Account Takeover of Google with Android TV
on Android, Tv, Security, Account, Takeover, Google, Password, Google-account-takeover
Home devices are getting smarter with the help of Internet of Things deployments, and Google TV is one such product. My LG NetCast TV was getting old and could no longer play 4K videos on YouTube, so I started looking for a cheap way to get around the freezing on YouTube. A friend recommended Google TV, and I tried the gadget on their TV. At first glance it has a very responsive UI, integrates well with Android devices, and is easy to use thanks to good HDMI-CEC integration with the TV, so I bought a Google TV for myself.
Bad Multi-Account Integration
When my Google TV arrived I started to set up the device. It requires a Google account to start using it; otherwise you cannot use the device at all. The experience was as good as at my friend's house until I started to add the other household members' accounts, one of which is a child account in family mode. Compared to the first account, this setup process is painful because it is not done with a QR code; it requires entering a username and password. After the second account was enabled on the TV, I noticed that Android TV is not designed for shared use. I expect one owner for the device who manages its settings and applications, with easy switching between accounts by default, and when no device is casting to it I expect the TV to switch to a guest mode for privacy, but this does not happen. There is no guest account available for Android TV.
Google Account SYNC
I wanted to use Discord on Google TV to collaborate with my friends. Rather than installing the Discord app, Google Chrome would be more useful as a multi-purpose tool, but Google Chrome is not available in the Android TV Google Play store.
As you know, the easy way to install applications on Android devices is to provide the APK by hand. To do this, I enabled developer mode simply by visiting the settings menu and clicking the kernel version a few times.
After installing Google Chrome on the TV, it asked about enabling sync with my Google account and I pressed the Enable button. Then I visited a website whose password is saved in Google Passwords. The password was prefilled on the TV just like on a computer or phone. Isn't multi-device sync a nice feature?
Did you realize something?
We can easily access saved passwords on the TV just by enabling developer mode and installing Google Chrome. Because of the Android and Google Chrome integration, the Chrome client does not ask for a password or MFA when enabling account sync, since the device is already authenticated.
There is no password or PIN protection on the system settings, so your account is left at home without any protection: an attacker with physical access who wants your Google Drive (Photos, Docs, Passwords) only needs to enable developer mode on your TV and install Google Chrome on it.
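As an added, defender-side example that is not part of the original post: a small adb audit script that reports whether the two conditions above are present on a TV you administer (developer options enabled, and a Chrome build installed from outside Google Play). It assumes `adb` is on PATH and the TV has authorized the host; the settings key and package names are the public Android ones, and the sample `pm` output is constructed.

```shell
#!/bin/sh
# Added audit script, not from the original post: checks an Android TV over adb
# for the two conditions the post describes, developer options enabled and a
# Chrome build that did not come from Google Play. Assumes `adb` is on PATH and
# the TV has authorized this host; package names are the public ones.
# dev_mode_state VALUE -> "enabled" or "disabled".
# VALUE is the raw output of `settings get global development_settings_enabled`
# ("1", "0", or "null" if the key was never written).
dev_mode_state() {
  case "$1" in
    1) echo "enabled" ;;
    *) echo "disabled" ;;
  esac
}
# installer_of PM_OUTPUT PACKAGE -> the recorded installer, "null" when pm has
# none (manual APK install), "com.android.shell" for `adb install`, or "absent".
# PM_OUTPUT is the text of `pm list packages -i`, one line per package:
#   package:com.android.chrome  installer=null
installer_of() {
  printf '%s\n' "$1" | awk -v pkg="$2" '
    $1 == ("package:" pkg) { sub(/^installer=/, "", $2); print $2; found = 1; exit }
    END { if (!found) print "absent" }'
}

# install_source INSTALLER -> "play", "sideloaded" or "absent"
install_source() {
  case "$1" in
    absent)              echo "absent" ;;
    com.android.vending) echo "play" ;;
    *)                   echo "sideloaded" ;;
  esac
}

# audit_tv: read both indicators from the connected TV and print one verdict
# line, e.g. "developer_options=enabled chrome=sideloaded".
audit_tv() {
  dev=$(adb shell settings get global development_settings_enabled | tr -d '\r')
  pkgs=$(adb shell pm list packages -i | tr -d '\r')
  src=$(install_source "$(installer_of "$pkgs" com.android.chrome)")
  echo "developer_options=$(dev_mode_state "$dev") chrome=$src"
}

# Constructed sample of pm output (not captured from a real TV), used to show
# the parsing without a device: run with AUDIT_TV_DEMO=1.
SAMPLE_PM='package:com.android.chrome  installer=null
package:com.google.android.youtube.tv  installer=com.android.vending'
if [ "${AUDIT_TV_DEMO:-0}" = "1" ]; then
  install_source "$(installer_of "$SAMPLE_PM" com.android.chrome)"   # prints sideloaded
fi
```

With a TV connected, call `audit_tv`; a result of `developer_options=enabled chrome=sideloaded` is the state the post describes and is worth reverting (disable developer options, uninstall the sideloaded browser, and sign out of sync).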
Because there is no guest mode and the system is heavily dependent on the Google account, I removed my own and the other accounts from this device and created a separate Google account just for Chrome on it.