Authentication Bug Opens Android Smart-TV Box to Data Theft


The streaming box allows arbitrary code execution as root, paving the way to pilfering social-media tokens, passwords, messaging history and more.

A critical bug in the Hindotech HK1 TV Box would allow root-privilege escalation thanks to improper access control. A successful exploit would allow attackers to steal social-networking account tokens, Wi-Fi passwords, cookies, saved passwords, user-location data, message history, emails, contacts and more, researchers said.

The bug, which is awaiting a CVE assignment, comes in at 9.3 out of 10 on the CVSS severity scale, according to researchers at Sick.Codes, a security resource for developers.

The HK1 Box S905X3 TV Box is an Android-based streaming box that plugs into a TV and allows users to access YouTube, Netflix and other streaming content “over-the-top,” i.e., without a cable subscription. Users can also sign into their favorite email, music and social-networking-related apps for a full “smart TV” experience. It retails for under $100.


The vulnerability would allow a local, unprivileged user to escalate to root, the Sick.Codes team said in a posting this week. At issue is a lack of authentication when it comes to the debugging functions of the set-top – specifically, when connected to the device through the serial port (UART), or while using the Android Debug Bridge (adb), as an unprivileged user.

adb is a versatile command-line tool that lets users communicate with a device. It facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that can be used to run a variety of commands on a device.

“A local attacker using adb, or a physical attacker connecting to the device through the UART serial debugging port, is dropped into a shell as the ‘shell’ user without entering a username or password,” researchers explained. “Once logged in as the ‘shell’ user, the attacker can escalate to root using the /sbin/su binary which is group executable (750), or /system/xbin/su which is executable by all users (755).”
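The permission modes quoted above can be checked on any Android box during a device audit. The following is an added example, not code from the researchers or the vendor: it takes captured `ls -l` and `id` output and reports which `su` binaries the given user can execute under plain Unix mode bits (SELinux policy is not modelled). The owner and group values, the third path and the second user identity are constructed for illustration; the article supplies only the two paths and their modes.

```python
import re

# Constructed sample input, as it might be captured from a device under audit.
# Owner/group columns and the /vendor/bin/su control entry are assumptions;
# the article gives only /sbin/su (750) and /system/xbin/su (755).
SAMPLE_LS = """\
-rwxr-x--- 1 root shell 11056 2020-01-01 00:00 /sbin/su
-rwxr-xr-x 1 root shell 11056 2020-01-01 00:00 /system/xbin/su
-rwx------ 1 root root  11056 2020-01-01 00:00 /vendor/bin/su
"""
SAMPLE_ID = "uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),3003(inet)"

LS_RE = re.compile(r"^-([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+.*\s(/\S+)$")

def parse_id(id_output):
    """Return (user_name, set_of_group_names) parsed from `id` output."""
    user = re.search(r"uid=\d+\(([^)]+)\)", id_output).group(1)
    groups = set(re.findall(r"\d+\(([^)]+)\)", id_output.split("gid=", 1)[1]))
    return user, groups

def can_execute(perms, owner, group, user, groups):
    """Unix DAC: the first matching class (owner, group, other) decides."""
    if user == owner:
        return perms[2] in "xs"
    if group in groups:
        return perms[5] in "xs"
    return perms[8] in "xt"

def audit_su(ls_output, id_output):
    """List su binaries in the ls output that the given user can execute."""
    user, groups = parse_id(id_output)
    findings = []
    for line in ls_output.splitlines():
        m = LS_RE.match(line.strip())
        if not m or not m.group(4).endswith("/su"):
            continue
        perms, owner, group, path = m.groups()
        if can_execute(perms, owner, group, user, groups):
            findings.append(path)
    return findings

if __name__ == "__main__":
    for path in audit_su(SAMPLE_LS, SAMPLE_ID):
        print("FINDING: su executable by unprivileged user:", path)
```

Any finding for a non-root identity on a production build means the `su` binary should be removed or its mode tightened, independent of whether adb or UART access is also locked down.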

Once endowed with root privileges, the attacker can view any of the information for the apps the user is signed into – paving the way for stealing access tokens, passwords, contacts and messages and more. Attackers could also use the HK1 Box maliciously to sniff other devices on the same network, usually in a home-networking environment, according to the analysis.

“For example, once root, the network Wi-Fi password can be read in plain text at /data/misc/wifi/WifiConfigStore.xml,” researchers explained.

Thus far, the issue has not been addressed.

The vendor for the device is the Shenzhen Hindo Technology Co., Ltd., based just outside of Hong Kong. The researchers were unable to contact the company (and its website was down as of the time of writing). Instead, the researchers submitted a draft advisory to Amlogic, which shares branding with the device in the States – and received no response.

Threatpost has tried to contact Shenzhen Hindo but has been unsuccessful in reaching the company.

This is only the latest entertainment-related security bug. Last week, researchers disclosed the ‘WarezTheRemote’ attack, affecting Comcast’s XR11 voice remote control. A security flaw would allow attackers to remotely snoop in on victims’ private conversations.

The flaw stems from Comcast’s XR11, a popular voice-activated remote control for cable TV, which has more than 18 million units deployed across the U.S. The remote enables users to say the channel or content they want to watch rather than keying in the channel number or typing to search.
