Google says it has patched a nasty loophole in the Android TV account security system, which would grant attackers with physical access to your device access to your entire Google account just by sideloading some apps. As 404 Media reports, the issue was originally brought to Google’s attention by US Sen. Ron Wyden (D-Ore.) as part of a “review of the privacy practices of streaming TV technology providers.” Google originally told the senator that the issue was expected behavior but, after media coverage, decided to change its stance and issue some kind of patch.
“My office is mid-way through a review of the privacy practices of streaming TV technology providers,” Wyden told 404 Media. “As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set-top box, a criminal could get access to private emails of the Gmail user who set up the TV.”
The video in question was a PSA from YouTuber Cameron Gray, and it shows that grabbing any Android TV device and sideloading a few apps will grant access to the current Google account. This is obvious if you know how Android works, but it’s not obvious to most users looking at a limited TV interface.
The heart of the issue is how Android treats your Google account. Because the OS began on phones, every Android device starts with the assumption that it is a private, one-person device. Google has built on top of that feature with multiuser support and guest accounts, but these aren’t part of the default setup flow, can be hard to find, and are probably disabled on many Android TV boxes. The result is that signing in to an Android TV device often gives it access to your entire Google account.
Android has a centralized Google account system shared by a million Google-centric background and syncing processes, the Play Store, and nearly all Google apps. When you boot an Android device for the first time, the guided setup asks for a Google account, which is expected to live on the device forever as the owner’s primary account. Any new Google app you add to your device automatically gets access to this central Google account repository, so if you set up the phone and then install Google Keep, Keep automatically gets signed in and gains access to your notes. During the initial setup, where you might install 10 different apps that use a Google account, it would be annoying to enter your username and password over and over again.
This centralized account system is hungry for Google accounts, so any Google account you use to sign in to any Google app gets sucked into the central account system, even if you decline the initial setup. A common annoyance is to have a Google Workspace account at work, then sign into Gmail for work email and then have to deal with this useless work account showing up in the Play Store, Maps, Photos, etc.
For TVs, this presents a unique gotcha because, while you will still be forced to log in to download something from the Play Store, it’s not obvious to the user that you’re granting this device access to your entire Google account—including to potentially sensitive things like location history, emails, and messages. To the average user, a TV device just shows “TV stuff” like your YouTube recommendations and a few TV-specific Play Store apps, so you might not consider it to be a high-sensitivity sign-in. But if you just sideload a few more Google apps, you can get access to anything. Further confusing matters is Google’s OAuth strategy, which teaches users that there are things like scoped access to a Google account on third-party devices or sites, but Android does not work that way.
In the video, Gray simply grabs an Android TV device, goes to a third-party Android app site, then sideloads Chrome. Chrome automatically signs in to the TV owner’s Google account and has access to all passwords and cookies, which means access to Gmail, Photos, Chat history, Drive files, YouTube accounts, AdSense, any site that allows for Google sign-in, and partial credit card info. It’s all available in Chrome without any security checks. Individual apps like Gmail and Google Photos would immediately start working, too.
As Gray’s video points out, Android TV devices can be dongles, set-top boxes, or code installed right into a TV. In businesses and hotels, they can be semi-public devices. It’s also not hard to imagine a TV device falling into the hands of someone else. You might not worry too much about forgetting a $30 Chromecast in a hotel room, or you might sign in to a hotel TV and forget to delete your account, or you might throw out a TV and not think twice about what account it’s signed in to. If an attacker gets access to any of these devices later, it’s trivial to unlock your entire Google account.
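The practical defense the article implies is knowing which Google accounts are still signed in on every Android TV device you own or have touched, so they can be removed. The script below is an added example, not part of the article or of any Google tooling: it parses the output of `adb shell dumpsys account` (which on recent Android builds lists each user's accounts as `Account {name=..., type=...}` lines under a `User UserInfo{...}` header; both shapes are assumptions about the format, which varies between Android versions) and reports every `com.google` account per user profile. The embedded sample output is constructed, not captured from a real device, so the example runs offline; `fetch_live_dumpsys` is the optional hook for a connected device with USB debugging enabled.

```python
"""Audit which Google accounts are signed in on an Android / Android TV device.

Added example (not from the Ars Technica article). Assumes `dumpsys account`
prints, per user, a header like
    User UserInfo{0:Owner:13}:
followed by lines like
    Account {name=someone@gmail.com, type=com.google}
Only those two shapes are relied on; anything else in the dump is ignored.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample modelled on a TV box with an owner profile holding two
# Google accounts and an empty guest profile. Not real device output.
SAMPLE_DUMPSYS = """\
User UserInfo{0:Owner:13}:
  Accounts: 2
    Account {name=owner@gmail.com, type=com.google}
    Account {name=owner@example-workspace.com, type=com.google}
  RegisteredServicesCache: 12 services
User UserInfo{10:Guest:404}:
  Accounts: 0
"""

USER_RE = re.compile(r"User UserInfo\{(\d+):([^:}]*):[^}]*\}")
ACCOUNT_RE = re.compile(r"Account \{name=([^,}]+), type=([^}]+)\}")


@dataclass(frozen=True)
class DeviceAccount:
    user_id: int      # Android user/profile id (0 is the owner)
    user_name: str    # profile label from the UserInfo header
    name: str         # account identifier, e.g. an email address
    type: str         # account type, "com.google" for Google accounts


def parse_accounts(dumpsys_text: str) -> list[DeviceAccount]:
    """Extract every account line, tagged with the user profile it sits under."""
    accounts: list[DeviceAccount] = []
    user_id, user_name = 0, "unknown"
    for line in dumpsys_text.splitlines():
        header = USER_RE.search(line)
        if header:
            user_id, user_name = int(header.group(1)), header.group(2)
            continue
        acct = ACCOUNT_RE.search(line)
        if acct:
            accounts.append(DeviceAccount(user_id, user_name,
                                          acct.group(1).strip(), acct.group(2).strip()))
    return accounts


def google_accounts(accounts: list[DeviceAccount]) -> list[DeviceAccount]:
    """Only the accounts that feed Android's central Google account store."""
    return [a for a in accounts if a.type == "com.google"]


def report(dumpsys_text: str) -> str:
    """Human-readable summary: one line per Google account, grouped by profile."""
    found = google_accounts(parse_accounts(dumpsys_text))
    if not found:
        return "No Google accounts signed in on this device."
    lines = [f"{len(found)} Google account(s) signed in:"]
    for a in found:
        lines.append(f"  user {a.user_id} ({a.user_name}): {a.name}")
    lines.append("Remove any account you do not want this device to hold "
                 "(Settings > Accounts & Sign-in) before lending, selling or discarding it.")
    return "\n".join(lines)


def fetch_live_dumpsys() -> str:
    """Pull the real dump from a device connected over adb (requires USB debugging)."""
    return subprocess.run(["adb", "shell", "dumpsys", "account"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_live_dumpsys() for a real device.
    print(report(SAMPLE_DUMPSYS))
```

The parser deliberately keys on the account lines rather than on the `Accounts: N` counters, so a profile whose counter and listing disagree (or a dump from a build that omits the counter) still yields the accounts that are actually present.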
Google says it has fixed this problem, though it doesn’t explain how. The company’s statement to 404 says, “Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of the devices. As a best security practice, we always advise users to update their devices to the latest software.”
Many Android TV devices, especially those built into TV sets, are abandonware and run an old version of the software, but Google’s account system is updatable via the Play Store, so there’s a good chance a fix can roll out to most devices.
https://arstechnica.com/?p=2020252