Google Patches Serious Android TV Security Flaw Exposing User Accounts

TL;DR: Google has patched a critical Android TV security flaw that granted attackers access to users’ entire Google accounts by sideloading apps. The issue was brought to light by a US senator, prompting Google to change its stance and issue a fix.

Google has fixed a big issue in the Android TV account security system. This issue would allow attackers with physical access to your device to get into your whole Google account by simply sideloading some apps.

The issue was originally brought to Google’s attention by US Sen. Ron Wyden as part of a review of the privacy practices of streaming TV technology providers. Google first told the senator that the issue was expected behaviour but, after media coverage, decided to change its stance and issue a patch.

This is a big deal.

The heart of the issue is how Android treats your Google account. Android starts from the assumption that every device is a private, one-person device. Google has built on top of that with multiuser support and guest accounts, but these aren’t part of the default setup flow, can be hard to find, and are probably disabled on many Android TV boxes.

The result? Signing in to an Android TV device often gives it access to your entire Google account.

Android has a central Google account system shared by a million Google-centric background and syncing processes, the Play Store, and nearly all Google apps. When you boot an Android device for the first time, the guided setup asks for a Google account, which is expected to live on the device forever as the owner’s primary account.

Any new Google app you add to your device automatically gets access to this central Google account repository. So if you set up the phone and then install Google Keep, Keep automatically gets signed in and gains access to your notes.

This central account system is hungry for Google accounts.

Any Google account you use to sign in to any Google app gets sucked into the central account system, even if you decline the initial setup.

For TVs, this presents a unique gotcha because, while you will still be forced to log in to download something from the Play Store, it’s not obvious that you’re granting this device access to your entire Google account, including potentially sensitive things like location history, emails, and messages.

To the average user, a TV device just shows “TV stuff” like your YouTube recommendations and a few TV-specific Play Store apps, so you might not consider it to be a high-sensitivity sign-in. But if you just sideload a few more Google apps, you can get access to anything.

Further confusing matters is Google’s OAuth strategy, which teaches users that there are things like scoped access to a Google account on third-party devices or sites, but Android does not work that way.

In the video demonstrating the issue, the YouTuber simply grabs an Android TV device, goes to a third-party Android app site, and then sideloads Chrome. Chrome automatically signs in to the TV owner’s Google account and has access to all passwords and cookies, which means access to:

  • Gmail
  • Photos
  • Chat history
  • Drive files
  • YouTube accounts
  • AdSense
  • Any site that allows for Google sign-in
  • Partial credit card info

It’s all available in Chrome without any security checks. Individual apps like Gmail and Google Photos would immediately start working, too.

As the video points out, Android TV devices can be dongles, set-top boxes, or code installed right into a TV. In businesses and hotels, they can be semi-public devices.

It’s not hard to imagine a TV device falling into the hands of someone else. You might not worry too much about forgetting a $30 Chromecast in a hotel room, or you might sign in to a hotel TV and forget to delete your account, or you might throw out a TV and not think twice about what account it’s signed in to.

If an attacker gets access to any of these devices later, it’s trivial to unlock your entire Google account.

Google says it has fixed this problem, though it doesn’t explain how. Many Android TV devices, especially those built into TV sets, are abandonware and run an old version of the software, but Google’s account system is updatable via the Play Store, so there’s a good chance a fix can roll out to most devices.

Vik
