Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series

Streaming devices have become increasingly popular in recent years, and for good reason. Portable, frequently updated and relatively inexpensive when compared to a new smart TV, these devices offer a convenient, cost-effective, and customizable way to access a vast selection of content from the comfort of your own home. Smart TVs and streaming devices account for a whopping 20% [pdf] of all connected IoT devices, and potential vulnerabilities in firmware could affect a significant user base.

As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program and aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers the Amazon Fire TV Stick and the Insignia
FireOS TV products. The research discloses vulnerabilities affecting the following products and versions:

• Insignia TV with FireOS versions before 6.2.9.5
• Fire TV Stick 3rd gen. with FireOS versions before 7.6.3.3

Note: the vulnerabilities presented in this report have been responsibly disclosed to the vendor through their Bug Bounty program. Amazon has released fixes for these issues on Fire TV devices and the Fire TV remote app, and the company has no evidence that this issue has been used against customers. Bitdefender has been working closely with the Amazon Fire TV team through all stages of vulnerability disclosure. We would like to extend our thanks for the prompt response time, communication, transparency and escalation.

Vulnerabilities at a glance

• Unauthorized authentication through local network PIN brute forcing. This vulnerability was caused by improper implementation of the Password Authenticated Key Exchange by Juggling (or J-PAKE) protocol that could have resulted in attackers gaining control of the device. (CVE-2023-1385)
• A vulnerability in the setMediaSource function on the amzn.thin.pl service allowed for arbitrary Javascript code to be executed. It could be used to load arbitrary HTTP URLs in the webview. (CVE-2023-1384)
• A vulnerability in the exchangeDeviceServices function on the amzn.dmgr service allowed an attacker to register services that are only locally accessible. (CVE-2023-1383)

Disclosure timeline

• Dec 16, 2022 - Bitdefender researchers submit the findings to the bug bounty program
• Dec 19, 2022: Bug bounty program submits the report for vendor to review
• Dec 20, 2022: Amazon team acknowledges the findings and starts an internal investigation
• Apr 12, 2023: Amazon delivers the fix to the public
• Apr 13, 2023: A bounty is awarded for the findings
• May 2, 2023: This report is published as part of the coordinated disclosure

Download the research paper

Best practices for IoT devices

Home users should closely monitor IoT devices and isolate them as much as possible from the local network. This can be done by setting up a dedicated network exclusively for IoT devices.

Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices, identify and highlight vulnerable ones. IoT device owners should also make sure that they check for newer firmware and update devices as soon as the vendor releases new versions.

To minimize risks of compromise, smart home users should consider adopting a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.