TV set-top boxes infected with malware are being sold online at Amazon and other resellers, and the Electronic Frontier Foundation wants the Federal Trade Commission to put a stop to it.
“Recent reports have revealed various models of Android TV set-top boxes and mobile devices that are being sold by resellers Amazon, AliExpress, and other smaller vendors to include malware before the point of sale,” the EFF wrote Tuesday in a letter to the FTC.
“These include malware included in devices by Chinese manufacturers AllWinner and RockChip,” the letter continued. “We call on the FTC to use its power…to sanction resellers of devices widely known to include harmful malware.”
The EFF revealed in May that several set-top box models — AllWinner T95, AllWinner T95Max, RockChip X12-Plus, and RockChip X88-Pro-10 — were infected out of the box with malware from the BrianLian family. “These devices were widely reported to contain malware, and Amazon and others still made them available,” said EFF Senior Staff Technologist Bill Budington.
“We wanted to see the resellers take the devices down and make sure their customers are protected,” he told TechNewsWorld. “Unfortunately, that’s not what we saw, and we thought it was time to bring this up to regulatory parties.”
FTC spokesperson Julianna Gruenwald Henderson said the agency had no comment on the letter.
“Security is of the utmost importance to Amazon,” spokesperson Adam Montgomery told TechNewsWorld. “We are working to learn more about these findings and will take appropriate action if needed.”
Malware-Infected Boxes: Gateway to Click-Fraud
In its letter, the EFF explained that the devices, when first powered on and connected to the internet, will immediately begin communicating with botnet command and control servers. From there, the devices connect to a vast click-fraud network. All this happens in the background of the device, without the buyer’s knowledge.
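As a defender-side illustration of the behaviour the letter describes (a box that phones home the moment it joins the network and then relays other people's traffic), here is an added Python example that is not from the EFF, Human Security or this article; it scans a constructed router connection log and flags devices showing both patterns. The log format, thresholds and addresses are assumptions.

```python
"""Flag LAN devices that behave like the pre-infected set-top boxes:
immediate outbound beaconing after first joining, plus inbound sessions
that are each answered by a fresh outbound connection (residential-proxy
pattern). Sample data below is constructed; field layout is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed router connection log: (timestamp, mac, direction, remote, remote_port)
SAMPLE_LOG = [
    ("2023-10-10 18:00:05", "aa:bb:cc:00:00:01", "out", "203.0.113.10", 443),  # new box
    ("2023-10-10 18:00:09", "aa:bb:cc:00:00:01", "out", "203.0.113.10", 443),
    ("2023-10-10 18:00:40", "aa:bb:cc:00:00:01", "in",  "198.51.100.7", 51234),
    ("2023-10-10 18:00:41", "aa:bb:cc:00:00:01", "out", "192.0.2.55", 80),
    ("2023-10-10 18:00:44", "aa:bb:cc:00:00:01", "in",  "198.51.100.8", 51240),
    ("2023-10-10 18:00:45", "aa:bb:cc:00:00:01", "out", "192.0.2.56", 80),
    ("2023-10-10 18:00:10", "aa:bb:cc:00:00:02", "out", "192.0.2.99", 443),  # laptop
    ("2023-10-10 18:40:00", "aa:bb:cc:00:00:02", "out", "192.0.2.99", 443),
]

def _by_device(log):
    """Group rows per device and sort them chronologically."""
    devices = defaultdict(list)
    for ts, mac, direction, remote, port in log:
        devices[mac].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), direction, remote, port))
    for rows in devices.values():
        rows.sort()
    return devices

def assess(log, beacon_window=60, beacon_min=2, relay_gap=5, relay_min=2):
    """Return {mac: [reasons]} for devices matching either suspicious pattern."""
    findings = {}
    for mac, rows in _by_device(log).items():
        reasons, first_seen = [], rows[0][0]
        # Pattern 1: repeated outbound contact to one host right after first joining.
        early = defaultdict(int)
        for ts, direction, remote, _ in rows:
            if direction == "out" and ts - first_seen <= timedelta(seconds=beacon_window):
                early[remote] += 1
        beacons = [r for r, n in early.items() if n >= beacon_min]
        if beacons:
            reasons.append(f"contacted {beacons[0]} {early[beacons[0]]}x within {beacon_window}s of joining")
        # Pattern 2: inbound session followed within relay_gap by outbound to another host.
        relays = 0
        for i, (ts, direction, remote, _) in enumerate(rows):
            if direction != "in":
                continue
            for ts2, d2, r2, _ in rows[i + 1:]:
                if ts2 - ts > timedelta(seconds=relay_gap):
                    break
                if d2 == "out" and r2 != remote:
                    relays += 1
                    break
        if relays >= relay_min:
            reasons.append(f"{relays} inbound sessions each answered by a new outbound connection (proxy-like)")
        if reasons:
            findings[mac] = reasons
    return findings
```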
“We believe the resellers of these devices bear some responsibility for the broad scope of this attack and for failing to create a reliable pathway for researchers to notify them of these issues,” the EFF wrote.
It noted that security researcher Daniel Milisic, who deeply researched and published his findings on the malware infecting the devices, mentioned finding it difficult — if not impossible — to reach out to Amazon and report the issue.
It added that EFF also reached out to Amazon, yet the products are still available.
“While it would be impractical for resellers to run comprehensive security audits on every device they make available,” the letter said, “they should pull these devices from the market once they are revealed and confirmed to include harmful malware.”
Legal Exposure for Consumers Unaware of Malware
The EFF warned that consumers with the infected devices could face legal perils.
“These devices put buyers at risk not only by the click-fraud they routinely take part in, but also the fact that they facilitate using the buyers’ internet connections as proxies for the malware manufacturers or those they sell access to,” the letter explained.
“This means that any nefarious deeds done using this proxy will look as though they were originating from the buyers’ internet connection, possibly exposing them to significant legal risk,” it continued. “This can result in real harm to buyers of these devices, presenting an unacceptable risk which must be addressed.”
The EFF called on the FTC to sanction sellers of the devices because they present “a clear instance of deceptive conduct: the devices are advertised without disclosure of the harms they present.”
It also urged the FTC to use its regulatory power to make it easier for customers to report compromised devices either directly to the device vendors or to the commission itself, which can then inform the vendor and ensure it takes remedial action.
Rising Threat of Compromised Consumer Devices
Attacks on the consumer supply chain are a highly concerning threat, noted Gavin Reid, CISO of Human Security, the international cybersecurity company that discovered the Badbox click-fraud network used by the malware on the poisoned set-top boxes.
“Threat actors can insert themselves into the supply chain and send infected devices to trusted e-commerce platforms and retailers that can end up in the hands of unsuspecting users,” he told TechNewsWorld.
“Cybercriminals and fraudsters are well attuned to consumer trends, and in the case of Badbox, were able to exploit consumers who bought off-brand Android devices — devices that were not Android TV OS devices or Play Protect certified,” he said.
“Consumers are being duped into being a middleman and hosting cybercrime attacks out of their home or organizational network,” he added. “They are unwillingly enabling activities that look like they come directly from them.”
While true supply-chain attacks on consumer devices are rare relative to the number of general attacks against consumer-based devices, they can be devastating, observed Steve Povolny, director of security research at Exabeam, a global threat detection, investigation, and response company headquartered in Foster City, Calif.
“Traditional vulnerabilities are generally relatively straightforward to fix through patching, configuration updates, or network restrictions,” he told TechNewsWorld.
“With supply-chain attacks,” he continued, “eliminating the issue can be a much more difficult challenge, requiring, in extreme cases, recalling devices or even redesigning hardware or firmware.”
Stick to Known Brands
Exabeam Director of Product Marketing Jeannie Warner declared, “The ugly truth is that any software or firmware update creates the possibility of a Solarigate issue, where the core download site can be hacked and the binaries altered.”
“For the end user,” she told TechNewsWorld, “both Google Play and Apple Store have scans to try and protect the software being distributed on their sites. The truth is, any OS or system can be corrupted, any check bypassed.”
“It’s a constant game of cat and mouse played by adversaries versus security teams, and the game will continue,” she added.
Reid advised that the best way for consumers to insulate themselves from attacks is to buy devices from familiar and recognizable brands.
“While larger brands do get targeted and can be exploited by cybercriminals, these brands have a vested interest to secure their devices long after they are purchased and work quickly to find solutions to address any security vulnerabilities,” he said.
“Off-brand devices, on the other hand, may not have the resources to update security vulnerabilities or be difficult to trace back to a manufacturer,” he continued.
“Consumers with Android devices should also check if their device is Play Protect-certified,” he added. “Otherwise, they might not be secure and may have fraudulent apps.”