back to article TV streaming stick brings the movies and the network backdoors

Vulnerabilities in the EZCast TV streaming stick can allow a hacker to take full control of home networks, steal data and plant bots, researchers at security firm Check Point have warned, with the TV device's flaws effectively handing over root shell control over networks in users’ homes or offices. EZCast is a HDMI dongle- …

  1. Anonymous Custard Silver badge
    Headmaster

    Sadly not only them...

    They're hardly unique in that area of the market for such an issue.

    I have a similar DLNA renderer stick which also hotspots and has a fixed and unchangeable password of 12345678. Contacted the manufacturer (also Chinese), and for some strange reason they didn't see this as a problem or a security risk.

    For some strange and unaccountable reason I only ever use it when travelling, and it's blacklisted from connection to my home network.

    Wouldn't it be nice if such stuff was under some sort of requirement for import license or similar that it didn't open up such gaping backdoor holes in the network if used by Joe Public?

    1. Drone Pilot

      Re: Sadly not only them...

      odd that there has been a van with Chinese guys outside your houses since then...

    2. Anonymous Coward
      Anonymous Coward

      Re: Sadly not only them...

      and for some strange reason they didn't see this as a problem or a security risk.

      I do wonder if the pervasive Internet surveillance in China influences the mindset of product designers based there, so that they really don't see security and privacy as important issues.

  2. Anonymous Coward
    Anonymous Coward

    Brute force ...

    Surely it's possible, nay desireable, to have a device lock up/brick after so many failed attempts. Or just enforce a 1 minute delay between attempts ?

    Like what my combination safe does.

    1. Frank Bitterlich
      Facepalm

      Re: Brute force ...

      Do you really think that a company whose idea of security is an 8-digit numeric root password would ever implement anti-bruteforce methods?

    2. Anonymous Coward
      Anonymous Coward

      Re: Brute force ...

      An enforced delay between connection attempts wouldn't help, since you don't need to keep attempting to connect to a WiFi network to carry out a brute force attack. You just need to capture the handshake traffic and test your password dictionary against that offline.

  3. ZSn

    Raspberry pi

    Raspberry pi with get_iPlayer and cclive, a bit more expensive but infinitely more flexible and secure.

    1. Ugotta B. Kiddingme

      Re: Raspberry pi

      get_iPlayer seems to be pretty specific to the BBC. Any suggestions for those of us on the left side of the pond?

      I've looked at some of these "computing sticks" and darn near bought one several times. These do a couple things my Roku can't, but not enough extra to justify even the cost of a cheap Android version.

      1. Michael Habel Silver badge

        Re: Raspberry pi

        get_iPlayer seems to be pretty specific to the BBC. Any suggestions for those of us on the left side of the pond?

        Oh I dunno how about Kodi (formally of XBMC fame), for Raspberry Pi, add, a decent VPN, and you'd also have access to their BBPlayer.

        Kinda makes me wonder whos at fault here, Allwinner, Amalogic, Rockchip, or some other.

        There would have been a time when I would have said they all kinda suck om the support side. Since the bulk of this crap is likely running 4.4.2 Android IF THAT! But, the bigger boys *cough* Samsung* are starting to pull the same sorta crap on there Devices now too. And are refusing to at least update the bulk of their Tab Pro (2014), line to 5.1.1 Lollipop. Seems like nobody cares about updates, or the abillity (if needs be), to complile custom ROMs for said Devices that ultimately fix these stupid issues.

      2. Anonymous Coward
        Anonymous Coward

        vpn

        You can use a vpn such as privateinternetaccess. However the BBC is reputedly trying to shut down the VPN links by blocking the relevant ip numbers so apparently it's a game of whack-a-mole currently. You can even route the stream via TOR - well that worked eight years ago when I tried it last not sure if it still works. However the TOR method breaks the ethos of TOR so it's up to you if you want to try it.

        Alternatively most programmes seem to end up on YouTube albeit briefly.

      3. ZSn

        pink floyd

        Ugotta B. Kiddingme: I'm sorry but I don't know much about the US television/streaming options. The times I've been there and watched the television I've been deeply disappointed; it reminded me of the Pink Floyd lyrics 'thirteen channels of sh*t on the T.V. to choose from'. Except that there are much more than thirteen now. I presume that the streaming options in the states are more watchable.

        I don't think that netflix works on a raspberry pi, but it may be possible to use Amazon prime video on it (if there is anything to watch that is).

  4. Anonymous Coward
    Anonymous Coward

    Public security ratings

    All new network devices should receive a "security rating" that is publicly displayed on the box.

    1. Michael Habel Silver badge

      Re: Public security ratings

      All new network devices should receive a "security rating" that is publicly displayed on the box.

      And praytell us whos going to actually enforce said raitings on Security? Sans the issue of actuall trust that the Chinese aren't just rolling through the motions. Besides even if the Vuln is real. I'd have to assume that the chances of 'infection' are only slightly better then hitting tonights PowerBall $700M Jackpot. So Storm in a Tee Cup much? No? What of thst IoT Boiler you have that supposedly selling your Mom up the Data Path?

      And here I thought, this is what we had Firewalls for.

  5. PhilipN

    So?

    Many a broadband router/modem has a factory reset button and prints the login credentials on a label stuck to the thing.

    Not that the login credentials count for much. Try "admin" to kick off with.

    1. Richard 12 Silver badge

      Re: So?

      The reset button requires physical access.

      If the attacker has physical access then it's already Game Over - at least for normal levels of security.

      This type of attack seems to only require the attacker to be in wifi range.

      So the van parked outside, your neighbours, or someone a bit further away with a good directional antenna can look at everything on your network.

      That could then be used as a springboard for another more serious attack.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022