Firestick Keyboard Remote Tool Removed for Security Reasons


In February of this year, Amazon added a new feature to Firestick and Fire TV devices that would allow remote access to the keyboard via web browser. The tool was built to make it easier for device owners to type long URLs or insert usernames and passwords instead of using the Firestick remote that does…

Official Press Release From Green Line Analytics

“Researchers at Green Line Analytics have concluded that the recently removed off-site remote represented perhaps the most egregious security vulnerability ever released on Fire TVs. The lack of any obvious change-log notification about the feature or user authentication, as well as the inability to disable, hide or reset the QR code within the 1-2 weeks before it expired, created a security threat that allowed attackers the capability to install malicious apps on Fire TVs without seeing the target’s TV screen or requiring any user interaction on the targeted Fire TV.

Amazon explicitly designed the troubleshooting feature so that recipients of the QR link in text or email messages who never actually saw the QR code could control the corresponding Fire TV device from a different location. Previous owners of a specific Fire TV and Airbnb renters could transfer possession of the device clean of any malware and then have this capability within the 1-2 week period without the current owner or renter taking any action. Compounding the threat posed by these scenarios, the user’s false impression of the innocuous nature of the ubiquitous Fire TV on-screen keyboard and standard QR codes instilled an absence of user screen-visibility discretion when this pseudo master password displayed on-screen in the presence of others or when they transmitted the QR link by phone.

Attackers could remotely navigate the Fire TV without line of sight to the connected TV screen through a simple process in which they use the same model of Fire TV (identified on the QR-code web page) as a visual mirror for directional navigation from the universal wake position. They need only emulate on the QR page, one click at a time, the simple series of clicks that they perform on their own Fire TV at a time when they anticipate the target’s device to be asleep. The attacker would first enable administrator access, wait fifteen minutes for the device to go to sleep, download and open a download-capable browser like Downloader from the Amazon app store, and then download malware. Notably, this simple navigation does not require the Home, Menu or Back buttons, which are not included in the QR-code remote control web page.

The absence of industry-standard security protocols and the unusual use of a QR code for off-site remote control of a device combined to produce these attack vectors that posed one of the most significant security threats ever pushed to Fire TVs.”