Some Android-powered TVs can expose the contents of users’ email inboxes if an attacker has physical access to the TV. Google initially told the office of Senator Ron Wyden that the issue, which is a quirk of how software is installed on these TVs, was expected behavior, but after being contacted by 404 Media, Google now says it is addressing the issue. 

The attack is an edge case but one that still highlights how the use of Google accounts, even on products that aren’t necessarily designed for browsing user data, can expose information in unusual ways, including TVs in businesses or ones that have been resold or given away.

“My office is mid-way through a review of the privacy practices of streaming TV technology providers. As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set top box, a criminal could get access to private emails of the Gmail user who set up the TV,” Senator Ron Wyden told 404 Media in a statement.

In the video from January, YouTuber Cameron Gray laid out the issue while setting up an Android TV. He describes the video as “somewhat of PSA about why you should never log into an Android TV device using a Google account that contains anything sensitive.” As well as being able to access things you might expect an Android TV to access, such as YouTube, Gray explains someone could also “access basically anything about your Google account, and that includes email through Gmail, files through Google Drive, or even services where you’ve signed in through Google into an external service.”

“And it’s not very clear it’s possible,” he says.

The issue is that although Google mostly locks down functionality of Android TVs, with not even a web browser being installed and Chrome not being available to be downloaded from the Google Play Store, it still allows users to download third party browsers.

“This is an interesting issue since it's not necessarily a bug or security flaw in the traditional sense but more a form of intended behaviour that is extremely non-obvious to the average end user,” Gray told 404 Media in an email.

In his video Gray downloads another web browser called TV Bro. He then navigates to APK Pure, a popular APK archive, and downloads a copy of Chrome. After opening that, Chrome does not ask him to provide the password to his Google account. Instead, it uses the persistent login from the underlying Android OS itself that he created at setup. This version of Chrome isn’t designed to work with Android TVs and a remote control, so attackers would then need to plug in a USB keyboard and mouse. Gray then navigates to Gmail in Chrome and can view the Google account’s emails.

“Oh look, my Gmail inbox,” Gray says in the video. From here, an attacker could try to access other accounts which send password reset links to this Gmail address.

As Gray says, most people using an Android TV may log in with their Google account, then have the TV sitting in their business or home without a PIN or other form of authentication. This could also apply to a TV in an office, or one that a user sells or otherwise gives away with the Google account still signed in. Another case is when people may sign into an Android TV with their Google account in holiday accommodation.

In the video Gray recommends people use a throwaway Google account for their Android TV rather than their main Google account. 

Senator Wyden said “My staff promptly sent Google the video. Unfortunately, Google's initial response indicated that this was expected behavior and not a security problem.”

404 Media then approached Google for comment. A Google spokesperson said in a statement that “We are constantly working to improve our protections to help keep Google TV and Android TV OS users safe. We are aware of this potential scenario where bad actors who have obtained physical access to a TV device can manually override the default settings to sideload Google apps normally restricted on a TV and access Google services on the signed-in account.”

The statement added that “Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of devices. As a best security practice, we always advise users to update their devices to the latest software.”

Wyden added “I'm glad Google has now changed course, acknowledged that this is a security problem and is beginning to fix it.”

Gray added “I'm pleased that it's been fixed, although it does feel as though it should have been fixed sooner since the issue has been known about publicly for long before I decided to make a video about it!”

Update: This piece has been updated to include comment from Gray.

California schools may soon need to provide halal and kosher meal options for students.

Dubbed the Halal and Kosher School Meals Act, a proposed bill in the California Legislature would require schools to provide kosher or halal meals if more than 5% of their students request such.

Both kosher and halal meals follow specific Jewish and Islamic dietary practices, respectively, for how food is prepared and served. For kosher meals, dairy and meat cannot be mixed, and only certain animals can be eaten. Halal requires animals to be slaughtered in a particular way and does not permit the consumption of pork products.

Sen. Josh Newman, D-Fullerton, said every student, no matter religion or culture, deserves to feel “supported and included at school” and his bill is one way that schools can do that.

“Kids shouldn’t have to choose between hunger and adhering to their religious beliefs,” Newman said. “This bill creates a more equitable system for students who observe halal or kosher dietary practices.”

“When suitable meals aren’t available for these students,” he said, “they often have to go without eating at school, something that is fundamentally unfair and clearly detrimental to their educational experience.”

For Shaykh Mustafa Umar, the senior religious director of the Islamic Center in Irvine, the bill is personal.

Umar’s children attend an elementary school in the Newport-Mesa School District. There have been times when his children would bring lunches from home so they wouldn’t have to worry if their meals at school were halal. When they don’t bring meals from home, they skip eating at school and just have a later meal at home.

