Major vulnerabilities found in Philips and Thomson set-top boxes

Avast IoT Lab researchers have discovered serious vulnerabilities in two popular set-top boxes from Philips and Thomson. According to them, these vulnerabilities allow attackers to enlist the devices in botnets and to carry out ransomware attacks.

The bugs were found in the THOMSON THT741FTA and Philips DTR3502BFTA devices from Europe, which are aimed particularly at users whose TVs do not support the DVB-T2 standard, which provides access to HD resolution. The products’ owners were informed about the findings, and various measures were proposed to them to improve safety.

Vladislav Ilyushin, head of the IoT laboratory, together with IoT threat researcher Marko Zbirka, started the investigation back in January this year. The research was part of an Avast initiative to research and test security solutions for smart devices. Upon analysis, they discovered that both manufacturers supply STBs with Telnet ports open by default.

“This protocol was created in 1969, so it is more than 50 years old, it does not have encryption, but is still used to communicate with remote devices or servers. Essentially, in the case of vulnerable set-top boxes, Telnet allows attackers to remotely access devices and make them part of botnets, then use them for DDoS attacks and other malicious activity”, said the Avast researchers.

For example, the researchers managed to run the binary file of the famous IoT Mirai malware on both devices. They also identified an issue with the architecture of the gadgets: both devices use Linux kernel version 3.10.23, which serves as a bridge between the hardware and software of the set-top boxes. Support for this version expired back in November 2017, leaving users vulnerable to potential attacks for which they simply did not receive fixes.

In addition, an unencrypted connection was found on both devices, between the set-top boxes and the pre-installed, outdated AccuWeather app. This insecure connection allows attackers to change the content that users see on their TVs.

“Manufacturers are responsible for meeting safety standards not only when they sell them. They are also responsible for the safety of their further exploitation by users. Unfortunately, manufacturers of IoT devices rarely wonder how they can mitigate the threats posed by their products. Instead, they rely on minimal or at least completely ignore IoT security to cut costs and speed time to market”, Avast said.

Avast experts recommend that users choose models from reliable brands that have a history of long-term device support and work on security. In addition, users should check the port forwarding configuration and disable it if it is not necessary.
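
To check whether a set-top box or other device on your own network still has the Telnet listener described above, the following added example (not code from Avast or the manufacturers) probes port 23 and looks for Telnet option negotiation. The inventory addresses are constructed placeholders, and the function names are chosen for this illustration.

```python
import socket

IAC = 0xFF          # Telnet "Interpret As Command" byte (RFC 854)
TELNET_PORT = 23


def probe_telnet(host, port=TELNET_PORT, timeout=2.0):
    """Classify one device you own as 'closed', 'open' or 'telnet'.

    'telnet' means the listener answered with Telnet option negotiation
    (first byte is IAC) or with a login-style prompt.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(64)
            except OSError:
                return "open"      # accepts connections but sent no banner
    except OSError:
        return "closed"            # refused, filtered or unreachable
    if data and (data[0] == IAC or b"login" in data.lower()):
        return "telnet"
    return "open"                  # something listens, but it is not Telnet-like


def audit(devices, port=TELNET_PORT, timeout=2.0):
    """Map each device address to its probe result."""
    return {d: probe_telnet(d, port, timeout) for d in devices}


if __name__ == "__main__":
    # Constructed sample inventory: replace with addresses of your own devices.
    inventory = ["192.168.1.50", "192.168.1.51"]
    for host, state in audit(inventory).items():
        note = "" if state == "closed" else "  <-- disable Telnet, remove any port forward"
        print(f"{host}:{TELNET_PORT} {state}{note}")
```

A result of `telnet` or `open` from inside the LAN only shows that the listener exists; whether it is reachable from the internet depends on the router's port forwarding rules, which should be reviewed separately.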