Android TV gets proof-of-concept hack, but don’t panic
A recent report by Symantec researcher Candid Wueest highlights some of these risks, and even demonstrates a proof-of-concept hack on what appears to be a Sony Android TV. In the demo, Wueest uses a man-in-the-middle attack to replace an attempted game installation with ransomware, which locks users out of their televisions and demands payment to get things working again. (Strangely, Wueest does not mention the TV manufacturer by name, despite a clear resemblance to Sony’s current lineup.)
“Fortunately, I had previously enabled the hidden Android ADB debugging option and was able to remove the Trojan through an ADB shell,” Wueest wrote. “Without this option enabled, and if I was less experienced user, I’d probably still be locked out of my smart TV, making it a large and expensive paper weight.”
Scary as this sounds, keep in mind Wueest’s man-in-the-middle attack couldn’t happen without access to the network path, either by being on the same Wi-Fi network or by hijacking the user’s DNS resolution. In other words, you’d need to either invite an attacker into your house, or have fallen prey to malware already. Furthermore, Android TV verifies downloaded apps and disallows installations from unknown sources by default, adding another layer of protection.
Still, television makers could be doing more to keep smart TVs locked down. Wueest’s TV, for instance, downloads firmware updates from non-SSL websites, opening up man-in-the-middle attacks that could theoretically block security patches. The TV’s gaming portal also doesn’t use encrypted web requests to communicate with its server, so an attacker could potentially trick users into installing something malicious.
Why this matters: These is hardly the first we’ve heard of smart TV hacking, and Wueest himself notes that widespread malware attacks haven’t happened yet. But his report does illustrate some of the risks—however miniscule—that come with turning TVs into full-blown computing devices. It’s no surprise, then, that so many efforts are springing up to stop malware at the network level. It beats the notion of anti-virus software for your TV, at least.