It is not often that TVs feature in security discussions, but that appears to be the case if reports from security researchers are anything to go by.
First reported by Tom’s Guide, it has since emerged that TCL TVs that are running Android may have security holes that can allow outside access.
Specifically, the TVs identified are those running Android and not Roku, the platform that offers users with a variety of entertainment services such as streaming, and other online services. Roku also makes streaming boxes that run its in-house software.
The issues, which have been blogged extensively by Sick Codes, are linked to undocumented TCIP/IP ports.
Sick Codes expands the flaws as follows:
Each stick that I tested had at least one of the following major security flaws:
- Port 22 open and allowing SSH access as root:root out of the box
- Port 5555 open and allowing unauthenticated android (adb) as root:root out of the box
- Rooted device, with world-executable su binaries in multiple locations
- Open Wi-Fi network with adb and ssh daemons running
The above issues allowed the researcher to access a TCL smart TV’s entire file system over a Wi-Fi connection over the said ports.
It was also discovered that the files on the TVs could be overwritten.
Sick Codes says that the issues were resolved on the TV they were testing. However, not all TCL smart TVs have received the patch.
However, that is not all; Sick Codes reportedly identified an app called Terminal Manager Remote that contained files listing servers that could have managed files, logs and screen grabs of a customer’s set. One of the servers was sourced to China, while others were in various parts of Asia, Africa and Latina America.
The researcher did not elaborate whether user data was sent to those locations. However, TCL is in a better position to explain the issues.
After reaching out to TCL, the issues were fixed, but not for all of their TV models. That was toward the end of October.
Still, the flaws have all the characteristics of a backdoor because TLC can access any of their TVs and perform any function they want without the knowledge of a user.
No official word has been released by the Chinese TV manufacturer, yet.
This could also be worrying especially in the Kenya case where many people are picking up smart TVs, including TCLs.
No one wants to feel that they are being watched.