by Paul Roberts
Millions of Android smart television sets from the Chinese vendor TCL Technology Group Corporation contained gaping software security holes that researchers say could have allowed remote attackers to take control of the devices, steal data or even control cameras and microphones to surveil the set‘s owners.
The vulnerabilities raise serious questions about the cyber security of consumer electronics that are being widely distributed to the public. TCL, a mainland Chinese firm, is among those that have raised concerns within the U.S. Intelligence community and among law enforcement and lawmakers, alongside firms like Huawei, which has been labeled a national security threat, ZTE and Lenovo. TCL smart TVs are barred from use in Federal government facilities.
TCL‘s TV sets are widely available in the US via online e-tailers like Amazon and brick and mortar “box stores” like Best Buy. It is unclear whether those retailers weigh software security and privacy protections of products before opting to put them on their store shelves. An email to Best Buy seeking comment on the TCL vulnerabilities was not returned.
The security researchers who discovered the flaw said that consumers should beware when buying smart home electronics like TV sets, home surveillance cameras, especially those manufactured by companies with ties to authoritarian regimes.
“Don‘t buy it just because a TVs cheap. Know what you‘re buying,” said Sick Codes. “That‘s especially true if it‘s hooked up to the Internet.”
UPDATE
In a Nov. 16 statement, TCL said it “quickly took steps to investigate, thoroughly test, develop patches, and implement a plan to send updates to resolve the matter,” though it acknowledged that improvements to its bug-reporting process are needed.
TCL says the problem affects “a limited number” of its TVs—model numbers 32S330, 40S330, 43S434, 50S434, 55S434, 65S434, and 75S434.