The proliferation of smart devices has revolutionized the way we consume media, with TV set-top boxes becoming an integral part of our entertainment ecosystem. However, recent reports have raised concerns about the sale of malware-infected set-top boxes on popular online marketplaces like Amazon and AliExpress. The Electronic Frontier Foundation (EFF), a leading advocate for digital rights, has called on the Federal Trade Commission (FTC) to take action against resellers who knowingly distribute these compromised devices1.
The Threat of Malware-Infected Set-Top Boxes
Malware-infected set-top boxes pose a significant risk to consumers. These devices, particularly those manufactured by Chinese companies AllWinner and RockChip, come pre-loaded with malware before being sold to unsuspecting customers1. Once connected to the internet, these devices immediately start communicating with botnet command and control servers, enabling them to join a vast click-fraud network without the buyer’s knowledge1.
Click-fraud involves artificially inflating the number of clicks on online advertisements, generating revenue for the attackers at the expense of advertisers. This nefarious activity not only siphons advertising dollars but also exposes buyers to legal risks. The compromised devices use the buyer’s internet connection as a proxy, making it appear as though the malicious activities originate from their network1.
The Call for FTC Intervention
In a letter addressed to the FTC, the EFF highlights the responsibility of resellers in addressing this issue. They argue that resellers should be held accountable for selling devices known to contain harmful malware1. Additionally, the EFF emphasizes the need for resellers to promptly remove these compromised devices from the market once their malicious nature is revealed and confirmed1.
The EFF also raises concerns about the challenges faced by security researchers and consumers in reporting these issues to resellers. Daniel Milisic, a security researcher, found it difficult to reach out to Amazon and report the malware-infected devices1. The EFF’s own attempts to contact Amazon yielded no significant action, as the products continue to be available for purchase1.
Protecting Consumers and Addressing Legal Risks
Consumers who unknowingly purchase malware-infected set-top boxes face both immediate and long-term risks. These devices not only participate in click-fraud schemes but also expose the buyers to legal consequences. Any malicious activities conducted through the device’s proxy appear to originate from the buyer’s internet connection, potentially leading to legal repercussions1.
To address these risks, the EFF urges the FTC to take several actions. Firstly, they call for sanctions against resellers who advertise and sell devices without disclosing the inherent dangers they pose1. Secondly, the EFF requests the FTC to facilitate a more accessible reporting process for consumers who encounter compromised devices, either by directly notifying the vendors or through the commission itself1.
The Rising Threat of Compromised Consumer Devices
The presence of malware-infected set-top boxes in the consumer supply chain is a concerning trend. Threat actors can exploit vulnerabilities in the supply chain and deliver infected devices to unsuspecting users1. While supply-chain attacks on consumer devices are relatively rare compared to general attacks, they can have devastating consequences1.
Eliminating supply-chain issues can be a challenging task, often requiring device recalls or redesigning hardware and firmware1. Traditional vulnerabilities can be addressed through patching or configuration updates, but supply-chain attacks necessitate a more comprehensive approach to ensure the security of consumer devices1.
Choosing Trusted Brands for Enhanced Security
Given the risks associated with malware-infected set-top boxes, consumers are advised to purchase devices from trusted and recognizable brands. Larger brands have a vested interest in securing their devices and promptly addressing any security vulnerabilities1. They allocate resources to provide ongoing updates and support, reducing the likelihood of compromised devices reaching the market.
In contrast, off-brand devices may lack the resources necessary to address security vulnerabilities or may be challenging to trace back to their manufacturers1. Consumers with Android devices should also ensure that their devices are Play Protect-certified, as uncertified devices may be more susceptible to fraudulent apps and malicious activities1.
