Security researchers find worrying issues affecting versions of TCL smart TVs running Android operating systems. The problem does not affect Roku-based TCL TVs.
Android-based TCL smart TVs have a security problem, according to two security researchers.
A three-month investigation by security researcher “Sick Codes” and Shutterstock application security engineer John Jackson found that it’s possible to access a TCL smart TV’s file system over Wi-Fi via an undocumented TCP/IP port, and then collect, delete, or overwrite files without any password or other authentication.
One TCL TV app, known as Terminal Manager Remote, is a “Chinese backdoor,” Sick Codes alleged in an interview with Tom’s Guide, though he doesn’t know if it’s sending or receiving info. Sick Codes and Jackson provided the site with a URL that granted its writer access to a TCL smart TV in Zambia; the writer was able to browse the TV’s directories until, presumably, the user turned off the unit.
The researchers tried to alert TCL to their findings, but received no reply. A TCL support employee told Sick Codes she had “no contact info [for] the Security team, and didn’t even think/know if TCL had a Security team.” They also contacted the US Computer Emergency Response Team (US-CERT), which took some time to reply but ultimately told the pair to disclose the flaw if they were receiving no response from TCL.
Eventually the problem was fixed on Sick Codes’ TV with a “silent patch.” TCL “basically logged in to my TV and closed the port,” he told The Security Ledger. This patch did not apply to every TCL model, however, and as Sick Codes states, this “backdoor” means the company may as well have full access to consumer models.
TCL has not yet publicly commented on the problem.