
Finding Vulnerabilities in Smart TVs

Researcher Describes How He Found Serious Flaws in TCL Smart TVs
A researcher who asked to remain anonymous found vulnerabilities in TCL smart TVs.

Nearly all TVs sold today are smart TVs that connect to the internet, which exposes them to the same classes of security problems as any other networked device. TVs are among the most pervasive internet-of-things devices.


An Australian security researcher who blogs at the site sick.codes recently examined a smart TV made by Chinese electronics company TCL, one of the largest TV manufacturers. The researcher, who didn’t want to be identified, found two serious flaws.

The flaws raised the attention of the U.S. Department of Homeland Security. Former DHS Acting Secretary Chad F. Wolf mentioned the issues in a speech at the Heritage Foundation on Dec. 21, noting that DHS was closely watching Chinese technology companies.

One of the flaws, CVE-2020-27403, let anyone on the same local network browse the full file system of the Android-powered TV and download files from it. The other, CVE-2020-28055, would allow an unprivileged attacker on the device to read and write files in certain directories.
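
The second flaw belongs to a broad class: directories on the device that any unprivileged process can write to. The audit below is an added example, not code from the article or from the researcher, showing the check a practitioner would run before or after a firmware update to surface that class of problem. It lists world-writable files and directories under a given root, excluding sticky world-writable directories (the /tmp pattern, which is expected). The function names, the constructed sample tree and its paths are illustrative assumptions; on a real Android TV the same `find` would be run against `/` from `adb shell` or a local shell on the device, and it uses only octal `-perm` forms so it does not depend on GNU-specific symbolic modes.

```shell
#!/bin/sh
# Added example (not the article's or the researcher's code): audit a tree for
# world-writable paths, the misconfiguration class behind "unprivileged read
# and write to certain directories". ROOT is a parameter so the audit can be
# exercised offline on a constructed sample tree.

# audit_world_writable ROOT
# Prints one line per world-writable file or directory under ROOT.
# -perm -002 : the "others write" bit is set.
# A directory that is also sticky (-perm -1000) is excluded, because a sticky
# world-writable directory such as /tmp only lets users delete their own files.
audit_world_writable() {
    root="$1"
    find "$root" \( -type d -o -type f \) -perm -002 \
        ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# count_world_writable ROOT
# Number of findings, as a bare integer (tr strips BSD wc's leading spaces).
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# make_sample_tree BASE
# Builds a constructed, Android-flavoured sample tree (hypothetical paths, not
# taken from any real firmware) with two bad entries and two acceptable ones.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/data/local/tmp" "$base/system/bin" "$base/vendor/app"
    printf 'x' > "$base/vendor/app/config.txt"
    chmod 0777 "$base/vendor/app"             # bad: world-writable directory
    chmod 0666 "$base/vendor/app/config.txt"  # bad: world-writable file
    chmod 1777 "$base/data/local/tmp"         # sticky + world-writable: excluded
    chmod 0755 "$base/system/bin"             # fine: not writable by others
}

# Stand-alone use: ./audit.sh /path/to/mounted/firmware/root
if [ "$#" -gt 0 ]; then
    audit_world_writable "$1"
fi
```

Run it against a mounted firmware image or, on the device, as `adb shell find / -perm -002 ...`; every path it reports is somewhere an unprivileged app or user can plant or alter content, which is exactly the condition an attacker needs to escalate from a foothold on the TV.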

Notifying the vendor turned out not to be straightforward, he says, and the process took weeks. TCL patched one flaw immediately but never told the researcher it had done so, and fixing the second issue took much longer. Eventually, TCL said it would put “processes in place to better react to discoveries by 3rd parties” and engage independent testing firms to ensure the security of its firmware.

“Just keep up communication,” he says. “That’s the only thing that failed here. If this had been cleaned up earlier, it would have been so much simpler.”

In this video interview, the researcher discusses:

  • How he found two serious vulnerabilities in TCL smart TVs;
  • What risks the flaws posed;
  • How vendors can improve communication with security researchers.

The researcher does private security consulting and separately blogs on his independent work.

About the Author

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
