Amazon and other online resellers are selling TV set-top box infected by malware. Electronic Frontier Foundation Wants the Federal Trade Commission (FTC) to stop it.
In a Tuesday letter to the FTC, the EFF stated that “recent reports have revealed that various Android TV set-top box models and mobile devices being sold by resellers Amazon AliExpress and smaller vendors may contain malware before point of sale.”
The letter went on to say that malware was also found in devices made by Chinese manufacturers AllWinner RockChip. “We call on the FTC to use its power…to sanction resellers of devices widely known to include harmful malware.”
The EFF revealed in May that several set-top box models — AllWinner T95, AllWinner T95Max, RockChip X12-Plus, and RockChip X88-Pro-10 — were infected out of the box with malware from the BrianLian family. Bill Buddington, EFF Senior Technologist and Staff Member, stated that Amazon and others sold these devices despite widespread reports of malware.
“We wanted the resellers to remove the devices, and ensure that their customers are protected,” said he in a TechNewsWorld interview. “Unfortunately, this is not what we observed, and we felt it was important to raise the issue with regulatory bodies.”
Julianna Gruenwald Henderson from the FTC said that they had no comments to make about the letter.
Adam Montgomery, a spokesperson for Amazon, told TechNewsWorld that security was of the highest importance. We’re working to learn more, and we will take the appropriate action if required.
Malware-Infected boxes: A gateway to click-fraud
The EFF explained in its letter that, once the devices have been powered up and connected to the Internet, they immediately begin communicating with the botnet command servers. From there, devices are connected to a click-fraud network. All of this occurs in the background, without the knowledge of the purchaser.
The EFF said: “We believe that resellers are partly responsible for this broad attack. They also failed to provide a reliable method for researchers and researchers to alert them to these issues.”
It noted that security researcher Daniel Milisic, who deeply researched and published his findings on the malware infecting the devices, mentioned finding it difficult — if not impossible — to reach out to Amazon and report the issue.
EFF has also contacted Amazon and the products are still on sale.
In the letter, it said that “it would be impossible for resellers and distributors to perform comprehensive security assessments on each device they sell.” They should remove these devices once it is confirmed they contain harmful malware.
Consumers not aware of Malware: Legal Exposure
The EFF warned consumers who have infected devices that they could be subject to legal consequences.
The letter explained that “these devices place buyers at risk, not only because they participate in click fraud but also because they allow malware makers or those to whom they sell access to use the internet connections of the buyers as proxy servers.”
This means that any illegal acts performed using the proxy will appear as if they originated from the buyers internet connection. They could be exposed to significant legal risks,” it added. This can cause real harm to purchasers of these devices. It is an unacceptable risk that must be addressed.
The EFF asked the FTC to punish sellers of these devices for “clear deceptive conduct”: they are advertised without disclosing the harms that they cause.
The FTC was also asked to use its regulatory powers to make it easier to report compromised devices, either directly to device vendors or the commission. This would allow the commission to inform the vendor of the problem and take remedial measures.
The threat of compromised consumer devices
Gavin Reid, CISO at Human SecurityInternational cybersecurity company, which discovered the Badbox network of click-fraud used by malware on poisoned Set-Top Boxes.
TechNewsWorld reported that “Threat actors could insert themselves into supply chains and send infected gadgets to trusted ecommerce platforms or retailers, which may end up in users’ hands.”
“Cybercriminals and fraudsters are well attuned to consumer trends, and in the case of Badbox, were able to exploit consumers who bought off-brand Android devices — devices that were not Android TV OS devices or Play Protect certified,” he said.
He added: “Consumers have been duped into becoming a middleman, hosting cybercrime out of their own home or organization network.” “They are unwittingly enabling actions that appear to come directly from themselves.”
Steve Povolny is the director of security at ExabeamA global threat detection and investigation company with headquarters in Foster City, Calif.
TechNewsWorld reported that traditional vulnerabilities can be easily fixed through configuration updates, patching or network restrictions.
“With supply chain attacks,” he added, “eliminating this issue can be more difficult, requiring in extreme situations, the recalling of devices or even redesigning software or hardware.”
Stick to known brands
Jeannie W. Warner, Exabeam’s Director of Marketing Product, stated that “the ugly truth is any software or Firmware update can create the possibility for an attack.” Solarigate The core download site could be hacked, and the binary files altered.
She told TechNewsWorld that “for the end-user,” both Google Play and Apple Store had scans in place to protect the software distributed on their websites. Truthfully, any OS, system, or software can be corrupted.
“It will be a continuing game of cat and mice between adversaries and security teams,” she said.
Reid suggested that the best protection against attacks for consumers is to buy products from familiar brands.
“While bigger brands can be targeted by cybercriminals to exploit their devices, these brands also have a vested interested in protecting their devices even after they’ve been purchased and are quick to work on solutions to address any vulnerabilities,” he stated.
He continued, “Off-brand products, on the contrary, may lack the resources to address security flaws or make it difficult to track back to the manufacturer.”
He added that consumers with Android devices must also verify if the device has been Play Protect certified. They might not be safe and have malicious apps.