The security holes appear to have been patched by the manufacturer in early November. However the manner in which the holes were closed is raising further alarm among the researchers about whether the China-based firm is able to access and control deployed television sets without the owner's knowledge or permission.
A report into the affair describes two serious software security holes affecting TCL brand television sets. First, a vulnerability in the software that runs TCL Android Smart TVs allowed an attacker on the adjacent network to browse and download sensitive files over an insecure web server running on port 7989.
That flaw, CVE-2020-27403, would allow an unprivileged remote attacker on the adjacent network to download most system files from the TV set up to and including images, personal data and security tokens for connected applications.
The flaw could lead to serious critical information disclosure, the researchers warned. Second, the researchers found a vulnerability in the TCL software that allowed a local unprivileged attacker to read from and write to critical vendor resource directories within the TV's Android file system, including the vendor upgrades folder. That flaw was assigned the identifier CVE-2020-28055.
One of the security experts behind the report, John Jackson, an application security engineer for Shutter Stock, said the flaws amount to a "back door" on any TCL Android smart television.
"Anybody on an adjacent network can browse the TV's file system and download any file they want", said Jackson. That would include everything from image files to small databases associated with installed applications, location data or security tokens for smart TV apps like Gmail.
If the TCL TV set were exposed to the public Internet, anyone on the internet could connect to it remotely, he said, noting that he had located a handful of such TCL Android smart TVs using the Shodan search engine.