Some Android-powered TVs can expose the contents of users’ email inboxes if an attacker has physical access to the TV. Google initially told the office of Senator Ron Wyden that the issue, which is a quirk of how software is installed on these TVs, was expected behavior, but after being contacted by 404 Media, Google now says it is addressing the issue.
The attack is an edge case but one that still highlights how the use of Google accounts, even on products that aren’t necessarily designed for browsing user data, can expose information in unusual ways, including TVs in businesses or ones that have been resold or given away.
“My office is mid-way through a review of the privacy practices of streaming TV technology providers. As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set top box, a criminal could get access to private emails of the Gmail user who set up the TV,” Senator Ron Wyden told 404 Media in a statement.
In the video from January, YouTuber Cameron Gray laid out the issue while setting up an Android TV. He describes the video as “somewhat of a PSA about why you should never log into an Android TV device using a Google account that contains anything sensitive.” As well as being able to access things you might expect an Android TV to access, such as YouTube, Gray explains someone could also “access basically anything about your Google account, and that includes email through Gmail, files through Google Drive, or even services where you’ve signed in through Google into an external service.”
“And it’s not very clear it’s possible,” he says.
The issue is that although Google mostly locks down the functionality of Android TVs, with no web browser installed and Chrome not available for download from the Google Play Store, it still allows users to download third-party browsers.
“This is an interesting issue since it's not necessarily a bug or security flaw in the traditional sense but more a form of intended behaviour that is extremely non-obvious to the average end user,” Gray told 404 Media in an email.
In his video Gray downloads another web browser called TV Bro. He then navigates to APK Pure, a popular APK archive, and downloads a copy of Chrome. After opening that, Chrome does not ask him to provide the password to his Google account. Instead, it uses the persistent login from the underlying Android OS itself that he created at setup. This version of Chrome isn’t designed to work with Android TVs and a remote control, so attackers would then need to plug in a USB keyboard and mouse. Gray then navigates to Gmail in Chrome and can view the Google account’s emails.
“Oh look, my Gmail inbox,” Gray says in the video. From here, an attacker could try to access other accounts which send password reset links to this Gmail address.
As Gray says, most people using an Android TV log in with their Google account and then leave the TV sitting in their business or home without a PIN or any other form of authentication. The same applies to a TV in an office, or to one that a user sells or otherwise gives away with the Google account still signed in. Another case is when people sign into an Android TV with their Google account in holiday accommodation.
In the video Gray recommends people use a throwaway Google account for their Android TV rather than their main Google account.
Senator Wyden said “My staff promptly sent Google the video. Unfortunately, Google's initial response indicated that this was expected behavior and not a security problem.”
404 Media then approached Google for comment. A Google spokesperson said in a statement that “We are constantly working to improve our protections to help keep Google TV and Android TV OS users safe. We are aware of this potential scenario where bad actors who have obtained physical access to a TV device can manually override the default settings to sideload Google apps normally restricted on a TV and access Google services on the signed-in account.”
The statement added that “Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of devices. As a best security practice, we always advise users to update their devices to the latest software.”
Wyden added “I'm glad Google has now changed course, acknowledged that this is a security problem and is beginning to fix it.”
Gray added “I'm pleased that it's been fixed, although it does feel as though it should have been fixed sooner since the issue has been known about publicly for long before I decided to make a video about it!”
Update: This piece has been updated to include comment from Gray.