re vulnerable to the same kind of threats. … One of the most popular smart TV brands has a critical flaw in its operating system that gives a hacker full access to the system’s back end. … With enough time, a hacker could rewrite code on the smart TV, inject malicious files or disable it altogether.

Millions of TCL Android smart TVs are at risk. … TCL is the world’s third-largest TV manufacturer. Millions of the company’s smart TVs could be at risk for hacking or intrusion with no way to protect against it. … If you had planned on buying a new smart TV, you might want to pick a brand other than TCL.

And Nick Farrell calls it a “gaping security hole”:

 The security holes appear to have been patched by the manufacturer in early November. However the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner’s knowledge or permission.

CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure.

CVE-2020-28055 … allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder.

Who found the bugs? The pairing of the pseudonymous sick.codes with John Jackson—“Extraordinary Vulnerabilities”:

 [This] is the culmination of a three-month long investigation into Smart TVs running Android. … On multiple occasions I found myself feeling as though, “you couldn’t even make this up.”

Why does a TV need so many open ports? … Why would an Android device need a web server running on a non-standard port? What kind of manufacturer publishes the whole file system of a device?

It was clear that utilizing this vulnerability could result in remote code execution or even quick network pivots with the intention of exploiting systems quickly with ransomware. … Days later [we] managed to acquire a name and point of contact at TCL. We reached out and after about a week, the company had acknowledged the vulnerability and stated that they would patch the issue. We asked for updates over the course of weeks, but they stopped responding to us. CERT … told us to disclose the vulnerability if that was the case.

These folders are now writable, by all users on the file system. /data/vendor/tcl contains critical files to operate the TV. These files should not be writable by arbitrary users, or potentially malicious apps or APKs.

Seems a bit theoretical? Paul Roberts hates to burst your bubble—“Security Holes Opened Back Door”:

 The security holes appear to have been patched by the manufacturer in early November. However the manner in which the holes were closed is raising further alarm … about whether the China-based firm is able to access and control deployed television sets without the owner’s knowledge or permission.

According to the researchers, TCL patched the vulnerabilities they had identified silently and without any warning. … Even the reported firmware version on the TV remained unchanged following the patch. [They] said that suggests that TCL maintains full, remote access to deployed sets … and said that the manner in which the vulnerable TVs were updated raises more questions than it answers.

The vulnerabilities raise serious questions about the cyber security of consumer electronics that are being widely distributed to the public. TCL, a mainland Chinese firm, is among those that have raised concerns within the U.S. Intelligence community and among law enforcement and lawmakers, alongside firms like Huawei. … TCL smart TVs are barred from use in Federal government facilities.

TCL’s TV sets are widely available in the US via online e-tailers like Amazon and brick and mortar “box stores” like Best Buy. It is unclear whether those retailers weigh software security and privacy protections of products. … Buyer beware.

Or, y’know, blame the victim? That’s what ccham appears to do:

 You buy the cheapest TVs on the market and you are surprised it is a **** show with security holes, open backdoors, and active complete stealth control from the vendor?

But why is this so, so bad? u/efteeminus5 explains like we’re five:

 [TCL] have a reverse shell backdoor. If the device is calling out to some external party and says, “Hey please send me new code/binaries to execute,” without asking for user approval, that’s a backdoor.

Do you trust TCL/China to install … code without approval on your device? Because I sure don’t.

Bad TCL. Bad. No cookie. This Anonymous Coward names another name or two:

 And while you’re naming names, you forgot to mention that Sony updates their devices to actively remove functionality you had from when you originally purchased it. Where do you think Tesla learned that trick from?

So, what have we learned today? u/Cobra800089 counts the ways:

 Exhibit #172161537281615 why not every device needs to be smart. Give me a damn dumb TV and let me have a cheap device I can update or replace when the time comes.

Why am I hinging my entire home viewing experience on some half-baked solution inside of the TV? Not to mention when these “smart” devices get old and go through multiple updates they typically slow to a crawl and make the user experience incredibly painful.

Meanwhile, another Anonymous Coward just laughs:

 Smart tvs lol. … I am Jack’s complete lack of surprise.

And Finally:

A deepfake I can get behind

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Levi Stute (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 452 posts and counting.See all posts by richi