September 14th, 2024

Void captures over a million Android TV boxes

Doctor Web reported that the Android.Vo1d malware has infected 1.3 million Android TV boxes worldwide, modifying system files for persistence, primarily affecting users in Brazil, Morocco, and Pakistan.

Doctor Web has reported the discovery of a malware strain named Android.Vo1d, which has infected approximately 1.3 million Android TV boxes across 197 countries. This backdoor malware allows attackers to secretly download and install third-party software on compromised devices. The infection was first noted in August 2024 when users reported unusual changes in their system files. The malware modifies critical system files, including install-recovery.sh and daemonsu, to ensure its persistence and auto-launch capabilities upon device reboot. The trojan disguises itself by using similar names to legitimate system files, complicating detection. The most affected regions include Brazil, Morocco, and Pakistan, with many devices running outdated Android versions that are no longer supported with security updates. The source of the infection remains unclear, but it may involve exploiting vulnerabilities in the operating system or using unofficial firmware. Dr.Web antivirus software can detect and remove all known variants of the Android.Vo1d trojan, provided the device has root access.

- Android.Vo1d has infected around 1.3 million Android TV boxes globally.

- The malware modifies system files to maintain persistence and auto-launch on reboot.

- The largest number of infections were reported in Brazil, Morocco, and Pakistan.

- Many infected devices run outdated Android versions, making them vulnerable.

- Dr.Web antivirus can detect and cure infected devices if root access is available.
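The summary says the trojan persists by modifying boot-time system files and hides behind names that mimic legitimate ones, so a simple hash baseline of the files it is known to touch is one way an administrator can spot that kind of tampering. The script below is an added example, not code from Doctor Web or from this page; it records SHA-256 hashes for a list of paths and later reports files that changed, disappeared, or newly appeared. Only the two file names install-recovery.sh and daemonsu come from the page; the manifest location and the directory layout are assumptions, and the usage at the bottom runs it against a constructed temporary directory rather than a real device.

```shell
#!/bin/sh
# Added example: hash baseline for files a persistence mechanism may modify.
# Usage: record_baseline <manifest> <file>...   then   check_baseline <manifest>
# check_baseline exits 0 when every file matches the baseline, 1 otherwise.

# SHA-256 of one file, or the token MISSING when the path does not exist.
hash_file() {
    if [ -f "$1" ]; then
        { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; } \
            | cut -d' ' -f1
    else
        printf 'MISSING'
    fi
}

# Write one "hash  path" line per file. Absent files are recorded as MISSING
# so that a file appearing later (e.g. a daemonsu that was never there) is flagged.
record_baseline() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    done
}

# Compare the current state of every path in the manifest against its baseline.
check_baseline() {
    manifest=$1
    drift=0
    while read -r expected path; do
        actual=$(hash_file "$path")
        if [ "$expected" = "$actual" ]; then
            echo "ok        $path"
        elif [ "$expected" = "MISSING" ]; then
            echo "APPEARED  $path"; drift=1
        elif [ "$actual" = "MISSING" ]; then
            echo "REMOVED   $path"; drift=1
        else
            echo "CHANGED   $path"; drift=1
        fi
    done < "$manifest"
    return "$drift"
}

# Demonstration on a constructed directory (assumed layout, not a real device).
demo() {
    tmp=$(mktemp -d)
    printf 'echo original\n' > "$tmp/install-recovery.sh"
    record_baseline "$tmp/manifest" "$tmp/install-recovery.sh" "$tmp/daemonsu"
    printf 'echo tampered\n' > "$tmp/install-recovery.sh"   # simulated modification
    : > "$tmp/daemonsu"                                     # simulated new file
    check_baseline "$tmp/manifest"
    rm -rf "$tmp"
}

case "${1:-}" in
    record) shift; record_baseline "$@" ;;
    check)  shift; check_baseline "$@" ;;
    demo)   demo ;;
esac
```

The baseline has to be taken from a device you trust and stored somewhere the device itself cannot rewrite, otherwise malware that edits the files can edit the manifest too; on a box whose system partition is still verity-protected, any drift reported here is itself a sign that protection is off.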

AI: What people are saying
The comments discuss various aspects of the Android.Vo1d malware infection on TV boxes, highlighting concerns about security and device management.
  • Many users express frustration over outdated Android versions on TV boxes, which lack security updates and are often produced by unreliable manufacturers.
  • There is skepticism about the security of generic TV boxes, with some suggesting they may come pre-installed with malware.
  • Concerns are raised about the effectiveness of auto-updates for security, with some advocating for more secure design principles instead.
  • Users question the network security of these devices, wondering how they can be compromised despite being behind firewalls.
  • Some comments clarify the terminology, emphasizing that these are TV boxes running Android rather than dedicated Android TV devices.
13 comments
By @1oooqooq - 5 months
> such devices often run on outdated Android versions,

Ah the new economical divide.

Most "real people" also have phones which aren't receiving updates for a few years by now.

In South America the median Android version is 8.

And phones are not optional as most countries already jumped into both digital government and money transfer.

By @mrweasel - 5 months
> such devices often run on outdated Android versions, which have unpatched vulnerabilities and are no longer supported with updates.

Many of them NEVER received a single update ever. There are so many shady companies producing TV boxes with no plan to ever provide any updates.

Unless one of the larger brands makes such a device, I don't see any reason to recommend anything but the Chromecast or whatever Google calls it now. Or a Roku or an Apple TV, if you swing that way.

By @Namidairo - 5 months
I wonder what SoC these are running?

Quite a few of them actually end up configured to prefer SD boot over internal flash and/or have easily accessible buttons or shortable pads to trigger bootrom recovery modes.

Which, at least, stops them being automatically consigned to e-waste.

Although, customising a LibreELEC image for the dozens of different models of TV box isn't great. Typically involves sorting out the dts for the device and remapping the remote.

By @steelframe - 5 months
Some of my hard requirements for a media device are that it must not share any of my personal information with any third party and it must fully cache the full-resolution and complete media content prior to beginning playback. If it's going to be connected to the Internet it must receive regular security updates for anything that's not written in a memory- and type-safe language like Go or Rust.

While Go and Rust aren't necessarily magic pixie-dust that can account for all types of security vulnerabilities, if I'm going to be faced with the possibility of some project being abandoned at some point for the next new shiny thing that everyone would rather work on, I'd at least like to give it a fighting chance of remaining secure for some time after abandonment without any updates. Ideally it would be a Rust userspace media management package running on Debian Stable getting unattended upgrades every night.

Since nothing like that exists I've recently decided to give CoreELEC/Kodi a try on an ODROID-N2+, albeit disconnected from any network. I was surprised at how seamless and integrated everything was.

The remote control for my television "just worked" with it out of the box thanks to HDMI CEC support. Arrow buttons, play/pause, back, etc. all did just what I expected them to do. It's a marked improvement from the last time I built a custom media box, which I had running MythTV on Gentoo, when I needed to jump through hoops to set up an IR blaster. And you can't argue with a 12v/2a power supply.

For now I'm keeping it off my home network and am "sneaker-netting" content on a USB drive between my trusted devices and the ODROID. When I get tired of doing that I might add some firewall rules to my router to only allow it to talk to a locked-down VM doing nothing but hosting a read-only file share. But some day I hope to look forward to building a similar form-factor box that has all the media gadgets and gizmos with a Rust userspace that respects my privacy and auto-updated Debian Stable so I can actually connect it to the Internet.

By @photonthug - 5 months
There’s always one thread where we are discussing how everything needs to auto-update for security/stability forever, and another thread (currently crowdstrike) where that approach has caused the problem we wanted to avoid. Would be nice to see more discussion of this basic tension in the abstract since $current_issue is often just a distraction.

Auto updates also have a reputation for harming the user at least as often as helping (removing features, adding ads, whatever) and so trust in that is declining while the need for decent security (smart cars/homes) is increasing. Not sure what to conclude from this except that we need more focus on secure-by-design systems and maybe immutability guarantees rather than autoupdates, app stores, and plugin/extension frameworks but these things are sometimes impractical fundamentally and sometimes just inconvenient for surveillance capitalism.

By @nox101 - 5 months
What's going to be even more fun is when cars get hacked, given that there are 100+ (200+) car makers, especially with EV cars (WSJ claimed 140+ makers in China; Bloomberg claimed 500+). I'm not dissing Chinese makers. I'm only sure that, like everything, there's an exponential curve of how seriously companies take security. I'm guessing, of the car makers out there, Tesla and Rivian are near the top since they are new and have people with security experience? I'd expect traditional car makers (Ford, Chevy, Chrysler, Toyota, Honda, Nissan) to all be pretty mediocre. And then I'd expect all the tiny companies to be no different than the tiny companies that made the TVs above.

By @happyopossum - 5 months
Given the nature of some (most?) of the generic TV boxes running random AOSP, I would not be at all surprised if these didn’t ship with some basic C&C malware already installed.

This was apparently found due to seeing some changed files, so they didn’t ship with Vo1d, but it wouldn’t have been hard to push it out to pre-compromised boxes.

By @TiredOfLife - 5 months
It's not Android TV boxes. It's TV boxes running Android.

By @notsurprising - 5 months
This is the result of giving your Android TV Wi-Fi access. Use it like a dumb monitor and such exploits go away.

By @_ink_ - 5 months
How does this work? Are those TV boxes not running behind routers with firewalls?