Philips & Thomson TV set-top boxes allow hackers to sneak into your home

Many researchers alerted the industry to the security risks present in Internet of Things (IoT) devices before their use became a must. Now, when in virtually every home in the world there are multiple connected devices, there are severe problems for users, cyber security solutions specialists mention.

Researchers from Avast IoT Lab revealed the discovery of severe security vulnerabilities in two of the world’s most widely used TV set-top boxes, manufactured by Thomson and Philips. According to the report, exploiting these flaws would allow threat actors to use malware for botnets and even infect an affected device with ransomware.

This research is carried out by Vladislav Ilyushin, director of Avast IoT Lab, and cyber security solutions expert Marko Zbirka.

The first finding from the cyber security solutions experts was that the two manufacturers sell network-connected decoders with open telnet ports, an unencrypted protocol that was designed more than 50 years ago used to handle communication with remote devices or servers. These weaknesses allow threat actors to access devices to launch denial of service (DoS) attacks, among other attack variants. In testing, Avast experts managed to run a binary file of the Mirai botnet, a very common attack variant among this kind of device.

The Avast team also identified a flaw in the architecture of these companies’ set-top boxes, which use Linux kernel version 3.10.23, installed in 2016. The kernel acts as a link between hardware and software, ensuring the correct execution of the decoders. The problem is that compatibility with version 3.10.23 expired in November 2017, implying that the fixes were only released for one year; when the security flaw update is suspended, thousands of users may be exposed.

Experts found multiple additional flaws, such as an unencrypted connection between the set-top boxes and the legacy AccuWeather weather service application. A threat actor might modify the content that users view.

To mitigate exploitation risks, users can enable the following measures:

  • Do not connect the set-top box when not using its smart features
  • Purchase these devices only with authorized vendors
  • Log in to your device’s web management interface to disable the Universal Plug and Play (UPnP) feature if enabled

The companies have already been contacted to notify them of these findings, although they have not commented on them.

Originally published at https://www.securitynewspaper.com on August 27, 2020.