Android-based TV set-top boxes sold online are most likely running outdated operating systems that have not received security updates for at least a year, according to research published today by US cyber-security firm Tripwire.
The experiment consisted of Tripwire's Vulnerability and Exposure Research Team (VERT) researchers buying and testing ten Android-based TV set-top boxes.
"In accordance with Tripwire's responsible disclosure process, we are not yet naming specific vendors," Craig Young, senior security researcher at Tripwire and the one who led the experiment, told Bleeping Computer via email.
The Tripwire VERT team says that all of the devices they tested were running very old and insecure versions of Android.
Further, Young says that the most recent Android monthly security update on any system was almost a year old.
For all devices, updates had to come from the set-top box vendor rather than directly from Google. This mirrors the situation of most Android phone owners, who are stuck on antiquated Android OS versions because mobile carriers fail to deliver upgrades and security patches.
Another big security lapse the researchers noted was that all devices came configured by default to allow the installation of Android apps from untrusted sources, which is the primary means through which Android-based devices, especially smartphones, get infected with malware.
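The two conditions described above, a stale security patch level and "unknown sources" left enabled, can be checked on a box you own from a PC over adb. The script below is an added example, not Tripwire's tooling; it parses the output of `adb shell getprop` and `adb shell settings get secure install_non_market_apps`, and the sample output it ships with is constructed, not captured from a real device. The 90-day staleness threshold is an assumption.

```python
"""Audit an Android set-top box for the two issues Tripwire's VERT team
flagged: a stale monthly security patch level and app installs from
unknown sources enabled. Added example, not Tripwire's tooling; the
sample output below is constructed, not captured from a real box."""
from datetime import date
import re
import subprocess

MAX_PATCH_AGE_DAYS = 90  # assumption: a patch level older than ~3 months is stale

# Constructed sample output standing in for one of the boxes in the article.
SAMPLE_GETPROP = """[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-12-01]
[ro.product.model]: [EXAMPLE-TV-BOX]
"""
SAMPLE_UNKNOWN_SOURCES = "1\n"  # 1 = unknown sources allowed, 0/null = blocked

def parse_getprop(text):
    """Map `getprop` lines of the form `[key]: [value]` to a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]$", text, re.M))

def audit(getprop_text, unknown_sources_text, today):
    """Return a list of findings (an empty list means neither issue was seen)."""
    props = parse_getprop(getprop_text)
    findings = []
    patch = props.get("ro.build.version.security_patch", "")
    if not patch:
        # The property only exists from Android 6.0 onward; its absence on a
        # product sold today is itself a sign of an old or vendor-modified image.
        findings.append("no ro.build.version.security_patch reported")
    else:
        y, m, d = (int(x) for x in patch.split("-"))
        age = (today - date(y, m, d)).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"security patch level {patch} is {age} days old")
    if unknown_sources_text.strip() == "1":
        findings.append("install from unknown sources is enabled")
    return findings

def audit_sample():
    """Run the audit over the constructed sample as of a fixed date (Dec 14, 2017)."""
    return audit(SAMPLE_GETPROP, SAMPLE_UNKNOWN_SOURCES, date(2017, 12, 14))

def audit_device(today=None):
    """Audit a box reachable over adb (needs adb on PATH and an authorized device)."""
    def adb(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    return audit(adb("getprop"), adb("settings", "get", "secure",
                                    "install_non_market_apps"), today or date.today())
```

On a box running Android 8.0 or later the global `install_non_market_apps` setting is deprecated in favour of a per-app permission, so an empty or "null" result there does not by itself mean sideloading is blocked.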
But the big security issues didn't stop there. "On several systems, it was possible for an attacker to connect over a network to the TV box and gain complete control of the system without prior authorization," the researchers noted.
Furthermore, one of the TV set-top boxes came with an integrated camera and microphone, which the Tripwire VERT team was able to take over and record nearby users. This hack is similar to Weeping Angel, a CIA-made hacking tool described in WikiLeaks documents that the CIA allegedly developed to infect Samsung smart TVs and record nearby users via the TV's microphone.
Most of the devices Young and the Tripwire team tested were low-end products that were also advertised as a means to access premium cable content for free.
"The best advice that we can give to any consumer is to buy a product from a known brand that has made a commitment to support the devices in the field. Buying random products from unknown brands is risky but they are deemed especially risky when they advertise access to paid content for free. If it looks too good to be true, it probably is," Young says.
Young also warns that because these devices are running Android, they are also vulnerable to Android-based ransomware.
"In this context it would be less about locking access to files and more about locking access to the device itself, which we have already seen happen to the Android-based LG TV," Young said, referencing an incident from last Christmas.
Tripwire's research was not the only TV cable box security news published yesterday. Security researchers from Trend Micro's Zero-Day Initiative discovered a vulnerability in the video bridge component that's part of DirecTV wireless cable boxes manufactured by Linksys.
Trend Micro researchers uncovered the vulnerability over the summer and decided to go public with their findings after Linksys failed to deploy patches.