Amazon Fire TV security patch stops crypto-miners from hacking your set-top box

null

Earlier this year, older Amazon Fire TV models were overtaken by a malicious worm that spread from between devices using the set-top box's ADB (Android Debug Bridge) connection. Today, Amazon has released a patch that will plug the hole in the vulnerability and stop the infection in its tracks.

The software update – version 5.2.6.6 – is now available for Amazon Fire TV, Amazon Fire TV Stick and Amazon Fire TV Edition televisions, and it'll disable ADB by default. It'll also prompt users every time a device wants to install a new piece of software on their device. In the past, once you approved one ADB connection, any device could then connect to your Fire TV and install some code without asking. 

The offending exploit from February helped spread a pretty vicious malware worm called ADB.miner and the unchecked vulnerability of Amazon Fire TVs was used to mine cryptocurrency. This caused massive slow downs on infected devices, leading to long install times and abrupt crashing in the middle of streamed content.

The silver lining in all this is that newer devices, like the Amazon Fire TV Cube and latest version of the Amazon Fire TV, weren’t impacted by the malware as the protocol of asking before installing any software was built in from the start. 

So why have ADB in the first place?

This all raises the question: If ADB is such a vulnerability, why even allow it to exist on Amazon Fire TV devices? 

The answer is that ADB gives users some customizability options for their Fire TV – allowing you to install apps that aren't available on Amazon's limited Fire TV store (called sideloading). 

Sideloading is most often used by the KODI/XMBC crowd to install the app on the Fire TV, creating an even more robust streaming device that can stream local video content as well as content from traditional sources like Netflix and Amazon Video. 

Now that the ADB vulnerability is fixed, you'll be prompted before any additional software is installed on the device, quashing bugs like ADB.miner in its tracks.

Source: AFTVnews