
Android smart TVs expose users to attacks

By Admire Moyo, ITWeb's news editor.
Johannesburg, 26 Jan 2016
The apps on smart TVs can put users at risk, says Trend Micro.

Android-based smart TVs have vulnerabilities that put users at risk of being attacked by cyber criminals.

According to researchers at security solutions vendor Trend Micro, the apps on smart TVs that allow users to watch channels from around the globe are beneficial to many users; however, these apps also put users at risk.

They explain that these apps contain a backdoor that abuses an old flaw (CVE-2014-7911) in Android versions before Lollipop 5.0 (Cupcake 1.5 to KitKat 4.4W.2).

The majority of today's smart TVs use older versions of Android which still contain this flaw, says Trend Micro, adding that other Android devices with older versions installed are also at risk, but these kinds of apps are mainly used in smart TVs or smart TV boxes.

Android TV is a smart TV platform developed by Google. Running on the Android 5.0 Lollipop operating system, it creates an interactive television experience. The TV was announced in June 2014.

As these smart TVs have been gaining popularity across the world, many manufacturers plan to produce televisions loaded with the latest Android OS. Brands like Sony, CG and Hisense have already launched Android OS-based televisions, while a few others plan to do so.

"These TVs are more than just passive display devices; many of them can even run Android apps as well. Some may find these features useful, but these capabilities bring their own risks," says Ju Zhu, mobile threats analyst at Trend Micro.

Describing how the attack happens, Zhu says the attackers first lure owners of smart TVs to infected Web sites and get them to install apps infected with malware.

"Once these are installed, the attacker will trigger the vulnerability in the system. Well-known exploit techniques like heap sprays or return-oriented programming are used to gain elevated privileges in the system."

With elevated permissions, he explains, the attacker will then silently install other apps or malware onto the system. "Our analysis revealed they remotely update apps or remotely push related apps to the television sets."

However, says Zhu, these remotely installed apps are only downloaded via HTTP and not HTTPS. As a result, a second attacker capable of carrying out man-in-the-middle attacks could change the downloaded apps, in effect overriding the payload of the first attacker.
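Because these app downloads travel over plain HTTP, they are visible on the home or office network. The following is an added example, not code from the article or from Trend Micro: a check that flags Android package downloads fetched over cleartext HTTP, grouped by client device. The log format, addresses and host names are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"

# Constructed sample lines in an assumed proxy log format:
# timestamp client_ip method url status content_type bytes
SAMPLE_LOG = """\
2016-01-26T10:02:11Z 192.168.1.50 GET http://updates.example.test/tv/player_v2.apk 200 application/vnd.android.package-archive 4812231
2016-01-26T10:02:40Z 192.168.1.50 GET https://cdn.example.test/store/app.apk 200 application/vnd.android.package-archive 9123311
2016-01-26T10:03:05Z 192.168.1.50 GET http://push.example.test/get?id=77 200 application/vnd.android.package-archive 2210044
2016-01-26T10:04:19Z 192.168.1.23 GET http://news.example.test/index.html 200 text/html 18233
2016-01-26T10:05:00Z 192.168.1.50 GET http://updates.example.test/tv/missing.apk 404 text/html 512
malformed line
"""

def parse_line(line):
    """Return a record dict, or None if the line does not match the format."""
    parts = line.split()
    if len(parts) != 7 or not parts[4].isdigit() or not parts[6].isdigit():
        return None
    ts, client, method, url, status, ctype, size = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype, "bytes": int(size)}

def is_cleartext_apk(rec):
    """True for a successful APK fetch over http:// (no transport integrity)."""
    url = urlsplit(rec["url"])
    if url.scheme.lower() != "http" or rec["method"] != "GET":
        return False
    if not 200 <= rec["status"] < 300:
        return False
    mime = rec["ctype"].split(";")[0].lower()
    # Match on MIME type as well as extension: pushed apps may lack ".apk".
    return mime == APK_MIME or url.path.lower().endswith(".apk")

def find_cleartext_apk_downloads(log_text):
    """Map each client IP to the APK URLs it fetched over cleartext HTTP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cleartext_apk(rec):
            hits[rec["client"]].append(rec["url"])
    return dict(hits)

if __name__ == "__main__":
    for client, urls in find_cleartext_apk_downloads(SAMPLE_LOG).items():
        print(client, urls)
```
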

Trend Micro urges users to install mobile security solutions on smart TVs to mitigate the risks. "Upgrading smart TVs may be challenging for owners because they are limited by the hardware, thus users must get protection solutions installed instead and avoid the installation of apps from third-party sites."
