According to two security researchers, Android-based TCL smart TVs have a security problem.
A three-month investigation from security researcher “Sick Codes” and Shutterstock application security engineer John Jackson revealed that it is possible to use a TCL smart TV file system over Wi-Fi via an uncompressed TCP / IP port, and Then collect, delete, or overwrite files without requiring any type of password or security clearance. The problem does not affect Roko-based TCL TV.
A TCL TV app, known as Terminal Manager Remote, is a “Chinese backdoor”, which is allegedly sick code in an interview with Tom’s guide, though he does not know whether it is sending information or Is receiving Sick Code and Jackson provided the site with a URL that gave the author access to a TCL Smart TV in Zambia, where they were able to browse the TV’s directories, presumably, the user turned the unit off.
Researchers tried to alert TCL to their findings, but received no response. A TCL support worker told the sick code that it had no contact information [for] Security team, and did not even know if TCL had a security team. “They also contacted the US Computer Emergency Response Team (US-CERT), which took some time to respond but eventually asked the pair to disclose the defect. If they were not getting any response from TCL.
Eventually the problem was fixed on Sick Codes’ TV with “silent patch”. TCL “basically logged into my TV and switched off the port,” he told Security Ledger. However, this patch did not apply to every TCL model, and as the sick code states, this “backdoor” means that the company may have full access to the consumer model.
TCL has not yet publicly commented on the problem.