- TCL TVs can be accessed remotely via open ports, as long as the hacker knows the target IP address.
- The potential impact includes accessing files, planting code, exfiltrating data, and even gaining control of cams and mics.
- Users are advised to apply firmware and software updates, check their privacy settings, and cover their cameras.
TCL, the Chinese tech giant that also happens to be the third-largest TV manufacturer in the world, is dealing with a nasty code security problem. As discovered by white-hat hackers, knowing the target TV’s IP address is all it would take for a threat actor to access it and browse its hidden files. The only tools needed would be a port scanner, such as Nmap, and a web browser for browsing the filesystem.
The victim, in that case, wouldn’t realize that someone has accessed their TV, so everything would unfold silently. The researchers found that “http://10.0.0.117:7989/sdcard” doesn’t have any protection against remote access whatsoever. Through there, a capable hacker could plant code in the smart TV, inject malicious files, delete others, exfiltrate what’s there, and more.
TCL was notified of the discoveries but didn’t respond until 13 days had passed. Their answer was peculiar, as they claimed to have fixed the problem. When the researchers went to confirm that, they saw that TCL’s engineers had moved some critical files around, but remote actors could still access the filesystem and edit files.
It is now accepted that TCL may not do much to fix the problem, leaving millions of people at risk. TCL TVs are selling very well, as they’re generally pretty good while keeping prices low. However, this is not the first time that TCL has blundered in the privacy and security space, and in fact, it’s not even the second time.
If you own and use a TCL TV, there are a few things you can do to mitigate the risks.
- First, check the device’s settings and ensure that access to the camera and microphones is set to “disabled” for all apps. If your TV has a camera, stick a piece of black tape on it just to be sure.
- Second, change user passwords on the TV.
- Third, set up a dedicated WiFi network for these devices and connect the TV to that one instead.
- And lastly, check for any software updates from the TV and firmware updates from the manufacturer’s website. If there are any, go ahead and apply them immediately.
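
To confirm that the steps above actually closed the hole, you can test your own TV from another machine on your home network. The script below is an added example, not code from the researchers or from TCL; the port and path come from the URL quoted in the article, while the function name and the result labels are assumptions made for illustration.

```python
import http.client
import ipaddress
import socket
import sys

# Port and path come from the URL quoted in the article; everything else
# (function name, result labels) is an assumption made for this example.
TCL_PORT = 7989
TCL_PATH = "/sdcard"


def check_tv_exposure(ip, port=TCL_PORT, path=TCL_PATH, timeout=3.0):
    """Classify a TV on your own network as 'closed', 'open' or 'exposed'."""
    addr = ipaddress.ip_address(ip)
    if not (addr.is_private or addr.is_loopback):
        raise ValueError("only audit devices on your own private network")

    # Step 1: is anything listening on the port at all?
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            pass
    except OSError:
        return "closed"  # filtered, firewalled or service not running

    # Step 2: does the service answer a plain GET with no credentials?
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return "open"  # reachable, but not serving the path over HTTP
    finally:
        conn.close()
    # A 2xx answer without authentication is the condition the article describes.
    return "exposed" if 200 <= status < 300 else "open"


if __name__ == "__main__":
    # Usage: python check_tv.py 192.168.1.50   (address of your own TV)
    result = check_tv_exposure(sys.argv[1])
    print(f"{sys.argv[1]}:{TCL_PORT}{TCL_PATH} -> {result}")
    sys.exit(0 if result == "closed" else 1)
```

Run it once from your main network after moving the TV to the dedicated WiFi network: a result of `closed` means the segmentation is blocking the port, while `exposed` means the file listing is still reachable without a password.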