Update 3:57 pm ET: TCL has issued a statement to Tom's Guide.
TCL's Android-powered smart TVs have a huge security hole that could be designed to spy on users around the world, two security researchers have said. The problem does not affect TCL sets running Roku software.
"I can truly say that there were many moments when I, and another security researcher I met along the way, could not believe what was happening," the researcher, who calls himself "Sick Codes," wrote in a blog post earlier this week. Many times, I felt like, "This can't be happening."
Sick Codes and another researcher, John Jackson, who works for the photo licensing service Shutterstock, discovered that they could access the entire file system of a TCL Smart TV over a Wi-Fi connection using an undocumented TCP/IP port They discovered. They also discovered that they could overwrite files on the TV.
All of this was possible without entering a user name, password, or any type of authentication. The flaws were assigned Common Vulnerability and Exposure Catalog numbers CVE-2020-27403 and CVE-2020-28055 after researchers notified the U.S. Computer Emergency Response Team (US-CERT) at Carnegie Mellon University in Pittsburgh.
The flaws were patched in the TV models that Sick Codes and Jackson were analyzing (see below for details), but apparently not in all of TCL's smart TV models.
After we reached out to the company for comment, TCL provided the following statement to Tom's Guide:
"TCL was recently notified by an independent security researcher of two vulnerabilities in Android TV models TCL investigated quickly after receiving notification, thorough testing, developed patches, and implemented a plan to send updates to resolve the issues. Updates to devices and applications to enhance security are a routine occurrence in the technology industry, and these updates should be distributed to all affected Android TV models within the next few days.
TCL takes privacy and security very seriously and especially appreciates the important role that independent researchers play in the technology ecosystem. We would like to thank the security researchers who brought this issue to our attention as we work to improve the user experience. We are committed to providing consumers with secure and robust products and are confident that we are implementing effective solutions for these devices.
Tom's Guide reached out to Sick Codes and Jackson via Twitter, and as a result, during the course of our conversation, we were sent a URL that appears to give us full access to the file system of a TCL Smart TV in Zambia.
We were able to browse this random person's TV directory through the Chrome browser on our Android phone.
(According to Sick Code, there are only 12 TCL smart TVs in the world with direct Internet access, and in most cases we needed to be on the same local Wi-Fi network to browse the file system.)
"Have you ever in your career history had to serve an entire file system via http?" wondered Sick Codes in his blog post.
Tom's Guide reached out to the North American division of TCL, a Chinese company, for comment.
The two also discovered that an app called Terminal Manager Remote on TCL TVs has a configuration file that lists servers that seem ready to process files, logs, and screenshots related to the user's TV.
"This is a Chinese backdoor," Sick Codes told us in a phone conversation.
The researcher's blog post included screenshots of the list of servers divided into four regions. One was for mainland China, another for the rest of Asia Pacific (including Hong Kong and Taiwan), a third for the Middle East, Africa, and Europe, and a fourth for Latin America and North America.
It was not clear exactly whether these servers were for sending files to TCL TV or for receiving files from TV.
"I don't have the answer," Sick Codes wrote in a blog post. "But TCL does.
When Tom's Guide tried to access some URLs, it was told that "GET" requests (normal requests by web browsers to download files) are not supported. I will try sending some "POST" requests to upload files after working hours and will update this article if I find something interesting.
Sick Codes also sent a link to what appears to be a wide-open web server that holds dozens of TCL firmware updates. No authentication was required to view the files. We did not attempt to download the files, but Sick Codes stated that it would be possible.
Sick Codes and Jackson stated that they had attempted to contact TCL since October 16 to inform them of the flaw via email, Twitter, phone, and direct posting on the TCL website, but it took until October 26 to receive notification that they had received the message.
"I called TCL and spoke with a support representative. I didn't even know if TCL had a security team."
On October 29, the problem with the test TV set was suddenly fixed without any notice, warning, or request for user authorization.
"It was a completely silent patch," Sick Codes told The Security Ledger, which first reported the story. 'They basically logged into my TV and closed the port.'
For Sick Codes, this is as worrisome as the security flaw that has been patched on some models (but not the one that allowed Tom's Guide to browse the file system).
"It's a total backdoor," said Cick Codes. 'If they wanted to, they could turn the TV on and off, the camera and microphone on and off. They have full access.
If you have a TCL smart TV, first check to see if it is one of the versions running the Roku software. They do not seem to be affected by these flaws.
If it is not a Roku model, you want to make sure that you have a very strong password set for your home Wi-Fi network and that you do not give your password to visitors. Many routers allow you to set up a separate network for this purpose.
I also want to go into the router's admin menu and disable access to devices in the network from the Internet. Here are some other smart TV security tips.
Also note that the TV manufacturer may be able to see what you are watching. This is not limited to TCL; many smart TVs, set-top boxes, and DVRs monitor what their customers are watching.
.
Comments