“It has always been a struggle when it comes to food and public schools,” Umar said, adding that he is “extremely happy” to see such a bill that considers both Muslims and Jews.

“It hasn’t been easy,” he added. “Teachers would often say all the food is halal if there wasn’t any pork being served so the kids would get confused and tell me the teacher and the lunch lady said the food is halal when it actually was not. That was pretty frustrating.”

Umar had to teach his children how to explain halal to adults, which is “a lot for a second grader to take on.”

“I wish it wasn’t that way and they could just have good, healthy, halal options where there is no confusion,” Umar said.

The proposed bill, should it pass, would take effect in the 2025-2026 school year. If at least 5% of a school’s students request halal or kosher options, the school would need to provide them. If less than 5% request alternative options, a school could still provide those options but would not be mandated to do so.

The bill allows school districts or schools to survey students for their meal preferences, however they deem best.

Rabbi Dov Wagner, director of the Chabad Jewish Student Center at USC, said the bill would open up meal options for all students, something that has been tough for children in the past.

“Without access to kosher and halal meals, students are often put in a situation where they have to choose between their education and their religious traditions and heritage,” Wagner said. “That is an unfair choice to need to make.”

“All other students are being provided with meals that meet their dietary needs,” Wagner said. “Jewish and Muslim students deserve the same.”

California’s education code requires public school districts, county offices of education and charter schools serving students from transitional kindergarten to twelfth grade to provide two meals free of charge during each school day to students requesting a meal, regardless of their free or reduced-price meal eligibility. If a child is vegan, gluten-free or has any other allergies, they will be given a meal that fits their dietary needs after discussing them with the school.

But there are no standardized policies for providing meals tailored to a person’s diet for religious purposes, Newman’s spokesperson Brian Wheatley said.

“For students that keep halal or kosher, they were either limited to cherry-picking specific items from the cafeteria, bringing meals from home or, worst case, not eating at all,” Wheatley said. “We had testimony from one student that said that if she didn’t arrive in the cafeteria early enough, everything she could eat was gone.”

Just how much the bill would cost schools is not yet known, said Wheatley.

The bill will need to get the OK from the Senate Appropriations Committee to progress; a hearing has been set for Monday, April 29. It recently passed unanimously out of the Senate Education Committee.

After tensions led USC to drop its valedictorian and keynote speaker from its main commencement ceremony, the school canceled its largest graduation event.

Microsoft is starting to enable ads inside the Start menu on Windows 11 for all users. After testing these briefly with Windows Insiders earlier this month, Microsoft has started to distribute update KB5036980 to Windows 11 users this week, which includes “recommendations” for apps from the Microsoft Store in the Start menu.

“The Recommended section of the Start menu will show some Microsoft Store apps,” says Microsoft in the update notes of its latest public Windows 11 release. “These apps come from a small set of curated developers.” The ads are designed to help Windows 11 users discover more apps, but will largely benefit the developers that Microsoft is trying to tempt into building more Windows apps.

Microsoft only started testing...

Continue reading…

The Department of Transportation (DOT) finalized rules that will soon require airlines to quickly refund passengers if they cancel or delay flights or make significant changes.

Airlines must pay passengers back either in cash or in the original form of payment, no matter the reason they cancel their flight. Alternatively, passengers can choose to accept travel credit, other kinds of transportation, or another flight offered by the airline.

Airlines must also refund passengers if their flight itinerary is “significantly changed” and they don’t accept the airline’s alternative travel options. Specifically, this means that you can get your money back if your flight changes its arrival or departure time by three or more hours for domestic...

Continue reading…

Enlarge (credit: boonchai wedmakawand)

California's electric grid, with its massive solar production and booming battery installations, is already on the cutting edge of the US's energy transition. And it's likely to stay there, as the state will require that all passenger vehicles be electric by 2035. Obviously, that will require a grid that's able to send a lot more electrons down its wiring and a likely shift in the time of day that demand peaks.

Is the grid ready? And if not, how much will it cost to get it there? Two researchers at the University of California, Davis—Yanning Li and Alan Jenn—have determined that nearly two-thirds of its feeder lines don't have the capacity that will likely be needed for car charging. Updating to handle the rising demand might set its utilities back as much as 40 percent of the existing grid's capital cost.

The lithium state

Li and Jenn aren't the first to look at how well existing grids can handle growing electric vehicle sales; other research has found various ways that different grids fall short. However, they have access to uniquely detailed data relevant to California's ability to distribute electricity (they do not concern themselves with generation). They have information on every substation, feeder line, and transformer that delivers electrons to customers of the state's three largest utilities, which collectively cover nearly 90 percent of the state's population. In total, they know the capacity that can be delivered through over 1,600 substations and 5,000 feeders.

Read 12 remaining paragraphs | Comments