14 DAY TRIAL // A Chromecast-like TV streaming device manufactured by EZCast comes with a few security flaws that allow attackers access to a user's home network.
EZCast devices are HDMI-based TV dongles that can be connected to any regular TV and transform it into a smart appliance. The stick contains all the necessary brain power to allow apps to run on the device, and stream audio and video files from the local network or the Internet.
Check Point security researcher Kasif Dekel discovered bugs in the EZCast device's firmware, flaws that the manufacturer failed to address, even after Check Pointed contacted them.
EZCast has weak passwords, susceptible to brute-force attacks
According to Mr. Dekel, the first major issue he saw is that the device created its own WiFi network to allow the user to connect various devices (laptops, desktops, mobiles) to the dongle and start streaming content.
The issue was the fact that this WiFi network was only protected by an 8-digit password. The device had no protection against brute-force attacks, and Mr. Kessel successfully cracked a dongle's WiFi password.
Additionally, using simple social engineering tricks, the researcher also created malicious links, which could be sent to the user via Skype or Facebook messages. If these messages were opened from the TV, while surfing the Web via their EZCast, the attacker would also gain access to the dongle's network.
If the dongle is connected to your TV, it doesn't mean your PC is safe
Giving an attacker access to the dongle's network would also grant them access to any laptop or mobile connected to that network, and indirectly to all the data hosted on them.
According to Google statistics, the EZCast device has about 5 million users.
"The EZCast device was never designed with security in mind. We were able to uncover a number of critical vulnerabilities, and we barely scratched the surface," Check Point researchers say. "Would you sell a root shell in your network for $25 dollars? Because that’s what you’re essentially doing when you buy and use this device."
After he was all done, Mr. Dekel found 2 remote code execution vulnerabilities, 1 command injection, and 1 unrestricted file upload flaw, with some flaws allowing execution of code as the root user.
