EZCast TV streaming stick leaves home networks vulnerable to attack

Check Point researchers have discovered a vulnerability in the EZCast TV streaming stick that enables hackers to take full control of home networks.

EZCast, which has five million users, is a HDMI dongle-based TV streamer that converts a TV into a smart TV, enabling users to connect to the Internet and other media and is controlled a smartphone device or PC. The device also allows users to easily connect the TV with a PC to view and transfer videos, photos, music and files.

Since the EZCast dongle runs on its own Wi-Fi network, entering the network is straightforward. This network is secured only by an 8-digit numeric password, which can be easily cracked.

Check Point conducted a successful brute-force attack which allowed researchers to gain full unauthorized access to the network. They were also easily able to use social engineering to gain additional network access, by sending the user a malicious link through most messaging services, such as email, Facebook and Skype.

The vulnerabilities leave all information stored on personal networks exposed to possible theft, including tax returns, bank statements, credit cards and other sensitive personal information, making the EZCast device a potentially lucrative attack vector for identity theft for cyber-criminals.

Researchers warned that any EZCast users or potential customers would essentially be selling access to their network for the cost of the device.

“This research provides a glimpse of what will be the new normal in 2016 and beyond – cyber criminals using creative ways to the exploit the cracks of a more connected world,” said Oded Vanunu, security research group manager, Check Point. “The Internet of Things trend will continue to grow, and it will be important for consumers and businesses to think about how to protect their smart devices and prepare for the wider adoption of IoT.”

The team uncovered a number of critical vulnerabilities in the device earlier this year, leading them to the conclusion that the device was never designed with security in mind. Check Point has reached out to EZCast several times since their discovery to alert them of the findings but at time of publication (7th January 2016) Check Point has received no response.