Serious security flaws have been discovered in two popular TV set-top boxes, potentially leaving customers at risk cyber-attack. According to an investigation by Avast, the THOMSON THT741FTA and Philips DTR3502BFTA devices contain vulnerabilities that can allow them to be accessed remotely by malicious actors, who can then launch botnet and ransomware attacks.
The internet-connected set-top boxes are often purchased by consumers who have television sets that do not support DVB-T2, the most up-to-date digital signal for terrestrial television.
The investigators found that both Internet of Things (IoT) devices are shipped by their manufacturers with open telnet ports, an unencrypted protocol used for communicating with remote devices or servers. This could allow cyber-criminals to launch attacks such as DDoS using botnets, with the Avast team successfully executing the binary of the Mirai botnet to both devices.
Another issue is that the privileged program Linux Kernel 3.10.23, installed on both boxes in 2016 to allocate sufficient resources to the software to enable it to run, was only supported with patches for bugs and vulnerabilities until November 2017. Users have therefore not received security updates since that time.
Avast also believe an unencrypted connection between the devices and a pre-installed legacy application of the popular weather forecasting service AccuWeather could enable malicious actors to modify the content users see on their TVs when using this app. This could potentially lead to ransom messages being displayed, claiming that the user’s TV has been hijacked and demanding a sum to free it.
Vladislav Iluishin, IoT Lab Team lead at Avast commented: “Manufacturers are not only responsible for ensuring safety standards are met before their products are made available for purchase, they are also responsible for securing them and therefore the security of their users.
“Unfortunately, it’s rare for IoT manufacturers to assess how the threat surface of their products can be reduced. Instead, they rely on the bare minimum, or in extreme cases completely disregard IoT and customer security in order to save costs and push their products to market quicker.”
The findings are part of an ongoing project by Avast to explore and test the security postures of IoT enabled devices.
Last week, IBM revealed it found a vulnerability in a component used in millions of IoT devices.