Certain Android TV Box models from manufacturers AllWinner and RockChip, available for purchase on Amazon, come pre-loaded with malware from the BianLian family, a variant of which we investigated last year. The malware, discovered by security researcher Daniel Milisic, adds your smart set-top box to a botnet for initiating coordinated attacks. Affected models include the AllWinner T95, AllWinner T95Max, RockChip X12-Plus, and RockChip X88-Pro-10.

By looking at the traffic being sent by these devices, the researcher was surprised to find a number of DNS requests for domains publicly known to be botnet Command and Control (C&C) servers. The researcher also extracted a Stage-1 payload for the malware and contacted Linode, which had been hosting some of the C&C servers and subsequently shut them down. Having reached out to AllWinner, the researcher received a response denying the presence of malware and attributing the malicious traffic observed to the presence of Logcat on the system—a fact which is wholly unrelated. EFF was able to independently confirm the researcher’s findings.

What's more, the T95 smart set-top box came out-of-the-box with the Android Debug Bridge (adb) wide open and available over WiFi. adb gives remote control of a device, including issuing shell commands and installing apps. The device firmware was signed with a testing key, and no clean or production-ready firmware was made available to consumers. Without access to a clean version of the system firmware, consumers are left with no clear way to rid their device of the malware.

The widespread availability of these low-end devices presents a danger to consumers, their networks, and the security and stability of the internet at large. Though it would be impractical to conduct a thorough security audit of all merchandise sold on Amazon, a more thorough vetting process could be introduced before selling consumer-grade IoT devices. For instance, a basic network analysis would have found these devices communicating with C&C servers and exposing wide-open adb ports.
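The C&C half of that "basic network analysis" is a matching of a router's DNS query log against a list of known C&C domains. The script below is an added illustration, not part of the original post or the researcher's tooling; the dnsmasq-style log lines and the blocklisted domain names are constructed placeholders, and in practice the blocklist would be the published C&C indicators.

```python
import re
from collections import defaultdict

# Constructed sample dnsmasq-style query log lines (not real captured traffic).
SAMPLE_DNS_LOG = """\
Jan  1 12:00:01 dnsmasq[812]: query[A] time.android.com from 192.168.1.40
Jan  1 12:00:02 dnsmasq[812]: query[A] c2-placeholder.example from 192.168.1.50
Jan  1 12:00:03 dnsmasq[812]: query[A] cdn.c2-placeholder.example from 192.168.1.50
Jan  1 12:00:04 dnsmasq[812]: query[AAAA] update.vendor-placeholder.example from 192.168.1.40
Jan  1 12:00:05 dnsmasq[812]: query[A] stage1-placeholder.example from 192.168.1.51
"""

# Placeholder blocklist: substitute the published C&C indicators or a
# threat-intelligence feed when running this against a real log.
BLOCKLIST = {"c2-placeholder.example", "stage1-placeholder.example"}

# dnsmasq query line: "query[<type>] <name> from <client ip>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")

def matches_blocklist(name, blocklist):
    """True if name equals a blocklisted domain or is a subdomain of one.

    The trailing dot and case are normalised so 'CDN.c2-placeholder.example.'
    still matches; 'notc2-placeholder.example' deliberately does not.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in blocklist)

def flag_c2_lookups(log_text, blocklist=BLOCKLIST):
    """Map each client IP to the sorted list of blocklisted names it resolved."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_blocklist(m.group("name"), blocklist):
            hits[m.group("src")].add(m.group("name").rstrip(".").lower())
    return {src: sorted(names) for src, names in hits.items()}

if __name__ == "__main__":
    for src, names in flag_c2_lookups(SAMPLE_DNS_LOG).items():
        print(f"{src} resolved suspected C&C domains: {', '.join(names)}")
```

A device that shows up here is a candidate for isolation on the network; the open adb port mentioned above is a separate check done with a port scanner against the device's LAN address.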

The sale of these devices reveals some glaring holes in public cybersecurity infrastructure. The devices, manufactured by little-known third-party vendors based in China, have little reputation to protect. Unlike the larger brands, they can sell their products cheaply by cutting costs on quality control and device security without incurring a reputational cost. Faced with the absence of any rigorous security certification for consumer-grade IoT devices and the widespread availability of these devices, purchasers are forced to make a choice which is too often driven by price rather than information.

Recently, CISA Director Jen Easterly commented that software vendors “should own the security outcomes for their customers.” This signals the federal government’s recognition of serious lapses in consumer-grade cybersecurity and its willingness to mitigate the threats posed by consumer devices and software. Such initiatives will create market incentives for companies to take product security more seriously. To complement this, we call on large IoT marketplaces such as Amazon to do more thorough testing of devices before making them available to the public.