Security flaws in firmware used by 30+ popular TV brands

The independent security software tester AV-Comparatives has joined up with sigma star gmbh and decided to inform the general public of several critical vulnerabilities in Vestel firmware. Vestel is one of the largest manufacturers of electronics components in the world. Vestel components are used in more than 30 popular TV brands, including Medion.

WikiLeaks tale turns into real-life security threat

In March 2017 WikiLeaks revealed news about the CIA and MI5 hacking smart TVs to spy on you. At AV-Comparatives we decided to fact-check this story by performing a quick security check on the Medion smart TV we use in our conference room. To our surprise, we discovered real security issues and decided to ask sigma star gmbh (specialized in IoT) to analyze these issues in detail. sigma star gmbh confirmed the severity of these security issues. We informed Medion on April 4th 2017 about these flaws. After warning Medion that the 90-day responsible disclosure period had passed, Medion formally responded:

We respect Medion’s request to further investigate two critical vulnerabilities and will not disclose them for an additional period of 30 days. Although the formal response of Medion is correct and polite, the best outcome seems to be a solution for newer models only. Existing owners are not offered a solution (firmware update) that fixes those critical security vulnerabilities.

Appeal to consumers and smart TV vendors

We advise consumers, when buying smart TVs, to ask that the ‘latent defects’ consumer protection clause also apply to firmware. A list of possibly affected products can be obtained from Wikipedia. Hopefully the affected smart TV vendors will persuade Vestel to provide a firmware update for these severe security issues.

For more details, please download the PDF report from here.