Outdated Embedded Browsers Expose Smart TVs, Gaming Apps, Game Consoles to Cyber Risks

Written by: Lore Apostol, Cybersecurity Writer

While consumers and enterprises diligently update desktop software, a critical vector remains largely ignored: the integrated web browser found in smart consumer electronics. New research from the DistriNet Research Unit at KU Leuven identified some device security vulnerabilities stemming from outdated embedded browsers.

Using a user-friendly proprietary evaluation framework called CheckEngine, researchers analyzed closed-source firmware across various product categories, including tablets, e-readers, smart TVs, game consoles, and infotainment systems in cars. They also tested Steam, Ubisoft Connect, and AMD Adrenalin.

The KU Leuven CheckEngine Study Findings

The study said the analyzed devices were often shipped with a browser version that was already outdated. In some cases, the outdated version was more than 3 years old. Case studies focused on three well-documented and varied exploits:

Scatterplots comparing browser release dates with (a) product purchase or installation year (N=59) and (b) product release date (N=42) | Source: KU Leuven report

Of the 35 smart TVs tested, 24 contained browsers at least three years behind current industry standards. With an LG smart TV released in 2021, researchers could reproduce a CSP bypass and a Referrer Policy bypass.

Similarly, all five e-readers examined were significantly obsolete at the time of release. For instance, the Boox Note Air 3, released in 2024, was found running a version of Chromium dating back to August 2020.

The study revealed that some manufacturers did not provide browser updates, even though free security updates were advertised. In one study, an e-ink tablet with four software versions and an e-reader with five did not receive a browser update.

One application (Sync cryptocurrency wallet) and one gaming console (PlayStation 4) were also classified as obsolete regarding browser security.

Technical Risks: Spoofing and Privilege Escalation

The implications of these outdated components extend beyond poor performance. The KU Leuven CheckEngine study demonstrated how these legacy browsers expose users to sophisticated attacks. 

In testing gaming platforms, researchers found that outdated Chromium versions within the Steam client allowed for "alert box spoofing." This vulnerability enables attackers to craft URLs that trigger fake system alerts, a powerful tool for phishing campaigns. 

Additionally, the embedded browser in Ubisoft Connect was found to be configured without sandboxing, significantly increasing the risk of privilege escalation and malware installation if compromised. Ubisoft’s bug reporting service closed the submission as “informative,” and researchers escalated the matter to the relevant regulatory bodies.

For AMD Adrenalin, the researchers reproduced the address bar spoofing vulnerability in its Chromium 112-based browser (released April 2023). Navigations were not automatically upgraded to HTTPS, exposing users to a potential man-in-the-middle attack. 

“AMD acknowledged these issues and, at the time of writing, has imposed an embargo while actively working on timely updates,” said the study.

Industry Compliance and Future Regulation

The study attributes these failures partly to the complexity of development frameworks like Electron, where updating the browser requires updating the entire application framework. 

While the forthcoming EU Cyber Resilience Act aims to compel vendors to maintain the security of these embedded components, full enforcement does not begin until December 2027. Until regulatory pressure forces compliance, millions of devices remain susceptible to exploitation through their neglected web interfaces.

In September, California passed a bill requiring a mandatory data-sharing opt-out option in browsers.
