Most Android-Based TV Set-Top Boxes Run Old and Insecure OS Versions


MalwareTips Staff
Jul 22, 2014
Android-based TV set-top boxes sold online are most likely running outdated operating systems that have not received security updates for at least a year, according to research published today by US cyber-security firm Tripwire.

The experiment consisted of Tripwire's Vulnerability and Exposure Research Team (VERT) researchers buying and testing ten Android-based TV set-top boxes.

"In accordance with Tripwire’s responsible disclosure process, we are not yet naming specific vendors," Craig Young, senior security researcher at Tripwire and the one who led the experiment, told Bleeping Computer via email.

"I will say though that I see several of the tested devices on the first page of results when I search for 'Android TV box' on Amazon US, Amazon UK, and eBay," he added.

Devices run old OS versions, don't receive updates
The Tripwire VERT team says that all of the devices they tested were running very old and insecure versions of Android.

Further, Young says that the most recent Android monthly security update on any system was almost a year old.

For all devices, updates had to come from the Android TV set-top box vendor, not directly from Google, similar to how most Android phone owners are trapped into using devices running antiquated Android OS versions because mobile carriers fail to deliver upgrades and security patches.

Another big security lapse the researchers noted was the fact that all devices came configured by default to allow the installation of Android apps from untrusted sources, the primary means through which most Android-based devices get infected with malware, especially smartphones.

Researchers carry out Weeping Angel-type hack


Jul 14, 2014
Many prominent people like Bruce Schneier, who testified in Congress, have been warning about IoT security and more. It's not that the powers that be don't know, but it's taking too long. One government agency even has/had a contest with a substantial reward for someone to come up with the best solution to this problem. But they excluded researchers who work for security companies. It's only open to independent researchers or, really, anyone else. Here is the notice of the winner of the contest.
FTC Announces Winner of its Internet of Things Home Device Security Contest

I've not read it yet, but will later.