TCL smart TVs running Android seem to have huge security holes and could even be designed to spy on users around the world, two security researchers say. The issues do not affect TCL sets running Roku software.
“I can wholeheartedly say that there were multiple moments that I, and another security researcher that I met along the way, couldn’t believe what was happening,” wrote a researcher calling himself “Sick Codes” in a blog post earlier this week. “On multiple occasions I found myself feeling as though, ‘you couldn’t even make this up.'”
Sick Codes and the other researcher, John Jackson, who works at photo-licensing service Shutterstock, discovered that they could access the entire filesystem of a TCL smart TV over a Wi-Fi connection using an undocumented TCP/IP port. They found that they could also overwrite files on the TV.
All of this could be done without entering a username, a password or any kind of authorization at all. The flaws were assigned the Common Vulnerability and Exposure catalog numbers CVE-2020-27403 and CVE-2020-28055 after the researchers notified the U.S. Computer Emergency Response Team (US-CERT) at Carnegie Mellon University in Pittsburgh.
The flaws were patched on the TV model that Sick Codes and Jackson were analyzing — more on that below — but apparently not all on TCL smart TV models.
Browsing someone else’s file system on your phone
Tom’s Guide reached out to Sick Codes and Jackson over Twitter, and in the course of the resulting conversation, we were sent a URL that appeared to give full access to the file system of a TCL smart TV in Zambia.
We were able to browse the directories of this random person’s TV through the Chrome browser on our Android phone, until the TV user apparently turned the TV off.
(Sick Codes told us that was one of only a dozen TCL smart TVs worldwide that was directly on the internet; in most cases, you’d have to be on the same local Wi-Fi network to be able to browse the file system.)
“When in the history of your career have you ever needed to serve the entire filesystem over http?” wondered Sick Codes in his blog post.
Tom’s Guide has reached out for comment to the North American division of TCL, which is a Chinese company, and we will update this story when we receive a reply.
Are TCL TVs collecting files from customers?
The pair also found that an app on the TCL TV, called Terminal Manager Remote, had a configuration file listing servers that seemed to be ready to handle files, logs, and screenshots pertaining to user TVs.
“It’s a Chinese backdoor,” Sick Codes told us in a telephone conversation.
The researchers’ blog post had a screenshot of the server list, which was divided into four regions. One was for mainland China, another for the rest of the Asia-Pacific region (including Hong Kong and Taiwan), a third for the Middle East, Africa and Europe, and the fourth for Latin America and North America.
It wasn’t exactly clear whether those servers were meant to send files to TCL TVs, or to receive files from them.
“I don’t have the answer,” wrote Sick Codes in the blog post. “TCL does, however.”
Tom’s Guide tried to access a few of the URLs and was told that “GET” requests — normal requests by web browsers to download files — were not supported. We’ll try to send some “POST” requests to upload files after working hours and will update this story if we discover anything interesting.
Sick Codes also sent us a link to what appeared to be a wide-open web server holding dozens of TCL firmware updates. No authorization was needed to view the files. We did not try to download any, but Sick Codes said it would be possible.
A ‘silent patch’ with worrisome implications
Sick Codes and Jackson said they tried to reach out to TCL using email, Twitter, telephone and direct posting on the TCL website to notify them of the flaws beginning Oct. 16, but it took until Oct. 26 before they got an acknowledgement that the message had been received.
“I called TCL and talked to a support representative,” Sick Codes wrote in the blog post. “I urged her that we had a serious vulnerability on our hands and she stated that she had no contact info to the Security team, and didn’t even think/know if TCL had a Security team.”
On Oct. 29, the problems on their test TV set were suddenly fixed without any notification, alert or request for user authorization.
“This was a totally silent patch,” Sick Codes told The Security Ledger, which first reported this story. “They basically logged in to my TV and closed the port.”
To Sick Codes, this is just as worrisome as the security flaws that got patched on some models (but not the one on which Tom’s Guide could browse the file system).
“This is a full on back door,” he told The Security Ledger. “If they want to, they could switch the TV on or off, turn the camera and mic on or off. They have full access.”
What should I do if I have a TCL smart TV?
If you own a TCL smart TV, first check whether it’s one of the versions running Roku software. Those do not seem to be affected by these flaws.
If it’s not a Roku model, then you’ll want to make sure that your home Wi-Fi network has a very strong password, and that you don’t give visitors the password. Many routers let you set up a separate network for that.
You’ll also want to get into your router’s administrative menu to disable access to devices inside your network from the internet. We’ve got a list of other smart-TV security tips.
Also, be aware that the TV manufacturer may be able to see what you’re watching. That’s not something specific to TCL — many smart TVs, set-top boxes and DVRs keep tabs on what their customers watch.
