Set-top tuner boxes have become the latest infection vector in the spread of Internet of Things malware.
This came out of a report from mobile security house WootCloud, which said its team has caught a botnet called Ares, targeting Android entertainment boxes from Huawei, Cubetek, and Qezy Media.
The WootCloud malware detectives said the Ares infection preys on the poorly secured configurations many set-top boxes ship with for Android's ADB debugging interface, the Android Debug Bridge. In many of the boxes, TCP port 5555 is left open for both ADB and remote management commands, with no authentication required, making them an easy target for any attacker able to scan the open internet.
Once a vulnerable device is found, the malware installs itself by issuing ADB commands over port 5555. The freshly infected bot then connects to a command-and-control server and scans for other vulnerable Android devices within reach, spreading the infection further. The infected machines are subsequently sent crypto-mining tools and other unspecified malware payloads.
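To make the port 5555 handshake concrete, here is an added example, written for this article and not WootCloud's tooling or the malware's code, that speaks the opening message of the ADB wire protocol, a CNXN packet, and classifies the reply. An adbd that requires key authentication answers with an AUTH message, while the unauthenticated service the researchers describe completes the handshake immediately with its own CNXN, which also carries the device's ro.product.* properties. The live probe() is the same check a defender can run against a box they own; the sample replies asserted on are constructed, and the label strings, default port argument and function names are this example's own.

```python
"""Fingerprint an Android Debug Bridge (adbd) listener on TCP 5555 and tell
an unauthenticated one from one that demands a signed key.

Example code added to this article; not WootCloud's or the malware's."""
import socket
import struct

# ADB wire-protocol constants, as documented in AOSP's adb/protocol.txt.
A_CNXN = int.from_bytes(b"CNXN", "little")   # connect / connect-reply
A_AUTH = int.from_bytes(b"AUTH", "little")   # adbd wants RSA-signed auth
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096                            # MAX_PAYLOAD_V1, accepted by every adbd build
HEADER_FMT = "<6I"                            # command, arg0, arg1, data_length, data_check, magic
HEADER_LEN = struct.calcsize(HEADER_FMT)      # 24 bytes


def build_message(command, arg0, arg1, payload):
    """Serialise one ADB message: fixed 24-byte header plus payload."""
    header = struct.pack(HEADER_FMT, command, arg0, arg1, len(payload),
                         sum(payload) & 0xFFFFFFFF,   # data_check: byte sum of payload
                         command ^ 0xFFFFFFFF)        # magic: bitwise NOT of command
    return header + payload


def build_cnxn(identity=b"host::\x00"):
    """The opening CNXN a client sends; identity is the system-identity string."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity)


def parse_message(raw):
    """Return (command, arg0, arg1, payload), or raise ValueError if raw is not ADB."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    command, arg0, arg1, length, _check, magic = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB message")
    payload = raw[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return command, arg0, arg1, payload


def classify(reply):
    """Label adbd's first reply to our CNXN."""
    try:
        command, _, _, _ = parse_message(reply)
    except ValueError:
        return "not-adb"                 # SSH, HTTP, an empty read, ...
    if command == A_AUTH:
        return "adb-auth-required"       # adbd sent an AUTH token: a trusted key must sign it
    if command == A_CNXN:
        return "adb-unauthenticated"     # adbd finished the handshake with no auth at all
    return "adb-unexpected"


def parse_banner(reply):
    """Pull the key=value properties (ro.product.model etc.) out of a CNXN reply."""
    try:
        command, _, _, payload = parse_message(reply)
    except ValueError:
        return {}
    if command != A_CNXN:
        return {}
    text = payload.rstrip(b"\x00").decode("ascii", "replace")
    if "::" in text:
        text = text.split("::", 1)[1]    # drop the leading "device"
    props = {}
    for item in text.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            props[key] = value
    return props


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed early")
        buf += chunk
    return buf


def probe(host, port=5555, timeout=3.0):
    """Live check against a device you own: returns (label, properties)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        header = _recv_exact(sock, HEADER_LEN)
        length = struct.unpack("<I", header[12:16])[0]   # data_length field
        reply = header + _recv_exact(sock, min(length, MAX_PAYLOAD))
    return classify(reply), parse_banner(reply)
```

Run probe() only against boxes you own: it sends nothing beyond the protocol's opening message, but that message is exactly the first packet a scanner like Ares would send, so an IDS may flag it. An "adb-unauthenticated" answer means anyone who can reach the port can run shell commands and install packages on the box, which is the condition the researchers describe.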
The Ares outbreak marks the intersection of two rapidly growing malware arenas: Android mobile devices and embedded IoT gear. The attacks on IoT devices in particular have proven startlingly effective in recent years with the rise of massive botnets like Mirai that make quick work of poorly guarded appliances and network gear.
WootCloud said it saw the biggest risk from Ares in the potential for the malware to use the pwned set-top boxes as the jumping-off point for attacks on other Android devices, particularly smart TVs, which in many cases use the same vulnerable ADB policies to manage their connections.
"The biggest threat associated with these Android set-top boxes, apart from the Ares vulnerability that we discovered, is the presence of an open and unauthenticated ADB service running on internet-connected devices," said WootCloud founder and CTO Srinivas Akella.
"Unless we stay vigilant, the probability is huge that any enterprise or consumer could find themselves a victim to hacking attacks through these set-top boxes and, down the line, even by way of the smart TVs and other consumer IoT devices."
Those with the technical prowess can protect against attacks by locking down ADB access to authorized IP addresses only (filtering at the router if the box itself offers no firewall, and disabling ADB over TCP outright where the box allows it) and keeping an eye on outgoing network traffic from the set-top boxes, since a compromised unit will call home to its controller and start scanning its neighbours. Users are also advised to set passwords on their devices for interfaces like Telnet, SNMP, and web. ®