The title qualifies "Android TV" with a "Streaming Box" right after. Lots of service providers supply such a box to subscribers (similarly to how ISPs provide all-in-one firewall-router-modems.) Even then these are extremely cheaply made, underpowered and largely unmaintained internet connected devices. And indeed you can purchase one such box yourself (including with piracy features as described here,) but I'd be surprised if the vast majority of these devices aren't supplied by the service providers.
I'd expect pirate TV stuff to be mainly available through mail order, it's surprising you can buy it off the shelf at big box stores like Best Buy. I wonder how they weighed the income they'd get from stocking pirate TV boxes vs. how it would negatively impact their relationships with TV and streaming providers.
I think the fact that regular stores are now stocking high-seas set top boxes is more proof that streaming is too overpriced now and media companies are too greedy.
I don't think they're stocking these boxes. A lot of retailers let anyone list products on their website - just as Amazon allows third party sellers to list products. The one I found on BestBuy's website says "Sold & shipped by
Evolution Blazed Inc"
Article seems to indicate at least one model can (or, could... maybe Censys has notified them and they were pulled) be bought off the shelf in store at Best Buy
> In a recent video interview, Ashley showed off several Superbox models that Censys was studying in the malware lab — including one purchased off the shelf at BestBuy.
Trusting a random vendor, even on your home network, seems crazy. But how do you secure a home network? Are we all supposed to be running Nagios, Grafana, Splunk, and have a personal CISO?
Use multiple VLANs and SSIDs, and only punch holes or route between them (and to the WAN) if/when absolutely necessary.
It does make it harder to use these things. Some things may even become impossible to use effectively.
The simpler method is just to never trust anything, ever, but that's just a long-winded path that asymptotically approaches having a completely disconnected (airgapped) home.
But the usual default method is even easier. Just use the stuff on the default WLAN that is provided by the ISP like a commoner, have no local services at all (what homelab? what file server? what printer?), and fuhgetaboutit.
So what if the botnet spreads from the Android TV box to the light bulbs? As long as all of the things keep performing their primary roles (rule #1 of a successful infection: don't kill the host), then the bliss of ignorance will be complete.
Consumer vendors for routers/firewall combos are trash, but I think they'd go a long way in helping people by having an easy to turn on IoT vlan.
Matter devices run without internet access (at least this is the whole point of the spec, some manufacturers have fewer features without using the cloud based app, but to be Matter certified it must run locally to some extent), so blocking the vlan should be okay with a lot of IoT devices.
Random dodgy streamer box does need internet access though, so I think at best having a vlan (probably one just for it sadly) that doesn't have access to the rest of your internal network would be the only realistic solution. Still won't help prevent it from using your connection as part of a botnet though. It's a hard problem.
Unfortunately users are very adverse to learning anything about how their devices work, so I don't have any idea what can be done about the problem.
Maybe we have to rely on the state going after sellers of such pre-compromised devices? I'd say hold the users somewhat liable, maybe a small fine, when they are part of a botnet, and wave them when it's a "legit brand" that gets compromised outside of the users control? Pressure would need to be done on "legit" consumer manufacturers to actually provide security updates to somewhat older devices and not abandon them the minute the latest model is released.
> Unfortunately users are very adverse to learning anything about how their devices work, so I don't have any idea what can be done about the problem.
They are.
But there's precedent: Manufacturers spent years shipping consumer routers that worked out-of-the-box with default wide-open networks with SSIDs like "NETGEAR" or "linksys," which was gloriously insecure.
Some folks were sure back then that this could never change, but it has changed. These days, such devices generally reasonably-secure by default.
It can presumably change for Matter and IoT, too.
(Except the rabbit hole is kind of interesting, because... The usual method of setting up a Matter device means scanning a QR code with a pocket supercomputer to begin the process of connecting the Matter device to whatever wifi network it is that the pocket supercomputer is currently using.
And this does work for getting a Matter device online, but it doesn't allow for easy separation of network roles.
So the routers will need to change, and the Matter setup process will also need to change. Shouldn't take more than another decade or two for both things to get accomplished, I suppose.)
