Void captures over a million Android TV boxes

Car and IoT Security Concerns

  • Several comments extrapolate from hacked TV boxes to future car hacks, especially with many EV manufacturers and widely varying security maturity.
  • Disagreement on which carmakers are “better” at security; some point to Tesla’s strong software update capabilities, others cite flash wear, unlock issues, and poor protocol implementations as evidence of weak practices.
  • Concern that V2V/V2X plus the “sorry state of IoT security” could enable catastrophic, large-scale vehicle attacks; one commenter frames all commercial IT security as fundamentally inadequate against well-funded attackers.
  • Speculation about self-driving car theft and remote repossession; some think theft will be easy once cars are more autonomous and cloud‑managed.

Android TV vs Android-on-TV-Boxes

  • Multiple posts clarify these are cheap TV boxes running generic AOSP builds, not Google-certified “Android TV” with Play Store.
  • Some note that even certified Android TV devices can be old and unpatched, but the exploit in question targets vendor AOSP firmware.

Updates, Fragmentation, and Economic Divide

  • Many low-cost Android devices (phones and TV boxes) ship with old Android versions and often never receive a single update.
  • This is framed as a new “economic divide”: in regions like South America, median Android versions are claimed to be very old, even though phones are essential there for government services and payments.
  • Debate over responsibility: hardware makers, Google’s architecture (kernel/driver ABI), Qualcomm’s business model, and Google’s priorities all get blamed.
  • Some argue the core problem is locked-down devices: users can’t replace or upgrade the OS independently, unlike PCs.

Infection Vectors and Piracy Ecosystem

  • Firewalls/NAT don’t help if users install sketchy IPTV/piracy apps or visit malicious streams/sites.
  • Many suspect these boxes are sold primarily for piracy and often ship with preinstalled or base-image malware; this exploit piggybacks on an already-compromised ecosystem.

Auto-Update Tradeoffs

  • Tension noted between “everything must auto-update for security” and incidents where automatic updates (e.g., CrowdStrike) cause massive outages.
  • Growing distrust that vendors use “security updates” to add ads, telemetry, or push obsolescence.

User Mitigations and Alternatives

  • Recommendations include Chromecast/Google TV, Roku, Apple TV, Nvidia Shield, or HTPCs, which tend to get longer support.
  • Some users prefer fully controlled setups: CoreELEC/Kodi or Linux-based media boxes, strict network isolation (VLANs, proxies), or even fully offline “sneaker-net” media to avoid ongoing trust in vendors.