
Report: Researchers Find 'Backdoor' Security Flaw in TCL Smart TVs

Security researchers find worrying issues affecting versions of TCL smart TVs running Android operating systems. The problem does not affect Roku-based TCL TVs.



UPDATE 11/18: In a Nov. 16 statement, TCL said it "quickly took steps to investigate, thoroughly test, develop patches, and implement a plan to send updates to resolve the matter," though it acknowledged that improvements to its bug-reporting process are needed.

"Going forward, we are putting processes in place to better react to discoveries by 3rd parties [and] performing additional training for our customer service agents on escalation procedures on these issues as well as establishing a direct reporting system online," TCL says.

"Updating devices and applications to enhance security is a regular occurrence in the technology industry, and these updates should be distributed to all affected Android TV models in the coming days," TCL adds. "TCL takes privacy and security very seriously, and particularly appreciates the vital role that independent researchers play in the technology ecosystem."

TCL says the problem affects "a limited number" of its TVs—model numbers 32S330, 40S330, 43S434, 50S434, 55S434, 65S434, and 75S434.

Of the two bugs, CVE-2020-24703 does not affect products sold in North America. A fix for that one started rolling out on Oct. 30 via an APK upgrade. It concerned the T-Cast (Magic Connect) app, which allows for streaming via mobile devices.

"This vulnerability allowed content directories to be viewed through the LAN, however there is no permission to write or execute," TCL says. "T-Cast was never installed on televisions distributed in the USA or Canada and therefore this vulnerability did not exist on those products."

The second bug, however, does impact TVs sold in the US and Canada. "The TCL lab is working around the clock to test the solution for a system upgrade to address CVE-2020-28055 to complete the modification of directory permissions. Pending successful testing, it is expected that updates will start being distributed in the coming days," TCL said on Monday.

As for what type of access TCL has to its TVs, the company says it's "able to remotely operate most functions of the television remotely ONLY if the user requests such action during the diagnostic session. The process must be initiated by the user and a code provided to TCL customer service agents in order to have diagnostic access to the television. This functionality was never implemented in the North America market."


Original Story 11/15: Android-based TCL smart TVs have a security problem, according to two security researchers.

A three-month investigation from security researcher "Sick Codes" and Shutterstock application security engineer John Jackson discovered that it's possible to access a TCL smart TV file system over Wi-Fi via an undocumented TCP/IP port, and then collect, delete, or overwrite files without the need for any sort of password or security clearance. The problem does not affect Roku-based TCL TVs.

One TCL TV app, known as Terminal Manager Remote, is a "Chinese backdoor," Sick Codes alleged in an interview with Tom's Guide, though he doesn't know if it's sending or receiving info. Sick Codes and Jackson provided the site with a URL that granted the writer access to a TCL smart TV in Zambia; through it, the writer was able to browse the TV's directories until, presumably, the user turned off the unit.

The researchers tried to alert TCL to their findings, but received no reply. A TCL support employee told Sick Codes she had "no contact info [for] the Security team, and didn't even think/know if TCL had a Security team." They also contacted the US Computer Emergency Response Team (US-CERT), which took some time to reply but ultimately told the pair to disclose the flaw if they were receiving no response from TCL.

Eventually the problem was fixed on Sick Codes' TV with a "silent patch." TCL "basically logged in to my TV and closed the port," he told The Security Ledger. This patch did not apply to every TCL model, however, and as Sick Codes states, this "backdoor" means the company may as well have full access to consumer models.