In the past 20 years, bug hunting has transformed from a hobby (or maybe even a felony) to a full-time profession for tens of thousands of talented software engineers around the globe. Thanks to the growth in private and public bug bounty programs, men and women with the talent can earn a good living by sniffing out flaws in the code for applications and – increasingly -physical devices that power the 21st century global economy.
In this interview, Sick Codes and I talk about his path to becoming a vulnerability researcher, the paid and unpaid research he conducts looking for software flaws in common software and internet of things devices, some of the challenges and impediments that still exist in reporting vulnerabilities to corporations and what’s in the pipeline for 2021.
The acting head of the U.S. Department of Homeland Security said the agency was assessing the cyber risk of smart TVs sold by the Chinese electronics giant TCL, following reports last month in The Security Ledger and elsewhere that the devices may give the company “back door” access to deployed sets.
Speaking at The Heritage Foundation, a conservative think tank, Acting DHS Secretary Chad Wolf said that DHS is “reviewing entities such as the Chinese manufacturer TCL.”
“This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration. TCL also receives CCP state support to compete in the global electronics market, which has propelled it to the third largest television manufacturer in the world,” Wolf said, according to a version of prepared remarks published by DHS. His talk was entitled “Homeland Security and the China Challenge.”
As reported by The Security Ledger last month, independent researchers John Jackson, (@johnjhacking) -an application security engineer for Shutter Stock – and a researcher using the handle Sick Codes (@sickcodes) identified and described two serious software security holes affecting TCL brand television sets. The first, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.
The second vulnerability, CVE-2020-28055, would have allowed a local unprivileged attacker to read from- and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder.
Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports. In an interview with The Security Ledger, the researcher Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and no visible notification on the device itself.
In a statement to The Security Ledger, TCL disputed that account. By TCL’s account, the patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability.
While TCL denied having a back door into its smart TVs, the company did acknowledge the existence of remote “maintenance” features that could give its employees or others control over deployed television sets, including onboard cameras and microphones. Owners must authorize the company to access cameras and microphones, however, according to a company statement.
The company did not address in its public statements the question of whether prior notification of the update was given to TCL owners or whether TV set owners were given the option to approve the update before it was installed.
Sick Codes, in a phone interview with The Security Ledger, said the company’s ability to push and update code to its deployed sets without owner approval amounted to a back door that could give TCL access to audio and video streams from deployed sets, regardless of the wishes of owners.
“They can update the application and make authorization happen through that. They have full control,” he said.
Such concerns obviously raised alarms within the Department of Homeland Security as well, which has taken steps to ban technology from other Chinese firms from use on federal networks.
In his address on Monday, Acting Secretary Wolf said the warning about TCL will be part of a a broader “business advisory” cautioning against using data services and equipment from firms linked to the People’s Republic of China (PRC).
This advisory will highlight “numerous examples of the PRC government leveraging PRC institutions like businesses, organizations, and citizens to covertly access and obtain the sensitive data of businesses to advance its economic and national security goals,” Wolf said.
“DHS flags instances where Chinese companies illicitly collect data on American consumers or steal intellectual property. CCP-aligned firms rake in tremendous profits as a result,” he said.
The statement is part of escalating tensions between Washington and Beijing. On Friday, Commerce Secretary Wilbur Ross announced export controls on 77 Chinese companies including the country’s biggest chipmaker, SMIC, and drone maker DJI that restrict those firms’ access to US technology. The order cites those firms alleged ties to China’s military.
TCL did not respond to an email request for comment prior to publication of this story. We will update this story as more information becomes available.
Editor’s note: this story was updated to add reference to John Jackson, who helped discover the TCL vulnerabilities. – PFR 12/22/2020
Chinese electronics giant TCL has acknowledged security holes in some models of its smart television sets, but denies that it maintains a secret “back door” that gives it control over deployed TVs.
In an email statement to The Security Ledger dated November 16, Senior Vice President for TCL North America Chris Larson acknowledged that the company issued a security patch on October 30 for one of two serious security holes reported by independent researchers on October 27. That hole, assigned the Common Vulnerabilities and Exposure (CVE) number 2020-27403 allowed unauthenticated users to browse the contents of a TCL smart TV’s operating system from an adjacent network or even the Internet.