Matter-over-thread can be added typically without any WAN connection. Just need the QR code. And in a recent revision to the spec they added provisioning via NFC, which will be great since some devices have easy to lose QR codes.
Shoutout to Mikrotik for being the only consumer vendor with good router/firewall combos. I recommend getting one if you're comfortable doing a bit of work to setup a secure home network.
EnGenius EWS377AP WiFi 6 4x4... Been pretty good for a few years now... Considering going back to Ubiquiti for Wifi 7 at some point, but this has been good enough for my needs, and my work/personal desktops are all wired 10/2.5gb so no real issues practically.
It doesn't reach as far outside of my home as my older Ubiquiti AP seemed to reach though... I could get almost a block away before my phone would drop when driving. Now it cuts out in the driveway... and less than halfway into the back yard... single AP on middle of second floor ceiling. Had considered additional unit for back yard coverage.
I'm surprised how many people are happily buying and using WiFi smart lamps from questionable origin. It would be somewhat hilarious if Western internet gets sabotaged by lightbulbs in the case of a military conflict.
But yeah, it's hard to secure home networks. One step would be if expert users and ISP boxes would make a separate WiFi network/VLAN for IoT devices. Second, there should be more regulation and education about not connecting crap devices to your network and/or Western sellers (Amazon, Best Buy, etc.) should be liable if they continue selling a device once it is known that it is malicious.
> Trusting a random vendor, even on your home network, seems crazy.
Random vendors who promise unlimited free streaming, no less. Even if they're pirating the content, video streaming infrastructure still costs good money to run, so they're obviously making up for it by monetizing the boxes in some other way.
You can use a diy mini pc with OpnSense for a router along with a dedicated AP box... most commercial AP boxes can configure for separate SSIDs and VLAN configurations... this can allow you to monitor, configure and block certain access to the devices on your network into different trust groups.
Also, just having a pihole configured for your dhcp dns helps a lot with some traffic, but it can interfere with some legit services (CBS was a really bad one in my experience).
That said, if you don't have the technical skills or desier to learn these things... as you said, don't buy anything that gives you "easy" or "cheap" access to pirate content. It is pretty crazy.
Not being glib, but by not buying "smart" devices whatsoever. Manual streaming boxes might actually stop being viable for Linux as different services crack down. But, if you cared about privacy or security you wouldn't roll the dice with this stuff. I don't mean that in a rude or self-righteous way. Rather, I think people don't really care about privacy or security very much. Giving up streaming sounds like a big sacrifice to a lot of people, but if you contrived some scenario (really just for the sake of the argument) where your streaming devices were giving your kids mercury poisoning, you'd have no trouble giving them up. (and giving them up would really be the least of your worries) You might complain that mercury poison is not even remotely similar in severity it privacy or security concerns, and you'd be correct. But, that's the point I'm making. If people really cared about these issues then abstaining would be an easy decision. People claim to care, but don't actually take any action, and so I think they don't actually care that much.
I use vyos instead of OpenWRT, but I'd presume OpenWRT can mirror a port? It'd be better to do it on your switch of course. But you could mirror your traffic going across the LAN-WAN barrier and direct it to a security onion install, it's an opensource IDS. It has pretty heavy demands, but traffic analysis is not an easy, computationally cheap task.
At the very least it seems critical to treat such android devices as a hostile device on a segmented network (Guest network, or dedicated IoT Network).
Don't love the scare title, but particularly don't love the inclusion of "Android TV," which has gone back-and-forth with "Google TV" as the brand name for Google's smart TV experience. (Even Wikipedia has a hard time following the chronology: https://en.wikipedia.org/wiki/Google_TV_(operating_system), https://en.wikipedia.org/wiki/Android_TV#Google_TV_interface)
The title makes it sound like the TV you bought at Best Buy might be part of a botnet. The article is about some drop-shipped piracy-box.
The title qualifies "Android TV" with a "Streaming Box" right after. Lots of service providers supply such a box to subscribers (similarly to how ISPs provide all-in-one firewall-router-modems.) Even then these are extremely cheaply made, underpowered and largely unmaintained internet connected devices. And indeed you can purchase one such box yourself (including with piracy features as described here,) but I'd be surprised if the vast majority of these devices aren't supplied by the service providers.
