TCL smart TVs running Android appear to have huge security holes and could even be designed to spy on users around the world, according to two security researchers. The issues do not affect TCL sets running Roku software.
“I can say with all my heart that there were several times when I, and another security researcher I met along the way, couldn’t believe what was happening,” one of the researchers, who goes by the name “Sick Codes,” wrote in a blog post earlier this week. “Several times I felt like, ‘you couldn’t even make that up.’”
Sick Codes and the other researcher, John Jackson, who works at the Shutterstock photo licensing service, found that they could access the entire file system of a TCL smart TV over a Wi-Fi connection using an undocumented TCP/IP port. They also found that they could overwrite files on the TV.
All of this could be done without entering a username, password or any other form of authorization. The flaws were assigned the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2020-27403 and CVE-2020-28055 after the researchers reported them to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University in Pittsburgh.
The flaws were fixed on the TV model Sick Codes and Jackson were analyzing – more on that below – but apparently not on all TCL smart TV models.
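A check you can run yourself against a set on your own network, as an added example (not the researchers’ or TCL’s code): this Python script sends a GET request with no credentials to a given host and port and reports whether the reply looks like a browsable directory listing. The article does not give the undocumented port number or the listing format, so the port is a parameter and the “looks like a listing” rule is a heuristic assumption. To run offline, the demo stands up two throwaway local servers over a constructed temp directory, one wide open and one behind HTTP Basic auth.

```python
"""Probe a host for an unauthenticated HTTP directory listing.

Added example (not the researchers' or TCL's code). The article does not name
the undocumented port or the listing format, so host/port are parameters and
the "looks like a listing" rule is a heuristic assumption.
"""
import functools
import http.client
import http.server
import os
import tempfile
import threading
from html.parser import HTMLParser

LISTING_MARKERS = ("Index of", "Directory listing for")


class _HrefCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def probe_unauth_listing(host, port, path="/", timeout=3.0):
    """GET `path` with no credentials and report whether the reply looks like a
    browsable directory listing: HTTP 200, an HTML body, and either a listing
    banner or at least one relative link ending in '/'."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)  # deliberately no Authorization header, no cookie
        resp = conn.getresponse()
        status = resp.status
        ctype = resp.getheader("Content-Type", "")
        body = resp.read(1 << 16).decode("utf-8", "replace")
    except OSError as exc:  # refused, timed out, reset
        return {"exposed": False, "status": None, "entries": [], "error": str(exc)}
    finally:
        conn.close()
    if status != 200 or "html" not in ctype.lower():
        return {"exposed": False, "status": status, "entries": []}
    parser = _HrefCollector()
    parser.feed(body)
    entries = [h for h in parser.hrefs if not h.startswith(("http://", "https://", "?", "#"))]
    listing = any(m in body for m in LISTING_MARKERS) or any(h.endswith("/") for h in entries)
    return {"exposed": listing and bool(entries), "status": status, "entries": entries}


# --- local stand-ins for the demo: a fake TV file server, open and locked ---

class _OpenHandler(http.server.SimpleHTTPRequestHandler):
    """Serves a directory tree to anyone who connects, as the article describes."""

    def log_message(self, *args):  # silence per-request logging
        pass


class _LockedHandler(_OpenHandler):
    """Same server, but refuses any request that lacks an Authorization header."""

    def do_GET(self):
        if not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="tv"')
            self.end_headers()
            return
        super().do_GET()


def _serve(handler, root):
    """Bind a server on an ephemeral loopback port and run it in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), functools.partial(handler, directory=root))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Constructed sample: a temp directory holding a fake log file, served once
    with no authentication and once behind HTTP Basic auth; probe both."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "data", "logs"))
        with open(os.path.join(root, "data", "logs", "tv.log"), "w") as fh:
            fh.write("constructed sample log line\n")
        servers = {"open": _serve(_OpenHandler, root), "locked": _serve(_LockedHandler, root)}
        try:
            return {name: probe_unauth_listing("127.0.0.1", srv.server_address[1])
                    for name, srv in servers.items()}
        finally:
            for srv in servers.values():
                srv.shutdown()
                srv.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against a real set you would call `probe_unauth_listing("192.168.1.50", PORT)` from a machine on the same Wi-Fi network; the address and `PORT` are placeholders, since the article names neither. Treat `exposed=True` as a reason to isolate the TV on its own network segment, not as confirmation of which CVE applies, and do not send write requests (PUT or POST) to a device you do not own.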
Browse someone else’s file system on your phone
Tom’s Guide contacted Sick Codes and Jackson via Twitter, and during the conversation that followed we received a URL that appeared to give full access to the file system of a TCL smart TV in Zambia.
We were able to browse through this random person’s TV directories from the Chrome browser on an Android phone, until the TV’s owner apparently switched the set off.
(Sick Codes told us it was one of dozens of TCL smart TVs around the world that were directly exposed to the internet; in most cases, you need to be on the same local Wi-Fi network to be able to browse the file system.)
“When in your career history have you ever needed to serve the entire file system via http?” asked Sick Codes in his blog post.
Tom’s Guide has requested comment from the North American division of TCL, a Chinese company, and will update this story when we receive a response.
Do TCL TVs collect customer files?
The pair also found that an app on the TCL TV called Terminal Manager Remote had a configuration file listing the servers that appeared to be ready to handle files, logs, and screenshots related to users’ TVs.
“It’s a Chinese backdoor,” Sick Codes told us in a phone conversation.
The researchers’ blog post contained a screenshot of the server list, which was divided into four regions: one for mainland China, another for the rest of the Asia-Pacific region (including Hong Kong and Taiwan), a third for the Middle East, Africa and Europe, and a fourth for Latin America and North America.
It was not clear whether these servers were intended to send files to TCL TVs or to receive files from them.
“I don’t have the answer,” Sick Codes wrote in the blog post. “TCL does, however.”
Tom’s Guide attempted to access a few of the URLs and was told that “GET” requests – the ordinary web-browser request for retrieving a file – were not supported. We will try “POST” requests, the kind a client uses to send data to a server, later and update this story if we find anything interesting.
Sick Codes also sent us a link to what appeared to be a wide-open web server hosting dozens of TCL firmware updates. No credentials were needed to view the files. We have not tried to download any, but Sick Codes said it would be possible.
A “silent patch” with worrying implications
Sick Codes and Jackson said they tried to contact TCL by email, Twitter, phone and a message posted directly on TCL’s website, starting on October 16, but did not get confirmation that their report had been received until October 26.
“I called TCL and spoke to a support rep,” Sick Codes wrote in the blog post. “I insisted to her that we had a serious vulnerability on our hands and she said she had no contact information for the security team and that she didn’t even think/know if TCL had a security team.”
On October 29, the issues on their test TV were suddenly resolved without any notification, alert or request for the user’s permission.
“It was a totally silent patch,” Sick Codes told The Security Ledger, who first reported this story. “They basically hooked up to my TV and shut down the port.”
For Sick Codes, that remote-update capability is just as worrying as the security holes themselves, which have been fixed on some models (but not on the set whose file system Tom’s Guide was able to browse).
“It’s a solid back door,” he told the Security Ledger. “If they wish, they can turn the TV on or off, turn the camera and microphone on or off. They have full access.”
What should I do if I have a TCL smart TV?
If you have a TCL smart TV, first check whether it is one of the models running Roku software. Those do not appear to be affected by these flaws.
If it is not a Roku model, make sure your home Wi-Fi network has a strong password and that you do not hand that password out to visitors; many routers let you set up a separate guest network for them instead.
You will also want to log into your router’s administrative interface and disable anything that lets devices on your network be reached from the internet, such as port forwarding or Universal Plug and Play (UPnP). We have a list of other security tips for smart TVs.
Also be aware that a TV’s manufacturer may be able to see what you are watching. That is not specific to TCL: many smart TVs, set-top boxes and DVRs keep tabs on what their owners watch.