Data leak: Android TV can expose users' emails and files

Gmail mailboxes and cloud storage can be spied on via smart TVs running Android. Physical access to the device is required, but the issue is still problematic.

Security padlock in front of Google lettering

(Image: Alberto Garcia Guillen/Shutterstock.com)

This article was originally published in German and has been automatically translated.

Some smart TVs, set-top boxes and streaming sticks with the Android TV operating system can reveal the content of email inboxes and other services linked to a Google account, such as cloud storage. An attacker needs physical access to the device to do this. Nevertheless, a recent case shows how careless handling of Google accounts can lead to unwanted data leaks, even on products other than PCs or smartphones that are not primarily designed to process personal information. The security gap could be particularly problematic for company-owned Android TVs that are resold, given away or disposed of improperly. Another scenario is devices that are more or less publicly accessible, for example in waiting areas such as a doctor's surgery.

YouTuber Cameron Gray noticed the possibility of an attack a few months ago when configuring an Android TV. However, Google has only now acknowledged the problem after politicians and the media became involved. Gray warns in the video that "you should never log in with a Google account to an Android TV device that contains sensitive data". Far beyond using typical and desired TV functions such as YouTube, cybercriminals could "essentially access anything through your Google account, and that includes emails through Gmail, files through Google Drive, or even services where you've signed in to an external service through Google".

The exploit relies on Android's Google account login. In principle, this allows users to log in to their apps automatically without having to enter login data each time. With Android TV, Google has deliberately left out the Chrome browser in order to limit the account functions to streaming and social media activities as far as possible. However, there are workarounds. Gray first installed the "TV Bro" browser on his set-top box with Android TV and then used it to download Chrome from APKPure, a download archive specializing in Android software. When he started Chrome, he noticed that he was not prompted to enter the password for his Google account. Instead, the browser used the existing login of the Android operating system itself, which Gray had initially entered when setting up the device. This opened up all applications linked to Chrome.
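For anyone preparing such a device for resale or disposal, the condition described above (a Google login at operating-system level plus sideloaded apps) can be checked over adb. The script below is an added example, not part of the original article or of Gray's video; the sample outputs and the package names `com.example.streaming` and `org.example.tvbrowser` are constructed, and the `dumpsys account` line format is an assumption that may differ between Android versions.

```shell
#!/bin/sh
# Added example: pre-disposal audit of an Android TV device over adb.
PLAY_STORE="com.android.vending"

# stdin: output of `pm list packages -3 -i` (third-party packages + installer).
# Prints packages not installed by the Play Store, i.e. sideloaded ones.
sideloaded_packages() {
    tr -d '\r' |
    sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p' |
    while read -r pkg installer; do
        [ "$installer" = "$PLAY_STORE" ] || printf '%s\n' "$pkg"
    done
}

# stdin: output of `dumpsys account`. Prints the number of Google accounts.
# Assumption: accounts appear as "Account {name=..., type=com.google}".
google_account_count() {
    tr -d '\r' | grep -c 'Account {.*type=com\.google}' || true
}

# $1 = pm output, $2 = dumpsys output. Returns 1 if an account is signed in.
audit_device() {
    accounts=$(printf '%s\n' "$2" | google_account_count)
    if [ "$accounts" -eq 0 ]; then
        echo "OK: no Google account signed in at OS level"
        return 0
    fi
    echo "FINDING: $accounts Google account(s) signed in at OS level"
    printf '%s\n' "$1" | sideloaded_packages | while read -r pkg; do
        echo "  sideloaded app to review: $pkg"
    done
    return 1
}

# Constructed sample outputs, not captured from a real device.
SAMPLE_PM='package:com.example.streaming  installer=com.android.vending
package:com.android.chrome  installer=null
package:org.example.tvbrowser  installer=com.google.android.packageinstaller'
SAMPLE_ACCOUNTS='User UserInfo{0:Owner:c13}:
  Accounts: 1
    Account {name=user@example.com, type=com.google}'

audit_device "$SAMPLE_PM" "$SAMPLE_ACCOUNTS" || true
# Live use: audit_device "$(adb shell pm list packages -3 -i)" \
#                        "$(adb shell dumpsys account)"
```

A finding means the account should be removed or the device factory-reset before it leaves the owner's control.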

The demonstration drew the attention of US Senator Ron Wyden of the Democratic Party, among others. "My office is in the midst of a review of the privacy practices of streaming TV technology providers," the politician told the online magazine 404 Media. The team had also become aware of the "alarming video" of unsupervised access to an Android TV device. Google initially told Wyden's staff that the matter was expected behavior. It was only when reporters from 404 Media contacted the company that it became more specific. The company stated that "most Google TV devices running the latest software versions no longer allow this behavior". It is also in the process of "providing a solution for the remaining devices". It is not clear from the report which versions of Android TV are involved and which may no longer be patched.

(nie)