Smart TVs go into the homes of ordinary people | but most of them are safe

On the afternoon of March 14, the Thai terminal laboratory teamed up with the OASES Alliance, Baidu Security, Antiy, Pangu, and Palm Security, and released security evaluation results for artificial intelligence TVs.

The brands participating in the evaluation include: Skyworth, Hisense, TCL, Sharp, Changhong, Xiaomi, Konka, Microwhale, Philips, Haier, LeTV, Storm TV. The results of the evaluation show that AI TVs currently on the market generally have security risks, including unrepaired security vulnerabilities, applications that can be installed remotely, and unencrypted transmission of users' personal information. The risks fall mainly into the following three points:

1. The privileged debug ports of some AI TVs are not under strict control, so the system's highest root privilege can be obtained remotely. That is, a hacker can gain full control of the TV through the root privilege, and can even remotely switch cameras on and off, install malicious software, control ransomware, play illegal advertising, and collect user privacy information.

2. Some products do not encrypt the transmission of user privacy information. TV remote control operations, voice control instructions, and even viewing habits are easily stolen by criminals.

3. Since most TVs are based on older versions of Android, many vulnerabilities that have been publicly exploited have not been fixed. Hackers can use these vulnerabilities to obtain control of the TV and user privacy information.

In addition, Tell Labs stated that it will release more security evaluation results on AI smart TVs in the future. Please continue to pay attention to the coverage of Sina Technology.

The following is the full text of the report:

In recent years, domestic and foreign media and security forums have frequently reported information security problems in artificial intelligence televisions. Criminals can use the various security risks of artificial intelligence televisions to remotely control televisions, install malicious software remotely, monitor homes remotely, and cause user privacy leakage or property damage. In view of possible information security problems in artificial intelligence TVs, Terrell Labs recently joined with OASES Alliance, Baidu Security, Antiy, Pangu, Palm Control Security and other organizations and vendors to organize and conduct artificial intelligence television security evaluations.

The safety evaluation laboratory selected 12 mainstream brands and models currently on the market that are labeled 'AI Smart TV' or 'Artificial Smart TV', including: Skyworth, Hisense, TCL, Sharp, Changhong, Xiaomi, Konka, Microwhale, Philips, Haier, LeTV, Storm TV. The review covers 24 items across all aspects, including: system vulnerabilities, configuration security, port security, important component security, pre-installed application security, third-party software installation security, voice control module security, and user-sensitive information security.

The evaluated products commonly showed: unrepaired security vulnerabilities, improper configuration, unauthorized operations, insufficient debug port protection, applications that can be silently installed remotely, low vulnerability repair rates, plaintext transmission of sensitive user information, missing preset security protection, and other information security issues. These issues expose users to very large information security risks, and the information security situation of artificial intelligence TVs is not optimistic.

The following lists some of the outstanding safety issues and possible impacts of some of the artificial intelligence TVs that were sampled this time:

Root permissions can be obtained remotely, devices can be hijacked remotely

On some of the tested AI TVs, high-privilege debug ports are not strictly controlled, and there are root privilege escalation vulnerabilities in the core service components of the system. Criminals can use these problems to obtain full control of the TV; that is, the TV is completely "naked" to the attacker. The attacker can remotely switch cameras on and off, install malicious applications, control ransomware, hijack TV content, display illegal advertisements, collect user privacy information, etc. Users will suffer privacy leaks, property damage, equipment failure, and even threats to life safety.

[Figure: Remotely execute adb shell commands]

Plaintext transmission of user information, user privacy can be easily disclosed and attacked

Some pre-installed applications on the artificial intelligence TVs transmit user information in plaintext, so the user's remote control operations, voice control content, personal viewing habits, etc. can be stolen or maliciously hijacked by an attacker. For example, one product uses plaintext transmission when receiving remote control requests sent by the user's mobile phone app, which allows a man-in-the-middle to intercept the content, including remote control operations and voice control content.

[Figure: Intercept voice search information]

There are a large number of unrepaired vulnerabilities in the system.

The operating system version of an artificial intelligence TV is usually older, and its security updates are incomplete. Vulnerability scanning and manual investigation of the operating systems of the TVs under test found that some TV operating systems have a large number of unfixed vulnerabilities, including publicly exploited ones such as the Dirty Cow vulnerability (CVE-2016-5195) and Bluetooth vulnerabilities (CVE-2017-0785). These allow attackers to exploit known vulnerabilities to gain system rights, damage the system, steal user account information, and so on.

[Figure: Fix a bug in a device]
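As an added example (not part of the report or the evaluators' tooling), the sketch below audits the output of `getprop` from an Android-based TV for two of the findings above: a debug (adb) port reachable over the network and a patch level that predates the two CVEs named in the report. The property names are standard Android system properties; the patch-level dates are taken from the Android Security Bulletins and should be confirmed there, and the sample output is constructed.

```python
import re
from datetime import date

# Patch level at which each CVE named in the report is covered, per the
# Android Security Bulletins (assumption: confirm against the bulletins).
FIXED_IN = {
    "CVE-2016-5195": date(2016, 12, 5),  # Dirty COW
    "CVE-2017-0785": date(2017, 9, 1),   # Bluetooth
}
PROP_RE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")

# Constructed sample of `getprop` output, not captured from a real device.
SAMPLE = """\
[ro.build.version.release]: [6.0]
[ro.build.version.security_patch]: [2016-08-01]
[ro.debuggable]: [1]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
"""

def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(props):
    findings = []
    for key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        port = props.get(key, "")
        if port.isdigit() and int(port) > 0:
            findings.append(f"adb listening on TCP port {port} ({key})")
    if props.get("ro.adb.secure") != "1":
        findings.append("adb host-key authentication off (ro.adb.secure != 1)")
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build (ro.debuggable=1): adb can run as root")
    level = props.get("ro.build.version.security_patch", "")
    try:
        patch = date.fromisoformat(level)
    except ValueError:
        patch = None
        findings.append("no security patch level reported")
    for cve, fixed in sorted(FIXED_IN.items()):
        if patch is None or patch < fixed:
            findings.append(f"{cve} not covered by patch level {level or 'unknown'}")
    return findings
```

The patch level is a vendor-reported string, so a passing result is a necessary check rather than proof that the fixes are present.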

Artificial intelligence TVs equipped with open operating systems bring a wealth of experience to users, but also introduce a large number of security risks. We hope relevant equipment manufacturers can take necessary security measures in time to enhance the security protection capabilities of their operating systems and application software. We also remind users to install security updates in a timely manner. At the same time, we recommend that consumers increase their security awareness and try to choose security-certified artificial intelligence TV products to protect their legitimate rights and interests.

We reported the results of this evaluation to the relevant manufacturers at the first opportunity, and we are willing to provide technical advice to the companies concerned so that together we can improve the products' security protection capabilities.
