Many researchers alerted the industry to the security risks present in Internet of Things (IoT) devices before their use became a must. Now, when in virtually every home in the world there are multiple connected devices, there are severe problems for users, cyber security solutions specialists mention.
Researchers from Avast IoT Lab revealed the discovery of severe security vulnerabilities in two of the world’s most widely used TV set-top boxes, manufactured by Thomson and Philips. According to the report, exploiting these flaws would allow threat actors to use malware for botnets and even infect an affected device with ransomware.
This research is carried out by Vladislav Ilyushin, director of Avast IoT Lab, and cyber security solutions expert Marko Zbirka.
The first finding from the cyber security solutions experts was that the two manufacturers sell network-connected decoders with open telnet ports, an unencrypted protocol that was designed more than 50 years ago used to handle communication with remote devices or servers. These weaknesses allow threat actors to access devices to launch denial of service (DoS) attacks, among other attack variants. In testing, Avast experts managed to run a binary file of the Mirai botnet, a very common attack variant among this kind of device.
The Avast team also identified a flaw in the architecture of these companies’ set-top boxes, which use Linux kernel version 3.10.23, installed in 2016. The kernel acts as a link between hardware and software, ensuring the correct execution of the decoders. The problem is that compatibility with version 3.10.23 expired in November 2017, implying that the fixes were only released for one year; when the security flaw update is suspended, thousands of users may be exposed.
Experts found multiple additional flaws, such as an unencrypted connection between the set-top boxes and the legacy AccuWeather weather service application. A threat actor might modify the content that users view.
To mitigate exploitation risks, users can enable the following measures:
- Do not connect the set-top box when not using its smart features
- Purchase these devices only with authorized vendors
- Log in to your device’s web management interface to disable the Universal Plug and Play (UPnP) feature if enabled
The companies have already been contacted to notify them of these findings, although they have not commented on them.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