I know we're not supposed to make RTFA comments here on HN, but what about RTFT?!
I'd expect pirate TV stuff to be mainly available through mail order, it's surprising you can buy it off the shelf at big box stores like Best Buy. I wonder how they weighed the income they'd get from stocking pirate TV boxes vs. how it would negatively impact their relationships with TV and streaming providers.
I think the fact that regular stores are now stocking high-seas set top boxes is more proof that streaming is too overpriced now and media companies are too greedy.
I don't think they're stocking these boxes. A lot of retailers let anyone list products on their website - just as Amazon allows third party sellers to list products. The one I found on BestBuy's website says "Sold & shipped by Evolution Blazed Inc"
Article seems to indicate at least one model can (or, could... maybe Censys has notified them and they were pulled) be bought off the shelf in store at Best Buy
> In a recent video interview, Ashley showed off several Superbox models that Censys was studying in the malware lab — including one purchased off the shelf at BestBuy.
Back in the heyday of torrents and burnable optical disks, retail DVD players could usually play random video files procured from the high seas.
They sure did, but what they didn't have is a built-in mail-order bootleg DVD catalog!
Trusting a random vendor, even on your home network, seems crazy. But how do you secure a home network? Are we all supposed to be running Nagios, Grafana, Splunk, and have a personal CISO?
Use multiple VLANs and SSIDs, and only punch holes or route between them (and to the WAN) if/when absolutely necessary.
It does make it harder to use these things. Some things may even become impossible to use effectively.
The simpler method is just to never trust anything, ever, but that's just a long-winded path that asymptotically approaches having a completely disconnected (airgapped) home.
But the usual default method is even easier. Just use the stuff on the default WLAN that is provided by the ISP like a commoner, have no local services at all (what homelab? what file server? what printer?), and fuhgetaboutit.
So what if the botnet spreads from the Android TV box to the light bulbs? As long as all of the things keep performing their primary roles (rule #1 of a successful infection: don't kill the host), then the bliss of ignorance will be complete.
Consumer vendors for routers/firewall combos are trash, but I think they'd go a long way in helping people by having an easy to turn on IoT vlan.
Matter devices run without internet access (at least this is the whole point of the spec, some manufacturers have fewer features without using the cloud based app, but to be Matter certified it must run locally to some extent), so blocking the vlan should be okay with a lot of IoT devices.
Random dodgy streamer box does need internet access though, so I think at best having a vlan (probably one just for it sadly) that doesn't have access to the rest of your internal network would be the only realistic solution. Still won't help prevent it from using your connection as part of a botnet though. It's a hard problem.
Unfortunately users are very adverse to learning anything about how their devices work, so I don't have any idea what can be done about the problem.
Maybe we have to rely on the state going after sellers of such pre-compromised devices? I'd say hold the users somewhat liable, maybe a small fine, when they are part of a botnet, and wave them when it's a "legit brand" that gets compromised outside of the users control? Pressure would need to be done on "legit" consumer manufacturers to actually provide security updates to somewhat older devices and not abandon them the minute the latest model is released.
> Unfortunately users are very adverse to learning anything about how their devices work, so I don't have any idea what can be done about the problem.
They are.
But there's precedent: Manufacturers spent years shipping consumer routers that worked out-of-the-box with default wide-open networks with SSIDs like "NETGEAR" or "linksys," which was gloriously insecure.
Some folks were sure back then that this could never change, but it has changed. These days, such devices generally reasonably-secure by default.
It can presumably change for Matter and IoT, too.
(Except the rabbit hole is kind of interesting, because... The usual method of setting up a Matter device means scanning a QR code with a pocket supercomputer to begin the process of connecting the Matter device to whatever wifi network it is that the pocket supercomputer is currently using.
And this does work for getting a Matter device online, but it doesn't allow for easy separation of network roles.
So the routers will need to change, and the Matter setup process will also need to change. Shouldn't take more than another decade or two for both things to get accomplished, I suppose.)
Matter-over-thread can be added typically without any WAN connection. Just need the QR code. And in a recent revision to the spec they added provisioning via NFC, which will be great since some devices have easy to lose QR codes.
