News: 0173648364


Android TVs Can Expose User Email Inboxes (404media.co)

(Friday April 26, 2024 @05:20PM (msmash) from the edge-case dept.)


Some Android-powered TVs can expose the contents of users' email inboxes if an attacker has physical access to the TV. Google initially told the office of Senator Ron Wyden that the issue, which is a quirk of how software is installed on these TVs, was expected behavior, but after being contacted by 404 Media, Google now says [1]it is addressing the issue. From the report:

> The attack is an edge case but one that still highlights how the use of Google accounts, even on products that aren't necessarily designed for browsing user data, can expose information in unusual ways, including TVs in businesses or ones that have been resold or given away.

>

> "My office is mid-way through a review of the privacy practices of streaming TV technology providers. As part of that inquiry, my staff discovered [2]an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set top box, a criminal could get access to private emails of the Gmail user who set up the TV," Senator Ron Wyden told 404 Media in a statement.



[1] https://www.404media.co/android-tvs-can-expose-user-email-inboxes/

[2] https://www.youtube.com/watch?v=QiyBXXO8QpA



Separate components (Score:4, Interesting)

by TWX ( 665546 )

I've always believed in using separate components for my home entertainment system to the greatest extent possible, and while not specifically for this particular scenario I still maintain that it makes sense to keep the system modular.

If nothing else, it means that if one part of the modular system becomes obsolete, only that module has to be replaced. And with the heightened pace of obsolescence of cloud-connected personal electronics these days it even makes sense from an e-waste perspective. It's a lot less wasteful to dispose of something the size of a Roku box or a Fire TV stick than to dispose of a whole TV. Plus it means from a security point of view that if one does need to protect one's accounts, even physically destroying the small object is a lot less wasteful or polluting.

Re:Separate components (Score:5, Interesting)

by MobileTatsu-NJG ( 946591 )

> I've always believed in using separate components for my home entertainment system to the greatest extent possible, and while not specifically for this particular scenario I still maintain that it makes sense to keep the system modular.

I agree with you. I'd add that 'bundling' in general is a bad idea. For example- A company like Spectrum (formerly Time Warner Cable) would offer you both cable AND internet, and offer a discount for using them both. The problem with that? If your TV service suffers (like ... too many ads, for example) then you're compelled to try to weather it because you won't give up your internet and suddenly that discount is a BFD. My stress level went down a LOT when I split up my TV and internet services, cell services as well.

That said, that's not really the big issue here. Google is sucking up all your data. That is their goal as a corporation. Everything of theirs that you log into is more surface area for a potentially-damaging attack. Did I mention they trust zillions of third parties?

Re: (Score:2)

by TWX ( 665546 )

Heh. I was in the cablemodem pilot neighborhood in the mid-nineties, and somehow managed to convince Dad to sign up for it. A few months later COX called trying to upsell, they got down as low as something like $1.50 more per month for cable TV on top of our Internet service and he still said no.

It was probably a good thing really, we already watched too much TV and that would have only compounded the problem, but I couldn't help but be amazed at how cheap he was being at that particular moment.

Do not use (Score:5, Insightful)

by Kamineko ( 851857 )

DO NOT USE THE SAME ACCOUNT FOR EVERYTHING.

Don't use the same account for youtube and email. Don't use the same account for email and gaming. Don't use the same account for gaming and business. Don't use the same account for business and television.

Wait. Why on earth are you using an account for television.

Re: (Score:3)

by andydread ( 758754 )

at this point just don't use anything. why bother.

Re: (Score:3)

by MDMurphy ( 208495 )

Exactly. I created a -video account specifically for TV-related things. Besides not giving my entertainment devices free rein to mess with internal network resources, I don't tell my TV or set-top box the address and password needed for access to my personal email.

Re: (Score:2)

by gweihir ( 88907 )

Yes. To all of that. But people are lazy and most people are not IT security experts and usually not even IT experts. They do not realize what risks they are exposing themselves to.

If your TV needs your email address (Score:2)

by Baron_Yam ( 643147 )

...get a different television.

It has one job - take signals and turn them into images and sound. Maybe not even sound if you have an audio system.

Re: (Score:2)

by Darinbob ( 1142669 )

It's also combined with the Android part in order to stream content. Which certainly means third party content, but also it will heavily push its own Google content/store. Which is why it's better, though getting more difficult, to keep the streaming device independent of the TV.

Another option. (Score:3)

by Major_Disorder ( 5019363 )

I have an Android TV. It was cheap. I connected to a wired network when I set it up, and unplugged it as soon as it completed the initial setup, and downloaded software updates. It has not been connected to the internet since. About once a month the Android instance reboots, and it pops up a warning on the screen about no configured internet, but that is all. Warning lasts about 30 seconds.

It is getting really difficult to find a non "Smart" TV these days, so this approach has saved me real money. My TV has a fire stick, and my gaming computer connected to it, so I really only use 2 HDMI inputs.

Physical not Internet Access (Score:2)

by Roger W Moore ( 538166 )

> It has not been connected to the internet since.

The summary only mentions vulnerability to physical access so disconnecting it is not enough - did you wipe any account information as well? Generally it is much harder to protect something when you have physical access to it and I suspect most Android devices would fail under those conditions. However, by the time someone else has physical access to your TV they are in your home and have access to a lot of sensitive information.

Re: (Score:2)

by Major_Disorder ( 5019363 )

>> It has not been connected to the internet since.

> The summary only mentions vulnerability to physical access so disconnecting it is not enough - did you wipe any account information as well? Generally it is much harder to protect something when you have physical access to it and I suspect most Android devices would fail under those conditions. However, by the time someone else has physical access to your TV they are in your home and have access to a lot of sensitive information.

I used a junk gmail account that I keep around for such things. Has nothing to connect it to my "real" accounts.

Re: (Score:2)

by swillden ( 191260 )

You wasted money on the Fire stick (granted, not much), since the TV can do everything it can, and more. Okay, it looks like it can maybe do a little bit too *much* more (Gmail access), but it sounds like that was an oversight that is being fixed.

Re: (Score:2)

by Major_Disorder ( 5019363 )

> You wasted money on the Fire stick (granted, not much), since the TV can do everything it can, and more. Okay, it looks like it can maybe do a little bit too *much* more (Gmail access), but it sounds like that was an oversight that is being fixed.

I was able to put SmartTube on the fire stick, and watch YouTube without ads. That makes the Firestick well worth the money.

Also I kind of trust Amazon. Kind of. I certainly trust them more than I trust some cheap TV manufacturer. I don't recall which version of Android was on the TV when I bought it, but I doubt it was current, and I really doubt there have been any updates since. (I have had it about 2 years.)

Why would I give my TV access? (Score:2)

by gweihir ( 88907 )

I mean it is a TV. It should decidedly not be within my main security perimeter and it should decidedly not have my passwords.

Sounds like a big risk. (Score:2)

by Jason1729 ( 561790 )

My Android tv has never been connected to the internet or logged in to anything and I don't have any form of Google account. I wonder how seriously I should take this risk.

I will still never buy another Android TV because of the "finish setting up Google" nag messages that pop up over my content.

Google's Worst Explanation (Score:2)

by omnichad ( 1198475 )

> which is a quirk of how software is installed on these TVs

In other words, when you log into your Google Account on the TV, it gives an unrestricted login token to the TV. Instead of having a scope that makes sense for the fact that TVs don't fit in your pocket. If you manage to sideload Google Chrome, I'm sure Google wants to automatically sign you in using that token before even opening a web page, and then you already have a login session to use for email.

It's a feature (Score:2)

by Yo,dog! ( 1819436 )

Not a bug
