A researcher reported ‘extraordinary’ vulnerabilities in TCL Android TVs – TCL is the world’s 3rd largest TV manufacturer.
Sticking with the television has been a long habit of entertainment consumers now more than ever thanks to the inbuilt integration offered with apps such as Netflix.
Riding on this wave, TCL happens to be one such manufacturer who has become the 3rd largest in this industry, beating a lot of noteworthy rivals. However, there is bad news too. Just recently, a security report by the researcher has found some serious vulnerabilities in TCL Android TVs.
To start with, a Nmap scan was done on the television which revealed a range of open TCP ports serving as the first red flag. Investigating further into this, the researcher used the IP addresses obtained of the open ports to try accessing them via a web browser.
Out of this while some did not open or made the browser blank-point crash, some of them showed interesting messages such as the user not being allowed to access a particular file. But testing another address “http://10.0.0.117:7989/sdcard” finally yielded the results to a directory served entirely over HTTP – a very insecure practice.
To this, the researcher explained in their blog post that,
Port 7989 is not on the list of standard TCP/UDP ports by the Internet Assigned Numbers Authority (IANA), https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
Why would an Android device need a web server running on a non-standard port?
What kind of manufacturer publishes the whole file system of a device?
This led him to report the issue to TCL through a long and tedious process. The company finally replied after a wholesome 13 days (the perfect thing to do after leaving a bug in millions of TV sets) and reported that the issue had been fixed.
Wondering how they had fixed it with such ease apparently, the researcher went digging in further. This though was another nightmare as he writes:
Indeed, there were critical changes made by TCL to several folders on the TV file system that should be absolutely locked down……This means that these folders are now writable, by all users on the file system…These files should not be writable by arbitrary users, or potentially malicious apps or APKs. One can only guess what consequences having read & write access to the TCL updates folder might have…
To conclude, this seems to be a very irresponsible display of behavior from TCL. The company should have been open about the whole vulnerability fixing process and quite frankly award the researcher a handsome sum of money for saving them from a major security scandal.
For the future, it bears on us to remember that low-cost alternatives on the market do not always translate to high security and for those of you conscious about this, it may be better sticking with the major brands like Samsung.