Richard "RichiH" Hartmann
@RichiH@chaos.social replied  ·  activity timestamp 6 minutes ago

@briankrebs while your wider point is valid, based on extensive experience around networks and travel, I would suspect that the "overseas use only" equipment lacks censoring capabilities which domestic products would contain.

A German ISP once lost subscriber access to Google because Huawei accidentally put the wrong firmware on their DSLAM? GPON? I forget, but it's equipment you would not have expected to do DNS-level-anything as it was ISO/OSI layer one or two.

Brokar
@Brokar@mastodon.social replied  ·  activity timestamp 34 minutes ago

@briankrebs But .... but .... but it's cheap! And it's pretty! It comes in 6 different colors!

Joacim Jacobsson
@jjacobsson@mastodon.gamedev.place replied  ·  activity timestamp 46 minutes ago

@briankrebs botnet is bad sure, but I can only think of when all of Hezbollah's beepers exploded suddenly without warning.

Bastian
@bastian_S@mastodon.social replied  ·  activity timestamp 2 hours ago

@briankrebs In this context, this might be interesting as well: https://youtu.be/R82pt4rLhBQ?si=Wd_mqQMDJD6Mowbo
It's the first video of a series of reversing a so called Superbox S6 Pro.

lord pthenq1
@pthenq1@mastodon.la replied  ·  activity timestamp 2 hours ago

"When an entire class of technology states on the packaging that it was made in China but is intended "for overseas use only," you should think twice before connecting it to your network.

You will find this information on many Android TV streaming devices for sale at major retailers. There is a very good reason why the country that makes this junk does not want it on its own networks. My advice: if you have one of these Android streaming devices on your network or receive one as a gift, throw it in the trash. I will have much more to say about this in the New Year, but these devices are responsible for building out a botnet that currently has about 2 million devices and is growing rapidly. https://blog.xlab.qianxin.com/kimwolf-botnet-en/ "

@briankrebs

奇安信 X 实验室

Kimwolf Exposed: The Massive Android Botnet with 1.8 Million Infected Devices

Background On October 24, 2025, a trusted partner in the security community provided us with a brand-new botnet sample. The most distinctive feature of this sample was its C2 domain, 14emeliaterracewestroxburyma02132[.]su, which at the time ranked 2nd in the Cloudflare Domain Rankings. A week later, it even surpassed Google
Worik
@worik@mastodon.social replied  ·  activity timestamp 2 hours ago

@briankrebs it is good advice not to let any Android TV or any smart TV connect to your network

China is up to a lot of dodgy stuff. As is Google, Amazon, [insert any number of private actors]

And as far as state actors go the USA is by far the most dangerous and disingenuous of the lot.

I do think being skeptical of Chinese network appliances is good. But not because they are Chinese, because they are network appliances

Kostek Poland
@dAlgorithm@mastodon.social replied  ·  activity timestamp 2 hours ago

@briankrebs Huawei 5G hardware has been rejected for some reasons. However, central government transferred the objectives onto other (still in use) suppliers. The west (so called) is proud of its systematic thinking while The East thinks in systems... In this case... bravo China :)

gkrnours
@gkrnours@mastodon.gamedev.place replied  ·  activity timestamp 3 hours ago

@briankrebs ok but 4Gb of RAM

Joe Stewart
@JoeStewart@toot.io replied  ·  activity timestamp 3 hours ago

@briankrebs
So I’ve never read any of these security things…. Just read the one you shared. #thanksforsharing

I had to ask a LLM to explain it to me. Then I asked how I might determine if any of my devices are bots….

We’re screwed.

BlueTeamSherpa :verified:
@Blueteamsherpa@infosec.exchange replied  ·  activity timestamp 3 hours ago

@briankrebs question: we have a Sony TV that has smart features. We do _not_ provide it with Internet connectivity. We do use a Roku and OTA broadcast. Yes, the Roku has a mic, but no camera.

Are we still being cyber-risky?

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 3 hours ago

@Blueteamsherpa I really have not looked at the Roku devices, but my sense is that they are in a completely different category than the vast majority of these many no-name streaming boxes which are kind of made for pirated TV and movies.

Worik
@worik@mastodon.social replied  ·  activity timestamp 3 hours ago

@briankrebs @Blueteamsherpa

My TV is from before smart TV

I use it with a laptop beside it connected via HDMI

For my next TV there seems to be no choice, so I will do the same thing. No internet connection directly but via a Linux laptop and an HDMI cable

Token Sane Person
@tokensane@mastodon.me.uk replied  ·  activity timestamp 4 hours ago

@briankrebs I think the "Overseas Use Only" is because a device for use in China would have to comply with the Great Firewall and not try to connect you to streaming services that are banned in China.

Daniel 黄法官 CyReVolt 🐢
@CyReVolt@mastodon.social replied  ·  activity timestamp 4 hours ago

@briankrebs As easy as it is to hate on China, let's please recheck. They are behind their firewall that renders anything unusable or at least close to unusable that is connecting from outside to inside and vice versa.
Not that cheap TV boxes are to be expected high quality, that is.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 4 hours ago

@CyReVolt Okay. Everyone here is such an expert. Can't wait for next year.

wyngman
@tasket@infosec.exchange replied  ·  activity timestamp 4 hours ago

@briankrebs @CyReVolt Haven't forgotten about Naomi Wu @SexyCyborg and the Chinese keyboard spyware she discovered. Govt came down on her pretty quick.

There's also a reason why Tiktok had two totally separate versions (domestic and export).

rabbit5959
@rabbit5959@social.vivaldi.net replied  ·  activity timestamp 4 hours ago

@briankrebs Interestingly enough, you also find that kind of label on some American foods. "For sale only in the United States, overseas territories, and military bases". Surely WE'RE not the botnet.... are we??

Nicola
@CryogenicIce9@mastodon.online replied  ·  activity timestamp 4 hours ago

@briankrebs You're right, all Chinese-made TVs should block YouTube, all things Google, Wikipedia, Yandex video, Twitch and all things Amazon by default, just like they have to in mainland China.

Nicola
@CryogenicIce9@mastodon.online replied  ·  activity timestamp 4 hours ago

@briankrebs Also, a brief list of TV networks that should not be viewable on any Chinese-made TV:

ABC, ABC (au), CBC, All BBC channels, NBC, HBO, Bloomberg, WION, TIME and so on.

I guess what I'm saying is that this is the stupidest fucking take out of all the stupid takes you've ever had.

Netraven
@Netraven@hear-me.social replied  ·  activity timestamp 4 hours ago

@briankrebs don't worry, America has been doing the same and releasing software and hardware with backdoors in it to everyone for decades.

doopledi
@doopledi@sauna.social replied  ·  activity timestamp 4 hours ago

@briankrebs Fairly interesting too that according to "reports" some AndroidTVs have not had a software update in ages. I'm yet to make a fuss about it but...

crazyeddie
@crazyeddie@mastodon.social replied  ·  activity timestamp 5 hours ago

@briankrebs The cited article makes this sound more like the boxes get infected with something through post-purchase install.

The TVs that are packaged for overseas have the software for overseas that includes access to stuff that their own citizens are not allowed to access. The main google app stores and such.

Stuff like CE and FCC marks are for the whole package. Software included.

The botnet is a worry and these things are NOT secure, but this stamp doesn't say anything worrisome for us

x41h
@x41h@infosec.exchange replied  ·  activity timestamp 6 hours ago

@briankrebs yup

Regendans
@regendans@todon.eu replied  ·  activity timestamp 6 hours ago

Page won't load for me. archive.org to the rescue : https://web.archive.org/web/20251221132941/https://blog.xlab.qianxin.com/kimwolf-botnet-en/

Becca
@bweller@mstdn.social replied  ·  activity timestamp 6 hours ago

"Investigations found that the author of Kimwolf shows an almost "obsessive" fixation on the well-known cybersecurity investigative journalist Brian Krebs, leaving easter eggs related to him in multiple samples.

For example, in sample 2078af54891b32ea0b1d1bf08b552fe8, the domain fuckbriankrebs[.]com is embedded in both its udp_dns and mc_enc attack methods, used to generate DNS request payloads."

😂🤣

@briankrebs

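For readers asking how to tell whether a device on their own network is affected, one check is to search the local resolver's query log for the two domains quoted in this thread. This is an added example, not part of any post here or of the XLab report; it assumes dnsmasq/Pi-hole-style query log lines, and the sample log lines, client addresses and the `api.` subdomain are constructed.

```python
import re
from collections import defaultdict

# Indicators exactly as quoted (defanged) in this thread.
DEFANGED_INDICATORS = [
    "14emeliaterracewestroxburyma02132[.]su",
    "fuckbriankrebs[.]com",
]

# dnsmasq / Pi-hole query line: "... dnsmasq[pid]: query[TYPE] name from client"
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)"
)


def refang(indicator):
    """Turn a defanged indicator into a normalized, matchable domain."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


def matches(name, indicator):
    """True if name is the indicator or a subdomain of it (label boundary only)."""
    name = name.lower().rstrip(".")
    return name == indicator or name.endswith("." + indicator)


def find_hits(log_lines, indicators=DEFANGED_INDICATORS):
    """Return {client_ip: {indicator: query_count}} for matching DNS queries."""
    wanted = [refang(i) for i in indicators]
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # forwarded/reply/cached lines carry no client address
        for ind in wanted:
            if matches(m.group("name"), ind):
                hits[m.group("client")][ind] += 1
    return {client: dict(counts) for client, counts in hits.items()}


# Constructed sample log: one noisy client, one clean client, one look-alike name.
SAMPLE_LOG = """\
Dec 21 13:29:41 dnsmasq[812]: query[A] www.example.org from 192.168.1.10
Dec 21 13:29:42 dnsmasq[812]: query[A] 14emeliaterracewestroxburyma02132.su from 192.168.1.57
Dec 21 13:29:42 dnsmasq[812]: forwarded 14emeliaterracewestroxburyma02132.su to 9.9.9.9
Dec 21 13:29:50 dnsmasq[812]: query[AAAA] api.14EmeliaTerraceWestRoxburyMA02132.su. from 192.168.1.57
Dec 21 13:30:02 dnsmasq[812]: query[A] not14emeliaterracewestroxburyma02132.su from 192.168.1.10
Dec 21 13:30:05 dnsmasq[812]: query[TXT] fuckbriankrebs.com from 192.168.1.57
""".splitlines()


if __name__ == "__main__":
    for client, counts in sorted(find_hits(SAMPLE_LOG).items()):
        for domain, n in sorted(counts.items()):
            # Print the domain defanged again so the report is safe to paste.
            print(f"{client}: {n} queries for {domain.replace('.', '[.]')}")
```

An empty result only means no such queries went through this resolver; a device that uses its own hard-coded resolver or encrypted DNS will not show up in these logs.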
Jellal
@jellal@sakurajima.moe replied  ·  activity timestamp 6 hours ago

@briankrebs I looked through the article, but I don't see how China-produced products are related to this botnet. Doesn't the malware focus on Android streaming boxes regardless of where they were produced? As far as I can see, the article didn't link the botnet to China either. (These are genuine questions btw.)

Jackie 🍉🏳️‍⚧️☭
@burnoutqueen@todon.nl replied  ·  activity timestamp 7 hours ago

@briankrebs

telling people to waste perfectly good TV boxes that can run Linux is absolutely the wrong takeaway

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 6 hours ago

@burnoutqueen ok. that's fine. I recognize there are some people who think piracy is a right and anyone saying otherwise is ill-informed, a tech noob, or a fear monger.

post punk mclovin
@postpunkmusic@musician.social replied  ·  activity timestamp 2 hours ago

Look at this guy taking a shot at the entire Copyleft movement 😆

Allan Girvan
@agirvan@glasgow.social replied  ·  activity timestamp 7 hours ago

@briankrebs

You should stick to something safe, like an Amazon Firestick.

They're made in...

China!

https://www.accio.com/supplier/amazon-fire-stick-manufacturer

Amazon Fire Stick Manufacturers: Verified Global Suppliers & Custom Solutions

Need reliable Amazon Fire Stick manufacturers? Connect with certified suppliers offering low MOQ, 4K streaming devices, and customization options. Request quotes today!
George E. 🇺🇸♥🇺🇦🇵🇸🏳️‍🌈🏳️‍⚧️
@gme@bofh.social replied  ·  activity timestamp 7 hours ago

@briankrebs@infosec.exchange
I do find it funny that "FOR OVERSEAS ONLY" is written in ENGLISH and not Mandarin. You would think if a product was not designed for the Chinese market, it would warn the Chinese that the product is for export only, in Chinese. Most Chinese are not bilingual. LOL.

cake-duke
@oneloop@mastodon.xyz replied  ·  activity timestamp 7 hours ago

@briankrebs Krebs is on mastodon! Awesome! Following.

miki
@miki@dragonscave.space replied  ·  activity timestamp 7 hours ago

@briankrebs How do those devices (along with all the fridges and IOT cameras that make up most botnets) get infected? Aren't most of them behind NAT? I understand "default passwords", but for that to be a problem, there has to be a way for the attacker to connect to a device in the first place, and that is the part I don't get.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 7 hours ago

@miki this is the subject of my reporting in the New Year. Stay tuned.

Karel 'Clock' K.
@clock@f.cz replied  ·  activity timestamp 7 hours ago

@briankrebs I don't think China is a country. I think it's a stateless territory infested by a criminal communist terrorist organization whose kingpin is Xi Jin Ping.

Fellows
@fellows@cyberplace.social replied  ·  activity timestamp 7 hours ago

@briankrebs I don’t own one but my understanding is that these Android TV boxes are typically used for watching pirated content. I can’t see any company putting heavy efforts into the security of their product when it’s used for this purpose. Whether they’re intended to be a Trojan horse or not, the risk their use brings is too high in my humble opinion and I agree with Brian, they should be binned.

Karel 'Clock' K.
@clock@f.cz replied  ·  activity timestamp 7 hours ago

@briankrebs Evidence that "these things are responsible for building out a botnet that currently has ~2M devices and is growing rapidly"?

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 7 hours ago

@clock are you asking for evidence? Read the story I linked from XLAB.

Clayton O'Neill
@clayton_oneill@mastodon.cloud replied  ·  activity timestamp 7 hours ago

@briankrebs You seem to be implying this violates some Chinese security regulations and isn't approved for domestic sale, but the much more likely explanation is that these boxes are banned in China due to state media control concerns: https://www.ibtimes.com/china-cracks-down-set-top-box-market-bans-popular-streaming-apps-2189776

International Business Times

Set-Top Box Crackdown Riles Consumers In China

Chinese consumers are not happy with the change, saying the government's new rules are meant to support cable companies and establishment media.
Julius Schwartzenberg - Юліус
@jschwart@mas.to replied  ·  activity timestamp 7 hours ago

@briankrebs note that you can run Armbian on some of these. Be sure to look at the Armbian forums for unofficial builds if there's no official build.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 7 hours ago

@jschwart AFAIK, there's no way to use these devices securely.

Julius Schwartzenberg - Юліус
@jschwart@mas.to replied  ·  activity timestamp 7 hours ago

@briankrebs it's not clear to me why replacing the entire software wouldn't make them secure.

It might possibly even work to simply kill the offending applications. I have a very cheap box (was around $25) which became quiet with regards to traffic after I stopped various applications (mainly a torrent one that was there with a preconfigured torrent was establishing a lot of connections).

When I insert an SD card with Armbian, it just boots that instead of Android.

Julius Schwartzenberg - Юліус
@jschwart@mas.to replied  ·  activity timestamp 7 hours ago

@briankrebs the XLAB article mentions the X96Q which matches the model on my box (there are different boxes with that model though).

It also mentions that the culprit is in some so files from a particular apk. This means running Armbian should be fine if you have an affected box:
Working images can be found on the forums: https://forum.armbian.com/search/?q=X96Q

I'll check if my box has those apk/so files when I get an opportunity.

Generally the hardware itself should be fine though, wasteful to just bin it.

Nicolas Guay
@machinaecrire@mstdn.social replied  ·  activity timestamp 7 hours ago

@briankrebs @jschwart How about not hooking it to the Internet and just using it as a display device? (Honest question.)

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 7 hours ago

@machinaecrire @jschwart If I told you a certain brand of Christmas tree lights could burn your house down, would you then pull out all the lights from the strand and use it as an extension cord?

Nicolas Guay
@machinaecrire@mstdn.social replied  ·  activity timestamp 3 hours ago

@briankrebs @jschwart Ha ha! Touché!

Héliosélène
@helioselene@h4.io replied  ·  activity timestamp 8 hours ago

@briankrebs

It could be the other way around: less spying for foreigners? After all, China spies on its own citizens more than anyone else.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 8 hours ago

Meant to link to my previous reporting on this topic, which briefly touches on some of the challenges w/ the ubiquity and sheer insecurity-by-design of most of these Android TV/movie streaming devices

https://krebsonsecurity.com/2025/11/is-your-android-tv-streaming-box-part-of-a-botnet/

Is Your Android TV Streaming Box Part of a Botnet?

On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for…
mike805
@mike805@noc.social replied  ·  activity timestamp 2 hours ago

@briankrebs I have one of these things (without any pirate apps on it.) Loaded ConnectBot, plugged in a keyboard, typed su, got a root prompt. Zero security on those boxes.

Sterling
@AG100pct@infosec.exchange replied  ·  activity timestamp 7 hours ago

@briankrebs Nice article!

Mike. 🩼🇨🇦
@MikeImBack@disabled.social replied  ·  activity timestamp 8 hours ago

@briankrebs I switched to Roku... I hope that's good. I haven't heard anything about Roku yet

Mans R
@mansr@society.oftrolls.com replied  ·  activity timestamp 4 hours ago

@MikeImBack @briankrebs Roku reports your usage every few minutes and shows ads, though both can be subverted with DNS blocks.

Mike. 🩼🇨🇦
@MikeImBack@disabled.social replied  ·  activity timestamp 3 hours ago

@mansr @briankrebs if that's it, I guess I'm okay with that. 99% of the time it's either PlutoTV or Netflix, and 99% of the ads I get are for PlutoTV channels, so they ain't learning very much about me

Raven667
@raven667@hachyderm.io replied  ·  activity timestamp 4 hours ago

@mansr @MikeImBack @briankrebs I believe Roku TVs also do Automatic Content Recognition (ACR) on _any_ input and report that as well. Built in Google TV reports to Google. I'm not sure that Apple TV works as hard to make surveillance a revenue stream but I don't really know.

It all sucks out there and the best from a privacy perspective is probably just a computer and browser with uBlock, but that doesn't work well with a remote from the couch

Worik
@worik@mastodon.social replied  ·  activity timestamp 2 hours ago

@raven667 @mansr @MikeImBack @briankrebs

Get a hand sized USB keyboard

Or an infrared remote and dongle for your computer

Sébastien Duquette
@ekse@noc.social replied  ·  activity timestamp 8 hours ago

@briankrebs I think you're reading too much into this one Brian. This is most likely because of the different voltage, the US uses 120v, China uses 240v like Europe.

Neil Craig
@tdp_org@mastodon.social replied  ·  activity timestamp 8 hours ago

@briankrebs Feels weird that they write "overseas use only" in English...seems like Mandarin might be a better choice perhaps? 🤣🤷🏼‍♂️

AI6YR Ben
@ai6yr@m.ai6yr.org replied  ·  activity timestamp 8 hours ago

@briankrebs 😱