Shoutout to Mikrotik for being the only consumer vendor with good router/firewall combos. I recommend getting one if you're comfortable doing a bit of work to setup a secure home network.
My AP has a default "guest" ssid/vlan that has a weparate address block on it... I use that for untrusted devices.
It's a dedicated prosumer/commercial ap though.
Is it HPE Aruba Instant On? Great APs.
EnGenius EWS377AP WiFi 6 4x4... Been pretty good for a few years now... Considering going back to Ubiquiti for Wifi 7 at some point, but this has been good enough for my needs, and my work/personal desktops are all wired 10/2.5gb so no real issues practically.
It doesn't reach as far outside of my home as my older Ubiquiti AP seemed to reach though... I could get almost a block away before my phone would drop when driving. Now it cuts out in the driveway... and less than halfway into the back yard... single AP on middle of second floor ceiling. Had considered additional unit for back yard coverage.
I'm surprised how many people are happily buying and using WiFi smart lamps from questionable origin. It would be somewhat hilarious if Western internet gets sabotaged by lightbulbs in the case of a military conflict.
But yeah, it's hard to secure home networks. One step would be if expert users and ISP boxes would make a separate WiFi network/VLAN for IoT devices. Second, there should be more regulation and education about not connecting crap devices to your network and/or Western sellers (Amazon, Best Buy, etc.) should be liable if they continue selling a device once it is known that it is malicious.
You should not assume that no one on your network is compromised. This is part of the thinking behind 0 trust.
> Trusting a random vendor, even on your home network, seems crazy.
Random vendors who promise unlimited free streaming, no less. Even if they're pirating the content, video streaming infrastructure still costs good money to run, so they're obviously making up for it by monetizing the boxes in some other way.
Most consumers would assume that the $400 they paid for the box is how they monetized it. Naive perhaps, but not necessarily unreasonable.
You can use a diy mini pc with OpnSense for a router along with a dedicated AP box... most commercial AP boxes can configure for separate SSIDs and VLAN configurations... this can allow you to monitor, configure and block certain access to the devices on your network into different trust groups.
Also, just having a pihole configured for your dhcp dns helps a lot with some traffic, but it can interfere with some legit services (CBS was a really bad one in my experience).
That said, if you don't have the technical skills or desier to learn these things... as you said, don't buy anything that gives you "easy" or "cheap" access to pirate content. It is pretty crazy.
>But how do you secure a home network?
Not being glib, but by not buying "smart" devices whatsoever. Manual streaming boxes might actually stop being viable for Linux as different services crack down. But, if you cared about privacy or security you wouldn't roll the dice with this stuff. I don't mean that in a rude or self-righteous way. Rather, I think people don't really care about privacy or security very much. Giving up streaming sounds like a big sacrifice to a lot of people, but if you contrived some scenario (really just for the sake of the argument) where your streaming devices were giving your kids mercury poisoning, you'd have no trouble giving them up. (and giving them up would really be the least of your worries) You might complain that mercury poison is not even remotely similar in severity it privacy or security concerns, and you'd be correct. But, that's the point I'm making. If people really cared about these issues then abstaining would be an easy decision. People claim to care, but don't actually take any action, and so I think they don't actually care that much.
That's a little over reaction.
Most wifi routers have a guest network mode, that does the first few good steps.
Devices on the guest network can't see or ping devices on your main home network.
But... if appropriately configured the home network should be able to see the devices on the guest network.
There's a few great guides out there that help plan out your home network for such undertakings.
Is there some software I can run on my OpenWrt to detect suspicious traffic?
I guess the big problem here is analysis, because a modern home network moves a massive amount of traffic, to many endpoints.
I use vyos instead of OpenWRT, but I'd presume OpenWRT can mirror a port? It'd be better to do it on your switch of course. But you could mirror your traffic going across the LAN-WAN barrier and direct it to a security onion install, it's an opensource IDS. It has pretty heavy demands, but traffic analysis is not an easy, computationally cheap task.
At the very least it seems critical to treat such android devices as a hostile device on a segmented network (Guest network, or dedicated IoT Network).
[dead]