Some Android TV smart TVs, set-top boxes, and streaming devices can detect the contents of your email inboxes, as well as other services associated with your Google Account, such as cloud storage. An attacker needs physical access to the device to do this. However, a current case shows how careless handling of Google accounts can lead to unwanted data leaks, even for products other than PCs or smartphones that are not primarily intended to process personal information. The security gap is likely to be a particular problem in the case of Android TVs in companies that are resold, given away, or improperly disposed of. Another scenario is devices that are more or less accessible, for example in waiting areas such as those in a doctor's office.
advertisement
YouTube Cameron Gray I noticed the possibility of an attack in principle a few months ago when configuring an Android TV. Google only acknowledged the problem now after politicians and the media got involved. “You should never sign in to an Android TV device with a Google Account that contains sensitive data,” Gray warns in the video. Aside from using typical and desirable TV features like YouTube, cybercriminals can “access basically anything through your Google account, and this includes emails through Gmail, files through Google Drive, or even services you join from While you're signed in to a Google external service.
Chrome is coming to Android TV via a detour
The exploit relies on logging into your Android's Google account. In principle, this allows users to automatically log in to their applications without having to enter login data each time. With Android TV, Google intentionally left out the Chrome browser in order to limit account functionality to live streaming and social media activities as much as possible. But there are solutions. Gray first installed the “TV Bro” browser on his set-top box with Android TV, then used it to download Chrome from an APK download archive that specializes in Android software. When he started Chrome, he noticed that he wasn't prompted for his Google account password. Instead, the browser used existing login information for the Android operating system itself, which Gray had initially entered while setting up the device. This means that all applications associated with Chrome were open.
The demonstration brought, among others, US Senator Ron Wyden of the Democrats to the scene. “My office is in the midst of a review of the privacy practices of broadcast TV technology providers,” the politician said. To the electronic magazine 404 media. The team also became aware of a “disturbing video” about unsupervised access to an Android TV device. Google initially told Wyden's staff that it was expected behavior. It was only when 404 Media reporters asked the company that this became clearer. “Most Google TV devices running the latest software versions no longer allow this behavior,” the company said. They are also in the process of “providing a solution for the remaining devices.” It is not clear from the report which versions of Android TV are included and which versions can no longer be patched.
(never)
“Subtly charming coffee scholar. General zombie junkie. Introvert. Alcohol nerd. Travel lover. Twitter specialist. Freelance student.”
More Stories
Ryvid Outset – Scrambler style electric model
Researchers simulate a black hole for NASA
Researchers have discovered the atmosphere around rocky exoplanets for the first time