Discussion
@briankrebs i might end up middle-ing this little fscker when I get back to Iowa on Monday; Unifi doesn't inspect encrypted traffic but like any OG hacker I've got mirrors and spans on switches specifically for this reason 😂 there's a lot of typical stuff I would expect for this thing but I'm curious what goes on inside those encrypted connections that aren't to streaming platforms. #householdIT #privacy #androidTV
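One way to do the "what talks to something other than a streaming platform" triage that the post above describes, on the flow records a span or mirror port collector exports. This is an added example, not code from the thread or from any product; the flow records, the `.example` hostnames and the streaming-domain allowlist are all constructed placeholders. Because TLS hides the payload, the script looks only at metadata: which destinations are outside the expected streaming set, how much the box sends them, and whether the connections recur on a fixed interval (the beacon-like pattern a defender wants surfaced first).

```python
"""Per-destination summary of a streaming box's outbound flows from a span port.

Added example; all hosts, suffixes and flow records below are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample flows, in the shape a NetFlow/Zeek-style exporter gives:
# (timestamp in seconds, destination host, destination port, bytes sent by the box).
SAMPLE_FLOWS = [
    (100, "cdn.streaming-a.example", 443, 5_000_000),
    (120, "api.unknown-host.example", 443, 900),
    (160, "cdn.streaming-a.example", 443, 4_800_000),
    (420, "api.unknown-host.example", 443, 910),
    (500, "update.unknown-host.example", 443, 2_000),
    (720, "api.unknown-host.example", 443, 905),
    (1020, "api.unknown-host.example", 443, 898),
]

# Hypothetical allowlist of streaming-platform domain suffixes. A real list is
# built from the destinations the box is seen using while actually playing video.
STREAMING_SUFFIXES = ("streaming-a.example", "streaming-b.example")


@dataclass
class Destination:
    host: str
    port: int
    flows: int = 0
    bytes_out: int = 0
    timestamps: list = field(default_factory=list)


def is_streaming(host, suffixes=STREAMING_SUFFIXES):
    """True if host is, or is a subdomain of, an allowlisted streaming domain."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def beacon_period(timestamps, max_jitter=0.2):
    """Mean interval if three or more flows recur at near-constant spacing, else None.

    max_jitter is the allowed ratio of interval standard deviation to mean interval.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg if pstdev(gaps) / avg <= max_jitter else None


def summarize(flows):
    """Aggregate flows by (host, port) into Destination records."""
    dests = {}
    for ts, host, port, nbytes in flows:
        d = dests.setdefault((host, port), Destination(host, port))
        d.flows += 1
        d.bytes_out += nbytes
        d.timestamps.append(ts)
    return dests


def unexpected_destinations(flows, suffixes=STREAMING_SUFFIXES):
    """Destinations outside the streaming allowlist, periodic (beacon-like) ones first.

    Returns tuples of (host, port, flow count, bytes out, beacon period or None).
    """
    rows = []
    for d in summarize(flows).values():
        if is_streaming(d.host, suffixes):
            continue
        rows.append((d.host, d.port, d.flows, d.bytes_out, beacon_period(d.timestamps)))
    rows.sort(key=lambda r: (r[4] is None, r[0]))
    return rows


if __name__ == "__main__":
    for host, port, n, nbytes, period in unexpected_destinations(SAMPLE_FLOWS):
        tag = f"periodic every ~{period}s" if period else "no fixed interval"
        print(f"{host}:{port}  flows={n}  bytes_out={nbytes}  {tag}")
```

Run against a real export, the sorted output puts the small, regularly spaced connections to non-streaming hosts at the top; those are the ones worth pulling the SNI or certificate for from the mirror capture.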
@briankrebs
Are there any reputable EU brands for streaming boxes?
For a consumer it is quite hard to buy good stuff when we only hear "China is bad" but every box I have reads made in China, even Apple.
@briankrebs I bought a Chrome Streaming brick for $20 a few years ago after Linus Tech Tips reviewed a bunch of them. It was the only one that was bog-standard android with nothing added. Granted he didn't do a binary compare against a build he created himself, but it was $20 and seemed a reasonable backup if my Roku became problematic.
Fast forward to November and I can't find the thing. "It's here SOMEWHERE" is happening more and more. But as a rule, I don't like IoT crap and tend to not allow it on my network. But this warning is worth noting anyway.
@briankrebs All of this is down to the greed of the big media companies creating demand for their products.
Products that many people in the world do not have the financial resources to pay for.
A bit like your local dealer creating demand for illicit drugs produced in Central and South America.
Such problems are caused by the inherent inequality of oligarch and mafia based capitalism.
The poor do not have the means to comprehend the consequences of their attempts to save money.
@briankrebs I suspect that label means "The firmware doesn't contain the mandatory hooks for the Chinese government.".
@briankrebs And why, exactly, would Chinese TV box vendors ship malware from someone who's clearly bigoted towards Chinese people, as per the article that you link?
This feels like a rather tenuous, and frankly sinophobic, connection that you're drawing here to the "overseas use only" phrasing, which has also appeared on e.g. travel adapters and is far more likely to have to do with non-compliance to certain regulations in certain countries.
For the record, I am mainly interested in seeing the major US retailers moving to stop selling these devices, period. That seems to be happening, at least on the ones that are being called out. But the only reason that's happening now is because more people (present company included) are starting to make a lot more noise about it.
https://bsky.app/profile/did:plc:ije2xwkpyayz53imvbibvuqf/post/3marmcx23cc2f
@briankrebs the best roku is $100 how far into the barrel do you gotta be scraping to find one of these?
Since I started writing about these particular video devices, I've gotten a lot of messages from readers asking, okay, but what about *this* model, as if just having a different model number or brand makes a difference. The underlying hardware and software is functionally the same.
@briankrebs my in-laws have one they refuse to give up. The language barrier means I have trouble translating “evil malware ridden box” into Cantonese.
Saving grace? Power is expensive so they turn it off whenever they aren’t watching TV.
@briankrebs
Since all the boxes will probably be dumped soon, is the hardware any good to format and repurpose?
I'll add that pro-piracy advocates are militant in their observation that technology is not inherently this or that, that it's all just how the technology is used. The subtext is, okay, maybe these things are designed w/ zero security and are a major security liability, but hey you can still flash them with whatever you want and run your own stock firmware or hardware, etc. No reason to distrust these devices at a more fundamental level, even though every single point of evidence about their design, manufacture and sale points to the opposite conclusion being the correct one.
Also, the people saying the loudest that this is a nothingburger are the same people who think flashing firmware and running custom ROMs is a thing they want to do. Most people who buy these devices a) have no clue what a liability they are and b) wouldn't begin to know how to do that, or that they might need to. To me, it's a form of class snobbery.
@briankrebs Recently the Slovenian police did a house search and seized an Android TV device from a very surprised person who had no idea that often these cheap dongles come ready with several infections pre-installed. And earlier this month I had the pleasure of listening to the excellent talk on the subject of residential proxies by Fyodor from Trend Micro at the Ljubljana FIRST TC. Here is the article on the subject: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-rise-of-residential-proxies-and-its-impact-on-cyber-risk-exposure-management
@xmas Thanks, that's interesting. Hadn't heard about that.
@briankrebs We had another presentation at the mentioned TC by Lindsay Kaye from HUMAN Security (US) on BadBox2 infections of TV devices: https://www.first.org/events/colloquia/ljubljana25/program#pWhen-Your-CTV-Box-Goes-Rogue-How-Millions-Were-Tricked-Into-Aiding-a-Global-Cybercrime-Operation We’re also investigating cases like these at @sicert HTH
Even knowing how to flash (err, brick) a device, I've better things to do nowadays.
@briankrebs I wonder how many advertising/display systems are using this. I know of at least one that was based on Android TV boxes.
@briankrebs
You're absolutely correct about the class/tech snobbery, as a reformed snob myself.
While it's intellectually useful to have an open platform, we have to ask ourselves how that freedom is used to help? Is it? Or is it mostly used to absolve ourselves of responsibility?
At the same time it's also worth noting that a vertically integrated platform is not inherently more secure.
It's also absolutely wild how the intersection of "pay me more" (a la carte) streaming and cable and greed is exactly what pushes this kind of crap directly to, say, retired folk. This isn't the first time someone's asked me: are these even legal? (Answer: sort of, not really, it's a loophole they'll close eventually)
These devices are a symptom of a much larger issue - networks and technology designed to be flexible and resilient and run by professionals (i.e. the internet) being repurposed and used by for-profit entities (both the video streaming providers and those who prey on them) with basically no regulation or protections on the technical side. Laws and regulations are insufficient with international networks. NAT ain't enough. TCP/IP wasn't designed for security or copyright - it was designed for sharing and robustness. And both law and practice lag very far behind people exploiting this openness for both innovation and profit.
When you use the wrong tools for the job, this sort of thing happens.
Since we, as consumers, are nearly always seen as prey - walking wallets to be milked and/or dupes who will willingly host a botnet - I have no moral qualms about repurposing their hardware for goodness and justice. There is a poetry in pwning the pwner and giving my family hardware that I can personally vouch for the safety of, because it's my OS and config. What we need is education and tools to help the normals recognize the dangers and protect themselves from *all* of those who would exploit their very reasonable desire to not be a tech dork.
I can drive my car safely without being a mechanic - It'd be nice if my relatives could drive a set-top box safely too.
@briankrebs I think there are quite some assumptions here that might be valid in some parts of the world, but they are not here.
Where I am, these cheap devices are an alternative for Smart TVs (or a way to avoid replacing an outdated Smart TV entirely) and people tend to run applications on them that require a subscription and offer only licensed content.
I agree they should not be sold as they are, but I do think it's valid to provide existing owners with options for re-use.
Question is - how locked down are they? Because if they're cheap enough, they might be viable hardware to re-purpose for all sorts of fun things. If you have a sub-$100 box that can reliably stream 4k video and can be lobotomized and re-purposed, you have Pi competition.
I really wish you made it clearer why you mentioned China in the first place. I get your meaning that it shows the device doesn't meet local quality/security standards (and thus that it shouldn't be accepted by ours), but as shown by several of the threads replying to your post, the ongoing politics in the USA -- on both sides of the aisle -- have fostered an environment where if something might be taken in a sinophobic direction, it will be.
Still, thanks for spreading the warning.
For everyone else who read the post and felt inclined to respond with some variation on "government spyware", deep shame on you. The linked article doesn't even mention anything remotely related to that -- the only references to China are in blocks of stats-by-country, and a very brief mention of a (derogatory) log message the virus output. At least you've revealed yourselves as people who only read the headlines, who are eager to be casually racist, and who can be swiftly blocked.
@briankrebs Same applies to "made in <own country>" but not marked for overseas usage, right?
A lot of imported products from many countries are labelled "for overseas use" or similar.
This is usually because taxes like VAT were not paid on those products. A lot of products from the UK and EU have similar labels.
Sometimes it relates to intellectual property rights. The manufacturer pays a lower royalty rate for tech or creative works for exported goods.
This isn't to say that those products aren't insecure. But the label is more likely related to taxes and royalties than to hacking and surveillance.
@briankrebs or, maybe, it's for tax purposes.
@briankrebs What do you recommend in order to not end up running infected Chinese hardware? Most things are built in China these days, it's shocking.
@oneloop The biggest problematic category of consumer tech goods that have this problem (by far) are video streaming devices, many of which advertise the ability to get something for nothing. My recommendation is to be extremely wary of these devices full stop.
@briankrebs Since I don't trust the big TV brands with their smart TVs, why should I install such a device?
For giving more information about everything I do?
Sorry, even if it's just a "personalized" advertisement, NO
Smart is the new stupid for me. Maybe I connect devices in my home, but let them communicate with some kind of "control server" in the cloud? Never, it brings everything for others but no advantage for me. No matter what any marketing departments want to tell me.
@briankrebs The main reason for this are the differences in allotted frequency bands and the related limits. What's compliant in the US often is absolutely not in the EU or China or India for that matter. Not everything is a conspiracy.
note you're talking about something carrying a proprietary, remotely-controlled operating system. are you not concerned about its universal backdoor?
@briankrebs
If you're going to trash that, can I have the ram please?
@briankrebs Apple does the same shit, you despicable person!
@briankrebs i wish more mainstream consumer routers ran proper firewall software and that mainstream users knew how to use it to create no-WAN networks for these things
@briankrebs while your wider point is valid, based on extensive experience around networks and travel, I would suspect that the "overseas use only" equipment lacks censoring capabilities which domestic products would contain.
A German ISP once lost subscriber access to Google because Huawei accidentally put the wrong firmware on their DSLAM? GPON? I forget, but it's equipment you would not have expected to do DNS-level-anything as it was ISO/OSI layer one or two.
@briankrebs But .... but .... but it's cheap! And it's pretty! It comes in 6 different colors!
@briankrebs botnet is bad sure, but I can only think of when all of Hezbollah's beepers exploded suddenly without warning.
@briankrebs In this context, this might be interesting as well: https://youtu.be/R82pt4rLhBQ?si=Wd_mqQMDJD6Mowbo
It's the first video of a series of reversing a so called Superbox S6 Pro.
"When an entire class of technology states on the packaging that it was made in China but is intended "for overseas use only", you should think twice before connecting it to your network.
You will find this information on many Android TV streaming devices for sale at major retailers. There is a very good reason why the country that makes this junk doesn't want it on its own networks. My advice: if you have one of these Android streaming devices on your network or are given one, throw it in the trash. I'll be saying a lot more about this in the New Year, but these devices are responsible for building a botnet that currently numbers about 2 million devices and is growing rapidly. https://blog.xlab.qianxin.com/kimwolf-botnet-en/ "
@briankrebs it is good advice not to let any Android TV or any smart TV connect to your network
China is up to a lot of dodgy stuff. As is Google, Amazon, [insert any number of private actors]
And as far as state actors go the USA is by far the most dangerous and disingenuous of the lot.
I do think being skeptical of Chinese network appliances is good. But not because they are Chinese, because they are network appliances
@briankrebs Huawei 5G hardware has been rejected for some reasons. However, central government transferred the objectives onto other (still in use) suppliers. The west (so called) is proud of its systematic thinking while The East thinks in systems... In this case...bravo China :)
@briankrebs ok but 4Gb of RAM
@briankrebs
So I’ve never read any of these security things…. Just read the one you shared. #thanksforsharing
I had to ask a LLM to explain it to me. Then I asked how I might determine if any of my devices are bots….
We’re screwed.
@briankrebs question: we have a Sony TV that has smart features. We do _not_ provide it with Internet connectivity. We do use a Roku and OTA broadcast. Yes, the Roku has a mic, but no camera.
Are we still being cyber-risky?
@Blueteamsherpa I really have not looked at the Roku devices, but my sense is that they are in a completely different category than the vast majority of these many no-name streaming boxes which are kind of made for pirated TV and movies.
My TV is from before smart TV
I use it with a laptop beside it connected via HDMI
For my next TV there seems to be no choice, so I will do the same thing. No internet connection directly but via a Linux laptop and an HDMI cable
@briankrebs I think the "Overseas Use Only" is because a device for use in China would have to comply with the Great Firewall and not try to connect you to streaming services that are banned in China.
@briankrebs As easy as it is to hate on China, let's please recheck. They are behind their firewall that renders anything unusable or at least close to unusable that is connecting from outside to inside and vice versa.
Not that cheap TV boxes are to be expected high quality, that is.
@CyReVolt Okay. Everyone here is such an expert. Can't wait for next year.
@briankrebs @CyReVolt Haven't forgotten about Naomi Wu @SexyCyborg and the Chinese keyboard spyware she discovered. Govt came down on her pretty quick.
There's also a reason why Tiktok had two totally separate versions (domestic and export).
@briankrebs Interestingly enough, you also find that kind of label on some American foods. "For sale only in the United States, overseas territories, and military bases". Surely WE'RE not the botnet.... are we??
@briankrebs You're right, all Chinese made TVs should block youtube, all things google, wikipedia, yandex video, twitch and all things amazon by default, just like they have to in mainland China.
@briankrebs Also, a brief list of TV networks that should not be viewable on any Chinese made TV:
ABC, ABC (au), CBC, All BBC channels, NBC, HBO, Bloomberg, WION, TIME and so on.
I guess what I'm saying is that this is the stupidest fucking take out of all the stupid takes you've ever had.
@briankrebs don't worry, America has been doing the same and releasing software and hardware with backdoors in it to everyone for decades.
@briankrebs Fairly interesting too that according to "reports" some AndroidTVs have not had a software update in ages. I'm yet to make a fuss about it but...
@briankrebs The cited article makes this sound more like the boxes get infected with something through post-purchase install.
The TVs that are packaged for overseas have the software for overseas that includes access to stuff that their own citizens are not allowed to access. The main google app stores and such.
Stuff like CE and FCC marks are for the whole package. Software included.
The botnet is a worry and these things are NOT secure, but this stamp doesn't say anything worrisome for us
Page won't load for me. archive.org to the rescue : https://web.archive.org/web/20251221132941/https://blog.xlab.qianxin.com/kimwolf-botnet-en/
"Investigations found that the author of Kimwolf shows an almost "obsessive" fixation on the well-known cybersecurity investigative journalist Brian Krebs, leaving easter eggs related to him in multiple samples.
For example, in sample 2078af54891b32ea0b1d1bf08b552fe8, the domain fuckbriankrebs[.]com is embedded in both its udp_dns and mc_enc attack methods, used to generate DNS request payloads."
😂🤣
@briankrebs I looked through the article, but I don't see how China-produced products are related to this botnet. Doesn't the malware focus on Android streaming boxes regardless of where they were produced? As far as I can see, the article didn't link the botnet to China either. (These are genuine questions, btw.)
telling people to waste perfectly good TV boxes that can run Linux is absolutely the wrong takeaway
@burnoutqueen ok. that's fine. I recognize there are some people who think piracy is a right and anyone saying otherwise is ill-informed, a tech noob, or a fear monger.
Look at this guy taking a shot at the entire Copyleft movement 😆
You should stick to something safe, like an Amazon Firestick.
They're made in...
China!
https://www.accio.com/supplier/amazon-fire-stick-manufacturer
@briankrebs@infosec.exchange
I do find it funny that "FOR OVERSEAS ONLY" is written in ENGLISH and not Mandarin. You would think if a product was not designed for the Chinese market, it would warn the Chinese that the product is for export only, in Chinese. Most Chinese are not bilingual. LOL.
@briankrebs Krebs is on mastodon! Awesome! Following.
@briankrebs How do those devices (along with all the fridges and IOT cameras that make up most botnets) get infected? Aren't most of them behind NAT? I understand "default passwords", but for that to be a problem, there has to be a way for the attacker to connect to a device in the first place, and that is the part I don't get.
@miki this is the subject of my reporting in the New Year. Stay tuned.
@briankrebs I don't think China is a country. I think it's a stateless territory infested by a criminal communist terrorist organization whose kingpin is Xi Jin Ping.
@briankrebs I don’t own one but my understanding is that these Android TV boxes are typically used for watching pirated content. I can’t see any company putting heavy efforts into the security of their product when it’s used for this purpose. Whether they’re intended to be a Trojan horse or not, the risk their use brings is too high in my humble opinion and I agree with Brian, they should be binned.
@fellows @briankrebs Usually, only one manufacturing run is done, and the units are dumped on the market. Sometimes subsequent runs are marketed as the same unit (just different revs).
@briankrebs Evidence that "these things are responsible for building out a botnet that currently has ~2M devices and is growing rapidly"?
@clock are you asking for evidence? Read the story I linked from XLAB.
@briankrebs You seem to be implying this violates some chinese security regulations and isn't approved for domestic sale, but the much more likely explanation is that these boxes are banned in China due to state media control concerns: https://www.ibtimes.com/china-cracks-down-set-top-box-market-bans-popular-streaming-apps-2189776
@briankrebs note that you can run Armbian on some of these. Be sure to look at the Armbian forums for unofficial builds if there's no official build.
@jschwart AFAIK, there's no way to use these devices securely.
@briankrebs it's not clear to me why replacing the entire software wouldn't make them secure.
It might possibly even work to simply kill the offending applications. I have a very cheap box (was around $25) which became quiet with regard to traffic after I stopped various applications (mainly a torrent one that was there with a preconfigured torrent and was establishing a lot of connections).
When I insert an SD card with Armbian, it just boots that instead of Android.
@briankrebs the XLAB article mentions the X96Q which matches the model on my box (there are different boxes with that model though).
It also mentions that the culprit is in some .so files from a particular apk. This means running Armbian should be fine if you have an affected box:
Working images can be found on the forums: https://forum.armbian.com/search/?q=X96Q
I'll check if my box has those apk/so files when I get an opportunity.
Generally the hardware itself should be fine though, wasteful to just bin it.
@briankrebs @jschwart How about not hooking it to the Internet and just using it as a display device? (Honest question.)
@machinaecrire @jschwart If I told you a certain brand of Christmas tree lights could burn your house down, would you then pull out all the lights from the strand and use it as an extension cord?
It could be the other way around: less spying for foreigners? After all, China spies on its own citizens more than anyone else.
Meant to link to my previous reporting on this topic, which briefly touches on some of the challenges w/ the ubiquity and sheer insecurity-by-design of most of these Android TV/movie streaming devices
https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/
@briankrebs so are they just out of date with patches, or do they have a RAT pre-installed, or do they have a hardware OMB?
@briankrebs you know I suspected that it's because I've been testing some AI browsers like strawberry, but I am occasionally getting challenged while browsing around and I hadn't considered that it might be related to that. I'm gonna look for all flows going to and from an android TV box that I was sent so I wouldn't return a projector. If anything interesting is going on with that thing I will be loud about it
@briankrebs I have one of these things (without any pirate apps on it.) Loaded ConnectBot, plugged in a keyboard, typed su, got a root prompt. Zero security on those boxes.
@briankrebs I switched to Roku...I hope that's good. I haven't heard anything about Roku yet
@MikeImBack @briankrebs Roku reports your usage every few minutes and shows ads, though both can be subverted with DNS blocks.
@mansr @briankrebs if that's it, I guess I'm okay with that. 99% of the time it's either PlutoTV or Netflix, and 99% of the ads I get are for PlutoTV channels, so they ain't learning very much about me
@mansr @MikeImBack @briankrebs I believe Roku TVs also do Automatic Content Recognition (ACR) on _any_ input and report that as well. Built in Google TV reports to Google. I'm not sure that Apple TV works as hard to make surveillance a revenue stream but I don't really know.
It all sucks out there and the best from a privacy perspective is probably just a computer and browser with uBlock, but that doesn't work well with a remote from the couch
@raven667 @mansr @MikeImBack @briankrebs
Get a hand sized USB keyboard
Or an infrared remote and dongle for your computer
@briankrebs I think you're reading too much into this one Brian. This is most likely because of the different voltage, the US uses 120v, China uses 240v like Europe.
@briankrebs Feels weird that they write "overseas use only" in English...seems like Mandarin might be a better choice perhaps? 🤣🤷🏼♂️
@tdp_org @briankrebs Respectively: why would they warn at all?