The IT Nerd

Apparently the Department Of Homeland Security is probing Chinese based TV maker TCL over accusations that their Android TVs have backdoors that facilitate data theft:

The acting head of the U.S. Department of Homeland Security said the agency was assessing the cyber risk of smart TVs sold by the Chinese electronics giant TCL, following reports last month in The Security Ledger and elsewhere that the devices may give the company “back door” access to deployed sets, The Security Ledger reports. Speaking at The Heritage Foundation, a conservative think tank, Acting DHS Secretary Chad Wolf said that DHS is “reviewing entities such as the Chinese manufacturer TCL.” “This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration. TCL also receives CCP state support to compete in the global electronics market, which has propelled it to the third largest television manufacturer in the world,” Wolf said, according to a version of prepared remarks published by DHS. His talk was entitled “Homeland Security and the China Challenge.” 

As reported last month, independent researchers John Jackson — an application security engineer for Shutter Stock — and a researcher using the handle Sick Codes identified and described two serious software security holes affecting TCL brand television sets and would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious critical information disclosure, the researchers warned. Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports. In an interview with The Security Ledger, the researcher Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and no visible notification on the device itself. In a statement to The Security Ledger, TCL disputed that account. By TCL’s account, the patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability. 

In his address on Monday, Acting Secretary Wolf said the warning about TCL will be part of a broader “business advisory” cautioning against using data services and equipment from firms linked to the People’s Republic of China (PRC). This advisory will highlight “numerous examples of the PRC government leveraging PRC institutions like businesses, organizations, and citizens to covertly access and obtain the sensitive data of businesses to advance its economic and national security goals,” Wolf said. “DHS flags instances where Chinese companies illicitly collect data on American consumers or steal intellectual property. CCP-aligned firms rake in tremendous profits as a result,” he said.

As far as I can tell, this is restricted to Android powered TVs that TCL makes. I have a Roku powered TCL TV that don’t appear to be affected. But this highlights the fact that if you put something on the Internet, smart or otherwise, it’s a risk. So if this concerns you, and if you have one of these TVs, you should unplug it from the Internet. Though these TVs never saw the light of day in Canada.

This entry was posted on December 23, 2020 at 9:57 am and is filed under Commentary with tags TCL. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.