Almost every device today can be vulnerable to cyber attacks, be it a computer or a simple remote control. With this in mind, Avast Security recently released a detailed blog post highlighting how 2 DVB set-top boxes are vulnerable to both botnet and ransomware attacks.
The boxes are the THOMSON THT741FTA and the Philips DTR3502BFTA, which let consumers add DVB-T2 support to televisions that do not have it built in.
The vulnerability centers on the fact that neither device uses encryption when transmitting data to and from its servers or other connected devices. Furthermore, when Avast tested the devices, the telnet network protocol was found to expose them to infection by the infamous Mirai botnet.
In a blog post, Avast’s Vladislav Iliushin and Marko Zbirka wrote that:
Luckily for the “bad guys”, the firmware has a wget utility built in, which allows fetching data from HTTP servers, be it a webpage or a file with malicious payload built in. So, downloading the binaries within the telnet session is relatively easy.
It is important to mention here that in the example below, we downloaded the binary of the widespread Mirai botnet to the /tmp directory because by default it is the only folder with write access, said Avast.
Yet, this is not all. According to the analysis, Linux kernel 3.10.23, which initially came out in 2013, was deployed to these devices in 2016. That’s alright as long as maintenance continues, but that’s where the catch is.
Support for this specific Linux kernel ended in November 2017, which means that if that version had vulnerabilities, users weren’t going to get updates that would patch their boxes. Hence, it meant constant exposure to the bad guys.
Lastly, it was also found that a legacy API was being used for communication “between the set-top box and the AccuWeather backend” to support a weather app named “Skyapp”. The app, which markets itself as giving weather forecast updates based on the user’s location, therefore sent all data unencrypted, which in a nutshell could allow a threat actor to tamper with it and display data of their own choice.
Not only this, but it could also be used to ransom the user, especially if they’re not technical enough to understand what’s going on.
To conclude, Avast recommends only using the network functionality of these boxes when absolutely (I repeat absolutely) necessary. Additionally, routinely checking for open ports with a network scanner would come in handy if you’re good with tech.
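One way to run the open-port check recommended above against your own box, as an added example that is not from Avast or the original article; the port list, the advice strings and the function names are assumptions made for illustration.

```python
import socket
import sys

# Plaintext services worth flagging on a set-top box. The port list is an
# assumption made for this example; 23 and 2323 are the telnet ports Mirai probes.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 2323: "telnet-alt"}

# Hypothetical remediation hints, keyed by service name.
ADVICE = {
    "telnet": "disable telnet or keep the box off the network",
    "telnet-alt": "disable telnet or keep the box off the network",
    "ftp": "disable FTP if the device allows it",
    "http": "traffic is unencrypted; do not trust what it displays",
}


def is_open(host, port, timeout=1.0):
    """Return True if a full TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_host(host, ports=None, timeout=1.0):
    """Return [(port, service)] for each plaintext service reachable on host."""
    ports = PLAINTEXT_PORTS if ports is None else ports
    return [(p, ports[p]) for p in sorted(ports) if is_open(host, p, timeout)]


def report(host, findings):
    """Format findings as one line per exposed service."""
    if not findings:
        return f"{host}: no plaintext services reachable"
    lines = [f"{host}: {len(findings)} plaintext service(s) reachable"]
    for port, service in findings:
        hint = ADVICE.get(service, "review whether this service is needed")
        lines.append(f"  tcp/{port} {service}: {hint}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python audit_box.py <address of your own set-top box>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(target, audit_host(target)))
```

Running it on a schedule and comparing the output with the previous run shows when a firmware update or a settings change opens a service that was closed before.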
Manufacturers, for their part, should take heed and at least start implementing encryption wherever data is communicated. Constantly testing their devices for vulnerabilities should also be a priority. To top it off, in the words of the gurus themselves:
Following the design & development phase, it’s important to consider how the threat surface can be reduced. Question if you really need a particular service or application in the final product. If you need to keep something, then consider giving your customers the option to disable non-essential services, change credentials or set up a firewall on the device. Do not forget that your device is not intended to be publicly facing on the internet, it doesn’t mean it won’t. In such an unlikely situation, an attacker can traverse in the LAN.