Finding Vulnerabilities in Smart TVs

Researcher Describes How He Found Serious Flaws in TCL Smart TVs
A researcher who asked to remain anonymous found vulnerabilities in TCL smart TVs.

Nearly all TVs sold today are smart TVs that connect to the internet, which holds the potential for security problems. TVs are one of the most pervasive internet-of-things devices.

An Australian security researcher who blogs at the site sick.codes recently examined a smart TV made by Chinese electronics company TCL, one of the largest TV manufacturers. The researcher, who didn’t want to be identified, found two serious flaws.

The flaws raised the attention of the U.S. Department of Homeland Security. Former DHS Acting Secretary Chad F. Wolf mentioned the issues in a speech at the Heritage Foundation on Dec. 21, noting that DHS was closely watching Chinese technology companies.

One of the flaws, CVE-2020-27403, allowed him to download files and browse the full file system of the Android-powered TV while on the same network. The other, CVE-2020-28055, would allow an unprivileged attacker to read and write files to certain directories.

Notifying the vendor turned out not to be straightforward, he says. The process took weeks. TCL fixed one flaw immediately, but never informed the researcher, and the second issue took much longer, he says. Eventually, TCL said it would put “processes in place to better react to discoveries by 3rd parties” as well as engage with independent testing firms to ensure the security of its firmware.

“Just keep up communication,” he says. “That’s the only thing that failed here. If this had been cleaned up earlier, it would have been so much simpler.”

In this video interview, the researcher discusses:

  • How he found two serious vulnerabilities in TCL smart TVs;
  • What risks the flaws posed;
  • How vendors can improve communication with security researchers.

The researcher does private security consulting and separately blogs on his independent work. His GitHub is here.


About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
