Security Loophole Discovered in Media Streaming Smart TV Devices

Nowadays an increasing number of people are moving away from conventional television and switching to various streaming solutions that deliver an even wider variety of content without the need to let the cable guy into your house. These various types of streaming hardware are sometimes referred to as "stream boxes". One such streaming box has only recently been discovered to contain a critical flaw that allows attackers to do a lot of damage with your data.

The streaming box in question is the Hindotech HK1 - a media streaming device that runs on Android and lets you watch online videos and streaming services like YouTube and Netflix or Twitch on your television set. The device also allows the installation of Android apps so you can access various social media from it, on the big screen.

Hackers Can Gain Elevated Privileges

The critical issue with the hardware has been rated at 9.3 out of a maximum of 10 on the Common Vulnerability Scoring System calculator operated by the National Vulnerability Database. The reason for this high rating is that the security loophole in the streaming box allows the execution of arbitrary code at root level. This amounts to more or less full control over the device.

With root access and arbitrary code execution, bad actors can steal Wi-Fi passwords, messages, social network account tokens, location data and contact lists.

The reason the bad actors can get root privileges in the first place is an access control issue: a local user without privileges can escalate to root. The device suffers from a flaw in its debugging functions when a connection is made through its serial port or over the Android Debug Bridge (ADB), even as a regular user.

A bad actor can gain access to the shell without entering any login credentials and can then escalate their privileges to root.

Once root access is obtained, nothing is off limits. Any data about the regular user of the device is available, as well as the ability to sniff other connected devices on the same network.

No Response from the Manufacturer

The Hindotech HK1 is manufactured by Shenzhen Hindo Technology Co., Ltd - an entity operating out of the Hong Kong area. The researchers from Sick.Codes who discovered the security issue with the streaming box failed in their attempts to contact the manufacturer about it. The company's official website is still returning an HTTP 500 Internal Server Error on all of its pages at the time of this writing. The issue with the hardware remains unaddressed.

This is neither the first nor the last case of security issues with home devices. In the past we have covered multiple cases of devices with serious security issues, ranging from something as complex as a streaming setup to objects as simple as a smart plug. Those past cases should serve as a reminder to always do that extra bit of research before buying any device that can connect to the Internet.

October 16, 2020