A patch for a second flaw, CVE-2020-28055, will be released in the coming days, TCL said. That flaw allows a local unprivileged attacker to read from- and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder.
The Security Ledger reported last week on the travails of the researchers who discovered the flaws, @sickcodes and @johnjhacking, who had difficulty contacting security experts within TCL and then found a patch silently applied without any warning from TCL.
A Learning Process for TCL
In an email statement to Security Ledger, Larson acknowledged that TCL, a global electronics giant with a market capitalization of $98 billion, “did not have a thorough and well-developed plan or strategy for reacting to issues” like those raised by the two researchers. “This was certainly a learning process for us,” he wrote.
At issue was both the security holes and the manner in which the company addressed them. In an interview with The Security Ledger, the researcher using the handle Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and no visible notification on the device itself.
By TCL’s account, the patch was distributed via an Android Package (APK) update on October 30. APK files are a method of installing (or “side loading”) applications and code on Android-based systems outside of sanctioned application marketplaces like the Google Play store. The company did not address in its public statements the question of whether prior notification of the update was given to customers or whether TV set owners were required to approve the update before it was installed.
Limited Impact in North America
However, the patch issued on October 30 is unlikely to have affected TCL customers in the U.S. and Canada, as none of the TCL models sold in the North America contain the CVE-2020-24703 vulnerability, TCL said in its statement. However, some TCL TV models sold in the U.S. and Canada are impacted by CVE-2020-28055, the company warned. They are TCL models 32S330, 40S330, 43S434, 50S434, 55S434, 65S434, and 75S434.
The patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability.
While TCL denied having a back door into its smart TVs, the company did acknowledge the existence of remote “maintenance” features that could give its employees or others control over deployed television sets, including onboard cameras and microphones.
In particular, TCL acknowledges that an Android APK known as “Terminal Manager…supports remote diagnostics in select regions,” but not in North America. In regions where sets with the Terminal Manager APK are deployed, TCL is able to “operate most functions of the television remotely.” That appears to include cameras and microphones installed on the set.
However, TCL said that Terminal Manager can only be used if the user “requests such action during the diagnostic session.” The process must be “initiated by the user and a code provided to TCL customer service agents in order to have diagnostic access to the television,” according to the company’s FAQ.
Other clarifications from the vendor suggest that, while reports of secret back doors in smart TVs may be overwrought, there is plenty of reason to worry about the security of TCL smart TVs.
The TCL statement acknowledged, for example, that two publicly browsable directories on the TCL Android TVs identified by the researchers could have potentially opened the door for malicious actors. A remotely writeable “upgrade” directory /data/vendor/upgrade on TCL sets has “never been used” but is intended for over the air firmware upgrades. Firmware update files placed in the directory are loaded on the next TV reboot. Similarly a directory /data/vendor/tcl, has also “never been used,” but stores “advertising graphics” that also are loaded “as part of the boot up process,” TCL said.
Promises to work with Independent Researchers
The company said it has learned from its mistakes and that it is undertaking efforts to work more closely with third party and independent security researchers in the future.
“Going forward, we are putting processes in place to better react to discoveries by 3rd parties. These real-world experts are sometimes able to find vulnerabilities that are missed by testing. We are performing additional training for our customer service agents on escalation procedures on these issues as well as establishing a direct reporting system online,” the company said.
China Risk Rising
Vendor assurances aside, there is growing concern within the United States and other nations about the threat posed by hundreds of millions of consumer electronic devices manufactured – or sourced in China. The firm Intsights in August warned that China was using technological exports as “weaponized trojans in foreign countries.” The country is “exporting technology around the world that has hidden backdoors, superior surveillance capability, and covert data collection capabilities that surpass their intended purposes and are being used for widespread reconnaissance, espionage, and data theft,” the company warned, citing reports about gear from the telecommunications vendor Huawei and social media site TikTok among others.
Western governments and non-governmental organizations have also raised alarms about the country’s blend of technology-enabled authoritarianism, including the use of data theft and data harvesting, coupled with artificial intelligence to identify individuals whose words or actions are counter to the ruling Communist Party.
Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set’s owners.
The security holes appear to have been patched by the manufacturer in early November. However the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner’s knowledge or permission.
Two Flaws, Lots of Red Flags
In a report published on Monday, two security researchers described two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989.
