Our Cyberhood Watch partners Avast have discovered security flaws in two popular set-top boxes, typically used by customers to access Freeview services in the UK. The two boxes with these security flaws are:

  • THOMSON THT741FTA
  • Philips DTR3502BFTA

The flaws could allow cyber-criminals to store malware on the devices as a gateway to launch botnet, or ransomware attacks using the online weather forecast service on the device. Full details can be found in the press release below, but if you do have one of the above mentioned boxes, Avast recommends the following advice:

  1. If you don’t need to use your set-top box’s internet-based features, don’t connect it to your home network
  2. For more advanced users, log in to your router interface and check in the settings to see if Universal Plug and Play (UPnP) is enabled. If it is, we recommend you disable it. We also suggest checking your port forwarding configuration and disabling it unless it's absolutely necessary for your purposes 

Vulnerabilities in THOMSON and Philips DVB-T2 set-top boxes underline manufacturer negligence towards securing IoT devices
 

Security flaws discovered in popular set-top boxes from consumer electronics giants

London, United Kingdom / Redwood City, California, United States, August 25, 2020 - Researchers from Avast’s IoT Labs have discovered serious security flaws in two popular TV set-top boxes which could allow cybercriminals to store malware on the devices for the purposes of launching botnet attacks or ransomware using a weather forecast service. The boxes under the microscope are manufactured by consumer electronics companies Thomson and Philips. The THOMSON THT741FTA and Philips DTR3502BFTA are available throughout Europe and are frequently purchased by consumers with television sets that do not support DVB-T2, the most up-to-date digital signal for terrestrial television that provides access to additional high-definition (HD) TV services.

The investigation, led by IoT Lab Team Lead Vladislav Iluishin and IoT Threat Researcher Marko Zbirka, began in January this year and is part of an ongoing initiative by Avast to explore and test the security postures of IoT enabled devices. 

Early on in their analysis, Iliushin and Zbirka discovered that both internet-connected devices are shipped by their manufacturers with open telnet ports, a more than 50 year-old unencrypted protocol used for communicating with remote devices or servers. This could allow an attacker to gain remote access to the devices and recruit them in botnets to launch Distributed Denial of Service (DDoS) attacks or other malicious schemes. Iliushin and Zbirka were successful in executing the binary of the widespread Mirai botnet to both set-top boxes.

They also exposed an oversight linked to the set-top boxes’ architecture. Both devices rely on Linux Kernel 3.10.23, a privileged program installed on the boxes in 2016 which serves as a bridge between the devices’ hardware and software by allocating sufficient resources to the software to enable it to run. However, support for version 3.10.23 expired in November 2017, meaning patches for bugs and vulnerabilities were only issued for one year before they were discontinued, leaving users exposed to potential attacks thereafter.

Additional security issues affecting the devices included an unencrypted connection between the set-top boxes and a pre-installed legacy application of the popular weather forecasting service AccuWeather, a revelation discovered by analyzing the traffic between the set-top boxes and the router. The insecure connection between the boxes and the AccuWeather backend could allow a bad actor to modify the content users see on their TVs when using the weather application. For instance, an intruder could display a ransomware message claiming the user’s TV has been hijacked while demanding a payment to free the device.

“Manufacturers are not only responsible for ensuring safety standards are met before their products are made available for purchase, they are also responsible for securing them and therefore the security of their users,” said Iliushin. “Unfortunately, it’s rare for IoT manufacturers to assess how the threat surface of their products can be reduced. Instead, they rely on the bare minimum, or in extreme cases completely disregard IoT and customer security in order to save costs and push their products to market quicker.”

A full analysis of the discoveries have been published on Decoded, Avast’s dedicated Threat Intelligence blog. The article also includes best practice security advice for the manufacturers of these devices and for consumers. For owners of these set-top boxes, some top tips have been included below:

  1. If you don’t need to use your set-top box’s internet-based features, don’t connect it to your home network
  2. Do research. Always buy from established, credible brands that have a history of long-term device and security support
  3. For more advanced users, log in to your router interface and check in the settings to see if Universal Plug and Play (UPnP) is enabled. If it is, we recommend you disable it. We also suggest checking your port forwarding configuration and disabling it unless it's absolutely necessary for your purposes

As part of the investigation, Avast contacted both Philips and Thomson disclosing the findings along with suggestions on improvements to product security. More details, including visuals, timelines and CVEs, can be found in the link above.