Researchers from Avast’s IoT Labs have discovered serious security flaws in two popular TV set-top boxes which could allow cybercriminals to store malware on the devices for the purposes of launching botnet attacks or ransomware using a weather forecast service.
The boxes under the microscope are manufactured by consumer electronics companies Thomson and Philips. The THOMSON THT741FTA and Philips DTR3502BFTA are available throughout Europe and are frequently purchased by consumers with television sets that do not support DVB-T2, the most up-to-date digital signal for terrestrial television that provides access to additional HD TV services.
The investigation, led by IoT Lab Team Lead Vladislav Iluishin and IoT Threat Researcher Marko Zbirka, began in January this year and is part of an ongoing initiative by Avast to explore and test the security postures of IoT enabled devices.
Early on in their analysis, Iliushin and Zbirka discovered that both internet-connected devices are shipped by their manufacturers with open telnet ports, a more than 50 year-old unencrypted protocol used for communicating with remote devices or servers. This could allow an attacker to gain remote access to the devices and recruit them in botnets to launch Distributed Denial of Service (DDoS) attacks or other malicious schemes. Iliushin and Zbirka were successful in executing the binary of the widespread Mirai botnet to both set-top boxes.
They also exposed an oversight linked to the set-top boxes’ architecture. Both devices rely on Linux Kernel 3.10.23, a privileged program installed on the boxes in 2016 which serves as a bridge between the devices’ hardware and software by allocating sufficient resources to the software to enable it to run. However, support for version 3.10.23 expired in November 2017, meaning patches for bugs and vulnerabilities were only issued for one year before they were discontinued, leaving users exposed to potential attacks thereafter.
Additional security issues affecting the devices included an unencrypted connection between the set-top boxes and a pre-installed legacy application of the popular weather forecasting service AccuWeather, a revelation discovered by analysing the traffic between the set-top boxes and the router. The insecure connection between the boxes and the AccuWeather backend could allow a bad actor to modify the content users see on their TVs when using the weather application. For instance, an intruder could display a ransomware message claiming the user’s TV has been hijacked while demanding a payment to free the device.
“Manufacturers are not only responsible for ensuring safety standards are met before their products are made available for purchase, they are also responsible for securing them and therefore the security of their users,” said Iliushin. “Unfortunately, it’s rare for IoT manufacturers to assess how the threat surface of their products can be reduced. Instead, they rely on the bare minimum, or in extreme cases completely disregard IoT and customer security in order to save costs and push their products to market quicker.”