That flaw, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned.
Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from- and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055.
The researchers, John Jackson, an application security engineer for Shutter Stock, and the independent researcher known by the handle “Sick Codes,” said the flaws amount to a “back door” on any TCL Android smart television. “Anybody on an adjacent network can browse the TV’s file system and download any file they want,” said Sick Codes in an interview via the Signal platform. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail. If the TCL TV set was exposed to the public Internet, anyone on the Internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.
CVE-2020-28055 was particularly worrisome, Jackson said. “It was clear that utilizing this vulnerability could result in remote code execution or even network ‘pivots’ by attackers.” That would allow malicious actors to move from the TV to other network connected systems with the intention of exploiting systems quickly with ransomware, Jackson observed. That, coupled with a global population of millions of TCL Android TVs, made the risk considerable.
Nobody Home at TCL
The researchers said efforts to alert TCL about the flaws in October initially fell on deaf ears. Emails sent to a designated email address for reporting security issues bounced. And inquiries to the company on October 16 and 20th went unanswered. Furthermore, the company did not appear to have a dedicated product security team to reach out to, Jackson said in a phone interview.
Only after reaching out to a security contact at TCL partner Roku did Sick Codes and Jackson hear from a security resource within TCL. In an email dated October 29th, Eric Liang of TCL wrote to the two researchers thanking them for their discovery and promising a quick fix.
“Here is how is it going on now: A new version to fix this vulnerability is going to release to SQA on Oct. 29 (UTC+8). We will arrange the upgrade plan after the regression test passes.”
Silent Patch Raises More Questions
Following that, however, there was no further communication. And, when that fix came, it raised more questions than it answered, the researchers said.
According to the researchers, TCL patched the vulnerabilities they had identified silently and without any warning. “They updated the (TCL Android) TV I was testing without any Android update notification or warning,” Sick Codes said. Even the reported firmware version on the TV remained unchanged following the patch. “This was a totally silent patch – they basically logged in to my TV and closed the port.”
Sick Codes said that suggests that TCL maintains full, remote access to deployed sets. “This is a full on back door. If they want to they could switch the TV on or off, turn the camera and mic on or off. They have full access.”
Jackson agreed and said that the manner in which the vulnerable TVs were updated raises more questions than it answers. “How do you push that many gigabytes (of data) that fast with no alert? No user notification? No advisory? Nothing. I don’t know of a company with good security practices that doesn’t tell users that it is going to patch.”
There was no response to emails sent by Security Ledger to Mr. Liang and to TCL media relations prior to publication. We will update this story with any comment or response from the company when we receive it.
Questions on Smart Device Security
The vulnerabilities raise serious questions about the cyber security of consumer electronics that are being widely distributed to the public. TCL, a mainland Chinese firm, is among those that have raised concerns within the U.S. Intelligence community and among law enforcement and lawmakers, alongside firms like Huawei, which has been labeled a national security threat, ZTE and Lenovo. TCL smart TVs are barred from use in Federal government facilities. A 2019 U.S. Department of Defense Inspector General’s report raised warnings about the cyber security risks to the Pentagon of commercial off the shelf (COTS) technology purchased by the U.S. military including televisions, laptops, surveillance cameras, drones and more. (PDF)
TCL has risen quickly in the past five years to become a leading purveyor of smart television sets in the U.S. with a 14% market share, second behind Samsung. The company has been aggressive in both partnerships and branding: teaming with firms like Alcatel Mobile and Thompson SA to produce mobile phones and other electronics, and sponsoring sports teams and events ranging from the Rose Bowl in Pasadena, California, to The Ellen Show to the 2019 Copa América Brasil soccer tournament.
TCL’s TV sets are widely available in the US via online e-tailers like Amazon and brick and mortar “box stores” like Best Buy. It is unclear whether those retailers weigh software security and privacy protections of products before opting to put them on their store shelves. An email to Best Buy seeking comment on the TCL vulnerabilities was not returned.
The security researchers who discovered the flaw said that consumers should beware when buying smart home electronics like TV sets, home surveillance cameras, especially those manufactured by companies with ties to authoritarian regimes.
“Don’t buy it just because a TVs cheap. Know what you’re buying,” said Sick Codes. “That’s especially true if it’s hooked up to the Internet.”