Set-Top Box RE: 6-part series (1 of 6)

August 26th, 2024 by Brian

The following is a 6-part series detailing the examination of the security of Set-Top Boxes. The research was conducted by Om and Jack, two of our interns this past summer. Enjoy!

Blog Post 1: Introduction and Overview

As malware and botnets have become more prevalent in recent years, one can’t help but wonder: “Are any of my devices part of a botnet?” With the exponential growth in the number of small internet-connected devices on the market, and the fact that security probably isn’t a top priority for a product such as a $20 smart set-top box, there is a nonzero chance that you own an infected device.

In recent years, several blog posts have documented that some Android-based “smart” TV boxes have shipped with pre-installed malware. Their authors tested several set-top boxes (STBs) and published indicators of compromise. Links were also found to large botnets such as PEACHPIT.

[image omitted] source: Badbox Peachpit Malware on Android Devices

Although PEACHPIT has mostly died down, some TV boxes may still be infected and enrolled in other botnets. In this blog series, we survey 6 different STBs and determine whether they have been compromised. This begins with an initial hardware triage to obtain console access and extract the filesystem. We then use a variety of tools and techniques to analyze the Linux/Android filesystems for signs of malware. Finally, we use this information to craft an exploit and see how easy it would be for a bad actor to infect these boxes and build a botnet.

Common Tools

To get the most out of this report, it is important to be familiar with the tools that played a central role in our process.

Depthcharge

To understand Depthcharge, we first need to understand U-Boot. U-Boot is an open-source bootloader commonly used on embedded CPUs to load Android. It offers a shell that can be reached by stopping the autoboot process (at the `Hit any key to stop autoboot: 0` countdown) and used to perform a variety of actions, including reading and writing memory and flash, modifying environment variables, running arbitrary code, and exposing MMC devices as USB mass storage (UMS).

Depthcharge is an easy-to-use and flexible Python package for interfacing with U-Boot; it provides scripting access along with an extensible API.
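The console interaction described above (catch the autoboot countdown, drop to the U-Boot shell, dump the environment) is easy to script, and the environment dump is the first thing worth reading when triaging a box. The following is an added example, not code from the original post or from Depthcharge: a constructed in-memory console (`FakeUBootConsole`, hypothetical) stands in for the serial link so it runs offline, and the `printenv` output is a constructed sample rather than a dump from any of the boxes in this series. Depthcharge's own API is not used here; the point is the sequence of reads and writes and the defender's read of the resulting environment.

```python
"""Scripted U-Boot console walk plus an audit of the dumped environment.
Added example; the console and the sample environment are constructed."""
import re

AUTOBOOT_RE = re.compile(r"Hit any key to stop autoboot:\s*(\d+)")
PROMPT = "=> "

# Constructed sample 'printenv' output (not from a real set-top box).
SAMPLE_ENV_TEXT = """\
bootdelay=3
bootcmd=run distro_bootcmd
bootargs=console=ttyS0,115200 root=/dev/mmcblk0p2 rw init=/init
ipaddr=192.0.2.10
serverip=192.0.2.1

Environment size: 150/8188 bytes"""


class FakeUBootConsole:
    """Hypothetical stand-in for a serial console exposing readline()/write()."""

    def __init__(self, env_text):
        self.env_text = env_text
        self.sent = []
        self.lines = ["U-Boot 2020.01 (constructed banner)",
                      "Hit any key to stop autoboot:  3"]
        self.at_shell = False

    def readline(self):
        return self.lines.pop(0) if self.lines else ""

    def write(self, data):
        self.sent.append(data)
        if not self.at_shell:                # any byte during the countdown stops autoboot
            self.at_shell = True
            self.lines.append(PROMPT)
        elif data.strip() == "printenv":
            self.lines.extend(self.env_text.splitlines())
            self.lines.append(PROMPT)
        else:
            self.lines.append(f"Unknown command '{data.strip()}' - try 'help'")
            self.lines.append(PROMPT)


def interrupt_autoboot(console, max_lines=50):
    """Watch for the countdown, send a key, and return True once the shell prompt appears."""
    for _ in range(max_lines):
        line = console.readline()
        if not line:
            return False
        if AUTOBOOT_RE.search(line):
            console.write("\n")              # any key stops the countdown
            break
    else:
        return False
    for _ in range(max_lines):
        if console.readline().startswith(PROMPT):
            return True
    return False


def run_command(console, cmd, max_lines=500):
    """Send one command and collect its output up to the next prompt."""
    console.write(cmd + "\n")
    out = []
    for _ in range(max_lines):
        line = console.readline()
        if line.startswith(PROMPT):
            return "\n".join(out)
        out.append(line)
    raise TimeoutError("no prompt seen after command")


def parse_printenv(text):
    """Turn 'key=value' lines into a dict; bootargs may itself contain '=' signs."""
    env = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value
    return env


def audit_env(env):
    """Defender's read of the environment: what does physical console access buy?"""
    findings = []
    if "bootdelay" not in env:
        findings.append("bootdelay not stored in env: compile-time default applies, check manually")
    else:
        delay = int(env["bootdelay"])
        if delay == -1:
            findings.append("bootdelay=-1: autoboot disabled, board drops straight to the U-Boot shell")
        elif delay == -2:
            findings.append("bootdelay=-2: autoboot without an abort check, shell not reachable by keypress")
        else:
            findings.append(f"bootdelay={delay}: autoboot can be interrupted, console access yields a U-Boot shell")
    if "init=" in env.get("bootargs", ""):
        findings.append("bootargs sets init=: whoever can edit the env chooses the first userspace process")
    if "serverip" in env or "ipaddr" in env:
        findings.append("network boot addresses present: check whether tftp/nfs boot paths are still usable")
    return findings


def survey(console):
    """Full sequence: stop autoboot, dump the environment, audit it."""
    if not interrupt_autoboot(console):
        raise RuntimeError("never reached the U-Boot prompt")
    env = parse_printenv(run_command(console, "printenv"))
    return env, audit_env(env)


if __name__ == "__main__":
    env, findings = survey(FakeUBootConsole(SAMPLE_ENV_TEXT))
    for key, value in env.items():
        print(f"{key}={value}")
    for finding in findings:
        print("-", finding)
```

Swapping `FakeUBootConsole` for a real serial object with the same two methods is the only change needed to run this against hardware; a stock `bootdelay` of a few seconds is exactly the window the hardware triage in later posts relies on, and it is also the first setting a defender would expect a hardened box to have removed.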

Android Debug Bridge (ADB)

Android Debug Bridge is a three-part tool that facilitates installing and debugging apps, providing a Unix shell, rebooting into various modes, sideloading OTA packages, and more. On the device, the ADB daemon (adbd) runs in the background and executes the commands sent to it. On the computer, a server communicates with the daemon, and a client sends commands to that server.
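The client and server halves of that three-part design talk over a simple framed protocol, and seeing it makes the split concrete. The following is an added example, not code from the original post or from the Android tooling: it implements the client-side framing (a 4-hex-digit length prefix followed by the service name; the server replies `OKAY` or `FAIL`, the latter with a length-prefixed reason) and exercises it against a constructed stand-in server (`FakeAdbServer`, hypothetical, with a constructed device serial), so everything runs offline without an ADB server or device.

```python
"""ADB client<->server framing with a constructed stand-in server.
Added example; the server behaviour and device serial are constructed."""


def encode_request(service):
    """Frame a host service request: 4 hex digits of length, then the service name."""
    body = service.encode()
    if len(body) > 0xFFFF:
        raise ValueError("service name exceeds the 4-hex-digit length field")
    return f"{len(body):04x}".encode() + body


def read_length_prefixed(data):
    """Split one length-prefixed field off the front of a byte string."""
    if len(data) < 4:
        raise ValueError("missing length prefix")
    length = int(data[:4], 16)
    field, rest = data[4:4 + length], data[4 + length:]
    if len(field) != length:
        raise ValueError("truncated field")
    return field, rest


def decode_response(data):
    """Return (status, payload, rest): OKAY carries no payload here, FAIL carries the reason."""
    status = data[:4]
    if status == b"OKAY":
        return "OKAY", b"", data[4:]
    if status == b"FAIL":
        reason, rest = read_length_prefixed(data[4:])
        return "FAIL", reason, rest
    raise ValueError(f"unexpected status {status!r}")


def parse_devices(payload):
    """Turn a 'host:devices' listing (serial<TAB>state per line) into (serial, state) pairs."""
    devices = []
    for line in payload.decode().splitlines():
        if line.strip():
            serial, state = line.split("\t", 1)
            devices.append((serial, state))
    return devices


class FakeAdbServer:
    """Constructed stand-in for the local ADB server; answers two host services."""
    VERSION = 41                              # constructed server version
    DEVICES = b"ABC123DEF456\tdevice\n"       # constructed serial and state

    def handle(self, request):
        service, rest = read_length_prefixed(request)
        if rest:
            raise ValueError("trailing bytes after request")
        if service == b"host:version":
            version = f"{self.VERSION:04x}".encode()
            return b"OKAY" + f"{len(version):04x}".encode() + version
        if service == b"host:devices":
            return b"OKAY" + f"{len(self.DEVICES):04x}".encode() + self.DEVICES
        reason = b"unknown host service"
        return b"FAIL" + f"{len(reason):04x}".encode() + reason


def query(server, service):
    """Client side of one request: frame, send, check status, unwrap the reply body."""
    status, payload, rest = decode_response(server.handle(encode_request(service)))
    if status == "FAIL":
        raise RuntimeError(payload.decode())
    body, _ = read_length_prefixed(rest)
    return body


if __name__ == "__main__":
    server = FakeAdbServer()
    print("server version:", int(query(server, "host:version"), 16))
    for serial, state in parse_devices(query(server, "host:devices")):
        print("device:", serial, state)
```

Services prefixed with `host:` are answered by the server itself; selecting a device (a `host:transport:` request naming its serial) switches the connection through to adbd on that device, which is the third part of the tool and the one a set-top box actually runs. On a box under examination, the state column from `host:devices` is worth checking before anything else, since an unexpectedly authorised or `unauthorized` entry tells you how the device treats debugging connections.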

Conclusion

This post was a quick overview of the common tools we will use throughout this series. See our next blog post for hardware teardowns and target review.