Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set’s owners.
The security holes appear to have been patched by the manufacturer in early November. However the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner’s knowledge or permission.
Two Flaws, Lots of Red Flags
In a report published on Monday, two security researchers described two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989.
That flaw, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.
Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from- and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055.
Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports.
The researchers, John Jackson, an application security engineer for Shutter Stock, and the independent researcher known by the handle “Sick Codes,” said the flaws amount to a “back door” on any TCL Android smart television. “Anybody on an adjacent network can browse the TV’s file system and download any file they want,” said Sick Codes in an interview via the Signal platform. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail. If the TCL TV set was exposed to the public Internet, anyone on the Internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.
CVE-2020-28055 was particularly worrisome, Jackson said. “It was clear that utilizing this vulnerability could result in remote code execution or even network ‘pivots’ by attackers.” That would allow malicious actors to move from the TV to other network connected systems with the intention of exploiting systems quickly with ransomware, Jackson observed. That, coupled with a global population of millions of TCL Android TVs, made the risk considerable.
Nobody Home at TCL
The researchers said efforts to alert TCL about the flaws in October initially fell on deaf ears. Emails sent to a designated email address for reporting security issues bounced. And inquiries to the company on October 16 and 20th went unanswered. Furthermore, the company did not appear to have a dedicated product security team to reach out to, Jackson said in a phone interview.
Only after reaching out to a security contact at TCL partner Roku did Sick Codes and Jackson hear from a security resource within TCL. In an email dated October 29th, Eric Liang of TCL wrote to the two researchers thanking them for their discovery and promising a quick fix.
“Here is how is it going on now: A new version to fix this vulnerability is going to release to SQA on Oct. 29 (UTC+8). We will arrange the upgrade plan after the regression test passes.”
Silent Patch Raises More Questions
Following that, however, there was no further communication. And, when that fix came, it raised more questions than it answered, the researchers said.
According to the researchers, TCL patched the vulnerabilities they had identified silently and without any warning. “They updated the (TCL Android) TV I was testing without any Android update notification or warning,” Sick Codes said. Even the reported firmware version on the TV remained unchanged following the patch. “This was a totally silent patch – they basically logged in to my TV and closed the port.”
Sick Codes said that suggests that TCL maintains full, remote access to deployed sets. “This is a full on back door. If they want to they could switch the TV on or off, turn the camera and mic on or off. They have full access.”
Jackson agreed and said that the manner in which the vulnerable TVs were updated raises more questions than it answers. “How do you push that many gigabytes (of data) that fast with no alert? No user notification? No advisory? Nothing. I don’t know of a company with good security practices that doesn’t tell users that it is going to patch.”
There was no response to emails sent by Security Ledger to Mr. Liang and to TCL media relations prior to publication. We will update this story with any comment or response from the company when we receive it.
Questions on Smart Device Security
The vulnerabilities raise serious questions about the cyber security of consumer electronics that are being widely distributed to the public. TCL, a mainland Chinese firm, is among those that have raised concerns within the U.S. Intelligence community and among law enforcement and lawmakers, alongside firms like Huawei, which has been labeled a national security threat, ZTE and Lenovo. TCL smart TVs are barred from use in Federal government facilities. A 2019 U.S. Department of Defense Inspector General’s report raised warnings about the cyber security risks to the Pentagon of commercial off the shelf (COTS) technology purchased by the U.S. military including televisions, laptops, surveillance cameras, drones and more. (PDF)
And while disputes over Chinese apps like TikTok dominate the headlines, a recent report from the firm IntSights on China’s growing cyber risk notes that the Chinese Communist Party (CCP) is engaged in a far broader campaign to elevate the country to superpower status by treating “data as the most valuable asset.”
The supply chain for a seemingly endless variety of technology sold and used in the United States originates in China. A 2019 study by the security firm Interos, for example, found that one fifth (20%) of the hardware and software components in a popular voting machine came from suppliers in China. Furthermore, close to two-thirds (59%) of components in that voting machine came from companies with locations in both China and Russia.
TCL has risen quickly in the past five years to become a leading purveyor of smart television sets in the U.S. with a 14% market share, second behind Samsung. The company has been aggressive in both partnerships and branding: teaming with firms like Alcatel Mobile and Thompson SA to produce mobile phones and other electronics, and sponsoring sports teams and events ranging from the Rose Bowl in Pasadena, California, to The Ellen Show to the 2019 Copa América Brasil soccer tournament.
TCL’s TV sets are widely available in the US via online e-tailers like Amazon and brick and mortar “box stores” like Best Buy. It is unclear whether those retailers weigh software security and privacy protections of products before opting to put them on their store shelves. An email to Best Buy seeking comment on the TCL vulnerabilities was not returned.
The security researchers who discovered the flaw said that consumers should beware when buying smart home electronics like TV sets, home surveillance cameras, especially those manufactured by companies with ties to authoritarian regimes.
“Don’t buy it just because a TVs cheap. Know what you’re buying,” said Sick Codes. “That’s especially true if it’s hooked up to the Internet.”