Android TVs Can Expose User Email Inboxes (404media.co) 29
Some Android-powered TVs can expose the contents of users' email inboxes if an attacker has physical access to the TV. Google initially told the office of Senator Ron Wyden that the issue, which is a quirk of how software is installed on these TVs, was expected behavior, but after being contacted by 404 Media, Google now says it is addressing the issue. From the report: The attack is an edge case but one that still highlights how the use of Google accounts, even on products that aren't necessarily designed for browsing user data, can expose information in unusual ways, including TVs in businesses or ones that have been resold or given away.
"My office is mid-way through a review of the privacy practices of streaming TV technology providers. As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set top box, a criminal could get access to private emails of the Gmail user who set up the TV," Senator Ron Wyden told 404 Media in a statement.
"My office is mid-way through a review of the privacy practices of streaming TV technology providers. As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set top box, a criminal could get access to private emails of the Gmail user who set up the TV," Senator Ron Wyden told 404 Media in a statement.
Separate components (Score:4, Interesting)
I've always believed in using separate components for my home entertainment system to the greatest extent possible, and while not specifically for this particular scenario I still maintain that it makes sense to keep the system modular.
If nothing else, it means that if one part of the modular system becomes obsolete, only that module has to be replaced. And with the heightened pace of obsolescence of cloud-connected personal electronics these days it even makes sense from an e-waste perspective. It's a lot less wasteful to dispose of something the size of a Roku box or a Fire TV stick than to dispose of a whole TV. Plus it means from a security point of view that if one does need to protect one's accounts, even physically destroying the small object is a lot less wasteful or polluting.
Re:Separate components (Score:5, Interesting)
I've always believed in using separate components for my home entertainment system to the greatest extent possible, and while not specifically for this particular scenario I still maintain that it makes sense to keep the system modular.
I agree with you. I'd add that 'bundling' in general is a bad idea. For example- A company like Spectrum (formerly Time Warner Cable) would offer you both cable AND internet, and offer a discount for using them both. The problem with that? If your TV service suffers (like ... too many ads, for example) then you're compelled to try to weather it because you won't give up your internet and suddenly that discount is a BFD. My stress level went down a LOT when I split up my TV and internet services, cell services as well.
That said, that's not really the big issue here. Google is sucking up all your data. That is their goal as a corporation. Everything of theirs that you log into is more surface area for a potentially-damaging attack. Did I mention they trust zillions of third parties?
Re: (Score:2)
Heh. I was in the cablemodem pilot neighborhood in the mid-nineties, and somehow managed to convince Dad to sign up for it. A few months later COX called trying to upsell, they got down as low as something like $1.50 more per month for cable TV on top of our Internet service and he still said no.
It was probably a good thing really, we already watched too much TV and that would have only compounded the problem, but I couldn't help but be amazed at how cheap he was being at that particular moment.
Do not use (Score:5, Insightful)
DO NOT USE THE SAME ACCOUNT FOR EVERYTHING.
Don't use the same account for youtube and email. Don't use the same account for email and gaming. Don't use the same account for gaming and business. Don't use the same account for business and television.
Wait. Why on earth are you using an account for television.
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
Yes. To all of that. But people are lazy and most people are not IT security experts and usually not even IT experts. They do not realize what risks they are exposing themselves to.
Re: (Score:2)
> Wait. Why on earth are you using an account for television.
So you can watch your YouTube videos on your TV?
Re: (Score:2)
You don't need an account to watch random public YouTube videos.
Re: (Score:2)
Try telling that to an Apple user
If your TV needs your email address (Score:2)
...get a different television.
It has one job - take signals and turn them into images and sound. Maybe not even sound if you have an audio system.
Re: (Score:2)
It's also combined with the Android part in order to stream content. Which certainly means third party content, but also it will heavily push it's own Google content/store. Which is why it's better, thought getting more difficult, to keep the streaming device independent of the TV.
Another option. (Score:3)
It is getting really difficult to find a non "Smart" TV these days. so this approach has saved me real money. My TV has a fire stick, and my gaming computer connected to it, so I really only use 2 HDMI inputs.
Physical not Internet Access (Score:2)
It has not been connected to the internet since.
The summary only mentions vulnerability to physical access so disconnecting it is not enough - did you wipe any account information as well? Generally it is much harder to protect something when you have physical access to it and I suspect most Android devices would fail under those conditions. However, by the time someone else has physical access to your TV they are in your home and have access to a lot of sensitive information.
Re: (Score:2)
It has not been connected to the internet since.
The summary only mentions vulnerability to physical access so disconnecting it is not enough - did you wipe any account information as well? Generally it is much harder to protect something when you have physical access to it and I suspect most Android devices would fail under those conditions. However, by the time someone else has physical access to your TV they are in your home and have access to a lot of sensitive information.
I used a junk gmail account that I keep around for such things. Has nothing to connect it to my "real" accounts.
Re: (Score:2)
Whenever I have to do anything with Google, I create a fresh junk gmail account and forget about it shortly thereafter.
If I have to remember gmail credentials to use something... I find another option that doesn't have that restriction.
Re: (Score:2)
You wasted money on the Fire stick (granted, not much), since the TV can do everything it can, and more. Okay, it looks like it can maybe do a little bit too *much* more (Gmail access), but it sounds like that was an oversight that is being fixed.
Re: (Score:2)
You wasted money on the Fire stick (granted, not much), since the TV can do everything it can, and more. Okay, it looks like it can maybe do a little bit too *much* more (Gmail access), but it sounds like that was an oversight that is being fixed.
I was able to put SmartTube on the fire stick, and watch YouTube without ads. That makes the Firestick well worth the money.
Also I kind of trust Amazon. Kindof. I certainly trust them more than I trust some cheap TV manufacturer. I don't recall which version of Android was on the TV when I bought it, but I doubt it was current, and I really doubt that have been any updates since. (I have had it about 2 years.)
Re: (Score:2)
Have you tried simply not agreeing to the EULAs? Hit decline and the usually disable all the smart features. If not, return the TV as instructed by the EULA and find a better brand.
Re: (Score:2)
Have you tried simply not agreeing to the EULAs? Hit decline and the usually disable all the smart features. If not, return the TV as instructed by the EULA and find a better brand.
I think the issue is, some models don't work until you agree to the EULAs and I've even heard some refuse to work until you connect them to the internet.
I may be moving soon and might need a TV at the end of it, so trying to find a decent 4K TV that isn't a smart TV is like searching for rocking horse poo.
Re: (Score:2)
That's why I tend to buy stuff like that over the internet. In the UK the Distance Selling Regulations apply, so it's generally a lot easier to return stuff if e.g. the EULA is unacceptable.
Why would I give my TV access? (Score:2)
I mean it is a TV. It should decidedly not be within my main security perimeter and it should decidedly not have my passwords.
Sounds like a big risk. (Score:2)
I will still never buy another Android TV because of the âoefinish setting up Googleâ nag messages that pop up over my content.
Google's Worst Explanation (Score:2)
which is a quirk of how software is installed on these TVs
In other words, when you log into your Google Account on the TV, it gives an unrestricted login token to the TV. Instead of having a scope that makes sense for the fact that TVs don't fit in your pocket. If you manage to sideload Google Chrome, I'm sure Google wants to automatically sign you in using that token before even opening a web page, and then you already have a login session to use for email.
It's a feature (Score:2)
Expected Behavior?!? (Score:2)
WTF, Google???
Expected? By who? Certainly not the User. . .
Oh, I know: It's plainly stated on Page 10.3 ^ 22 of the EULA, right?