EZCast Smart TV Dongle May Threaten Home Network Security

10 Healthcare Wearables, Devices Dominating CES

EZCast's Smart TV Dongle, used by an estimated 5 million households, enables consumers to easily convert a regular TV into a smart TV to stream images and content. But in an analysis of the device, security software firm Check Point reported that EZCast's device also creates an easily exploited pathway into the home network.

Check Point Software Technologies issued a report today, Jan. 7, outlining that pathway and warning that the consumer Internet of Things will need to be built with a greater concern for security than evidenced to date.

EZCast "wants to make it easy for the users, and a smart TV does provide wonderful services," Kellman Meghu, head of Check Point's team of security architects concerned with virtual data center infrastructure, told InformationWeek in an interview.

Consumers who adopt devices that don't have basic security in place risk having their identities stolen and opening their home networks to intruders when they connect those devices to the Internet, Meghu said. He also said EZCast's dongle isn't the only device with vulnerabilities, but Check Point researcher Kasif Dekel and Security Group research manager Oded Vanunu say it's a particularly graphic example of how a connected consumer device can go wrong.

Check Point notified EZCast in July and again in August of the vulnerabilities it had found in the dongle but did not get a response from the company. It rechecked the device's vulnerability status multiple times before publishing its report, "EZHack -- Popular Smart TV Dongle Remote Code Execution."

[Want to learn more about consumer devices on the IoT? See IoT Innovations at CES 2016: What to Expect.]

The dongle's vulnerabilities can enable an intruder to access the Smart TV Dongle's internal Linux server with root or superuser privileges. "You can patch your (home) PC all you want, but [the intruder is] still sitting on your network," said Meghu.

The EZCast dongle is actually a small Linux server and Web server that plugs into the back of a TV set. To work, it must set up a temporary WiFi network under the protection of WPS or WiFi Protected Setup, requiring the entry of an eight-digit router PIN. The PIN is easier to break than most such passwords because it's accepted by the router in two four-digit segments.

Meghu said it would take about 20 minutes of repeated guessing by an automated system firing number combinations at the router to come up with the two segments.

The temporary network established by EZCast for the dongle automatically bridges to the user's home WiFi network. Unfortunately, it remains in place and available, even though the consumer will not need it again or be aware that it's a potential opening to his home network, Meghu said.

An even simpler method of breaking into the temporary EZCast network is to send a link to the target home that invites the dongle's owner to click on it. The link could be sent through a Facebook address connection, email, Skype, or other avenues.

"If I know you have one of these EZCast devices in your house, all I have to do is get a user in the house to click on a link," Meghu said. That link could connect to a website that launches injection code over the user's home network that tells the EZCast Linux server to accept the intruder.

Once the intruder has succeeded in landing on the server, additional instructions and commands can be launched from the server over the temporary WPS WiFi bridge onto the home network. An intruder's ability to land there doesn't automatically compromise things such as online banking passwords or healthcare account connections, but it is a vantage point from which such things may be searched for or attacked.

Another outcome of an intruder on the Linux server might be that the dongle's server itself could be confiscated and directed to launch spam, phishing attempts, or denial of service attacks over the Internet. "I want to use your server to send spam, not my own. When the FBI shows up, they'll be knocking on your door, not mine," continued Meghu, outlining the consequences of an unsecured network opening.

The report delves further into the possibilities of exploiting the dongle.

Researcher Dekel reported after getting on the device, an intruder could opt to extract the firmware code by asking the EZCast site for a code update, offered on the device's menu. From that update, the intruder can examine the file system and look for CGI files in use, a known vector for further intrusion. The CGI files can be run on an open source QEMU emulator to see what they do and how the intruder might wish to modify them.

Meghu said Check Point hasn't gotten any response from the company, despite the two notifications. The EZCast dongle is priced at $15 to $30. It's sometimes described as a low-cost alternative to Google's Chromecast smart TV converter. Applications have been written for the device enabling it to receive content from Android phones, iPhones and other iOS devices, Chrome OS devices, and Windows PCs.

"IoT vendors must understand that if they put a piece of software on a connected hardware device, they must address the security risks at the design level. Otherwise, their customers will be exposed to remote exploitation," Vanunu wrote in the report.

Elite 100 2016: DEADLINE EXTENDED TO JAN. 15, 2016 There's still time to be a part of the prestigious InformationWeek Elite 100! Submit your company's application by Jan. 15, 2016. You'll find instructions and a submission form here: InformationWeek's Elite 100 2016.