Finding Vulnerabilities in Smart TVs
Researcher Describes How He Found Serious Flaws in TCL Smart TVs
Nearly all TVs sold today are smart TVs that connect to the internet, which holds the potential for security problems. TVs are one of the most pervasive internet-of-things devices.
An Australian security researcher who blogs at the site sick.codes recently examined a smart TV made by Chinese electronics company TCL, one of the largest TV manufacturers. The researcher, who didn’t want to be identified, found two serious flaws.
The flaws raised the attention of the U.S. Department of Homeland Security. Former DHS Acting Secretary Chad F. Wolf mentioned the issues in a speech at the Heritage Foundation on Dec. 21, noting that DHS was closely watching Chinese technology companies.
One of the flaws, CVE-2020-27403, allowed him to download files and browse the full file system of the Android-powered TV while on the same network. The other, CVE-2020-28055, would allow an unprivileged attacker to read and write files to certain directories.
Notifying the vendor turned out not to be straightforward, he says. The process took weeks. TCL fixed one flaw immediately, but never informed the researcher, and the second issue took much longer, he says. Eventually, TCL said it would put “processes in place to better react to discoveries by 3rd parties” as well as engage with independent testing firms to ensure the security of its firmware.
“Just keep up communication,” he says. “That’s the only thing that failed here. If this had been cleaned up earlier, it would have been so much simpler.”
In this video interview, the researcher discusses:
- How he found two serious vulnerabilities in TCL smart TVs;
- What risks the flaws posed;
- How vendors can improve communication with security researchers.
The researcher does private security consulting and separately blogs on his independent work.