Beware, Android TV users: Your email could be at risk
Certain smart TVs powered by Android may inadvertently expose users' email inboxes to potential attackers who gain physical access to the device. This vulnerability arises from the software setup on these TVs, a feature initially deemed normal by Google, following a query from Senator Ron Wyden's office. However, after being alerted by 404 Media, Google has shifted its stance and is now actively working to address this problem.
Issue was recently raised by a YouTuber
YouTuber Cameron Gray recently flagged this issue while configuring an Android TV. He characterized the video as "somewhat of PSA about why you should never log into an Android TV device using Google account that contains anything sensitive." Beyond the typical functionalities like accessing YouTube, Gray highlighted someone could also "access basically anything about your Google account, and that includes email through Gmail, files through Google Drive, or even services where you've signed in through Google into an external service."
Bypassing passwords with third-party browsers
Gray installed a web browser called TV Bro on his Android TV and downloaded Chrome from APK Pure, a well-known APK archive. Upon launching Chrome, he noticed that the browser did not prompt him to input his Google account password. Instead, it used the existing login from the Android OS itself, which he initially provided during device setup. Gray was then able to navigate to Gmail using Chrome and gain access to the emails associated with his Google account.
Using a disposable Google account recommended
Gray highlights that many Android TV users log in with their Google account, leaving the TV unsecured without a PIN or any authentication method. This scenario extends to TVs in residential/commercial settings, including offices, or when users pass on or sell TV with their Google account still active. Similarly, individuals may sign into Android TVs with their Google account while staying in holiday accommodations. In the video, Gray advises viewers to utilize a disposable Google account rather than primary one.
Scanner on Google's tight control over functionality of Android TVs
The problem arises from Google's tight control over the functionality of Android TVs. Despite restrictions like absence of a pre-installed web browser and inability to download Chrome from Play Store, users are still permitted to download third-party browsers. In an email to 404 Media, Gray explained, "This is an intriguing issue because it's not exactly a bug or security vulnerability in the conventional sense." "Rather, it's a type of intended behavior that is highly non-apparent to the typical end user."
Vulnerability underscores potential risks of using Google accounts
The vulnerability underscores the potential risks of using Google accounts on devices not specifically designed to protect user data. It brings to light unexpected ways in which personal information can be compromised. This includes TVs in commercial settings or those that have been resold or donated, emphasizing the need for robust data protection measures. The issue, while seemingly isolated, brings attention to the broader implications for data security on such devices.
Google has addressed the security concern
A spokesperson from Google told 404 Media, "We acknowledge the potential scenario where unauthorized individuals, having physical access to a TV device, may override default settings to sideload Google apps typically restricted on TVs and access Google services on the signed-in account." The statement further noted, "The majority of Google TV devices with up-to-date software versions already prevent such behavior. We are currently implementing a solution for the remaining devices."
