
Update: DHS Looking Into Cyber Risk from TCL Smart TVs

The acting head of the U.S. Department of Homeland Security said the agency was assessing the cyber risk of smart TVs sold by the Chinese electronics giant TCL, following reports last month in The Security Ledger and elsewhere that the devices may give the company “back door” access to deployed sets.

Speaking at The Heritage Foundation, a conservative think tank, Acting DHS Secretary Chad Wolf said that DHS is “reviewing entities such as the Chinese manufacturer TCL.”

“This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration. TCL also receives CCP state support to compete in the global electronics market, which has propelled it to the third largest television manufacturer in the world,” Wolf said, according to a version of prepared remarks published by DHS. His talk was entitled “Homeland Security and the China Challenge.”

In an e-mail statement to Security Ledger, TCL spokesman Chris Larson said the company was concerned that “recent comments about TCL appear to originate from inaccurate descriptions of our products, features, and capabilities in recent weeks.” He said those have “led to speculative conclusions and a rush to judgment.”

Regarding Acting Secretary Wolf’s speech, Larson said that TCL’s “conduct is forthright and beyond reproach, and we firmly reject the unsupported characterizations and speculative conclusions from this speech. It misleads the public about who we are and how we conduct ourselves. TCL’s success in the U.S. is due to the hard work and commitment from our dedicated teams of employees and is entirely earned.”

As reported by The Security Ledger last month, independent researchers John Jackson (@johnjhacking), an application security engineer for Shutterstock, and a researcher using the handle Sick Codes (@sickcodes) identified and described two serious software security holes affecting TCL brand television sets. The first, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set, up to and including images, personal data and security tokens for connected applications. The flaw could lead to serious, critical information disclosure, the researchers warned.


The second vulnerability, CVE-2020-28055, would have allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV’s Android file system, including the vendor upgrades folder.

Both flaws affect TCL Android Smart TV series V8-R851T02-LF1 V295 and below and V8-T658T01-LF1 V373 and below, according to the official CVE reports. In an interview with The Security Ledger, the researcher Sick Codes said that a TCL TV set he was monitoring was patched for the CVE-2020-27403 vulnerability without any notice from the company and without any visible notification on the device itself.

In a statement to The Security Ledger last month, TCL disputed that account. By TCL’s account, the patched vulnerability was linked to a feature called “Magic Connect” and an Android APK by the name of T-Cast, which allows users to “stream user content from a mobile device.” T-Cast was never installed on televisions distributed in the USA or Canada, TCL said. For TCL smart TV sets outside of North America that did contain T-Cast, the APK was “updated to resolve this issue,” the company said. That application update may explain why the TCL TV set studied by the researchers suddenly stopped exhibiting the vulnerability.


While TCL denied having a back door into its smart TVs, the company did acknowledge the existence of remote “maintenance” features that could give its employees or others control over deployed television sets, including onboard cameras and microphones. Owners must authorize the company to access cameras and microphones, however, according to a company statement.

The company did not address in its public statements the question of whether prior notification of the update was given to TCL owners or whether TV set owners were given the option to approve the update before it was installed.

Sick Codes, in a phone interview with The Security Ledger, said the company’s apparent ability to push and update code to its deployed sets without owner approval amounted to a back door that could give TCL access to audio and video streams from deployed sets, regardless of the wishes of owners.

“They can update the application and make authorization happen through that. They have full control,” he said.

Larson, the TCL spokesman, said the company has been doing business in the U.S. for 15 years and “is broadly regarded as a model citizen and good actor for our adherence to local laws and customs in the U.S. and throughout the world, and for our record of profound respect for intellectual property and privacy.”

All TCL televisions sold in North America rely on either the Roku or the Android operating system, he wrote. In both cases, the companies behind those operating systems (Roku and Google, respectively) “hold manufacturers to a very high standard in terms of security and privacy.”

The recent vulnerabilities discovered by Jackson and Sick Codes are an example: both were patched by the company, which “quickly took steps to disclose, investigate, thoroughly test, develop patches, and send updates to resolve the matter.”

“Updating devices and applications to enhance security is a regular occurrence in the technology industry, and this vulnerability has been corrected and is no longer an issue,” he said.

Still, such concerns clearly raised alarms within the Department of Homeland Security as well, which has already taken steps to ban technology from other Chinese firms from use on federal networks.

In his address on Monday, Acting Secretary Wolf said DHS was issuing a broader “business advisory” cautioning against using data services and equipment from firms linked to the People’s Republic of China (PRC).

This advisory will highlight “numerous examples of the PRC government leveraging PRC institutions like businesses, organizations, and citizens to covertly access and obtain the sensitive data of businesses to advance its economic and national security goals,” Wolf said.

“DHS flags instances where Chinese companies illicitly collect data on American consumers or steal intellectual property. CCP-aligned firms rake in tremendous profits as a result,” he said.

The statement is part of escalating tensions between Washington and Beijing. On Friday, Commerce Secretary Wilbur Ross announced export controls on 77 Chinese companies, including the country’s biggest chipmaker, SMIC, and drone maker DJI, that restrict those firms’ access to US technology. The order cites those firms’ alleged ties to China’s military.

Editor’s note: this story was updated to add reference to John Jackson, who helped discover the TCL vulnerabilities. – PFR 12/22/2020

Editor’s note: this story was updated to add comments from TCL spokesman Chris Larson. Also provided a link to the DHS business advisory – PFR 12/23/2020

15 Comments


  2. So if you have one of those TVs, can you just turn off wifi and safely use it as a dumb terminal, i.e. for use as a big computer monitor or with a Roku?

  3. For the first time my sister turned on mirroring on my TCL. Within 1 minute I received two very strange text messages sent by MMS. It was two guys checking to see if the other guy was able to get access to my cell phone. Pretty sure they were hackers. I saved the messages in case the FBI wants to catch them.


  5. Just Android based. Not the Roku based sets.

    • Exactly; Roku basically controls the software on Roku TVs from its U.S. facilities. I have yet to see ANY evidence of a Chinese government backdoor in Chinese electronics, and that includes Huawei; all I’ve seen is run-of-the-mill Android malware that doesn’t appear to involve state actors. This is just another case of unproven, unwarranted FUD from the U.S. government.

  6. Dear DHS, please listen to me when I beg you to please help in that lawsuit against Google. It’s so very important to cut out almost 100% of these issues by taking down Google for good! I’m telling you now that they are 1 of the, if not the, biggest player in all this, besides being in China. I know personally how abusive they can be both physically & mentally. They lie on privacy statements & in their terms n agreements they actually create private info about you. Use your audio & visual w/o you knowing. And they are known by millions for being the #1 internet stalker on the www. Keep our info safe, they say! Who keeps us safe from them? The FBI admitted themselves that Google has more information on “YOU” yes, “YOU” than they do! So China’s chip with Google in hand = TRUE WORLD DOMINATION!! NO JOKE! FORGET ABOUT WHO IS PRESIDENT! So please DHS, take this note to heart? Won’t you please? Take a guess at who was the first major search engine to go www? I know & they are everywhere, hands into everyone n thing. God Bless & MERRY CHRISTMAS!


  8. I believe the Roku version is compromised as well. Pretty sure they are using YouTube videos as the source for the drive-by download. If you watch enough of the exploited videos and pause any other video long enough for the screen saver to come on, when you try to start the video again it redirects you to what looks like some random app, but that is the exploit running and it needs you to click the cancel button to run. You will notice when trying to install any other app there is no cancel option during the install. That is all. Happy hunting…
