Back in February, Amazon released a new feature to make it easy to quickly control your Fire TV from your phone. This new feature let you scan a QR code to bring up a remote control and keyboard on your phone. This made entering passwords, for example, very easy by letting you use your phone’s keyboard.
Now, Amazon has removed this feature after the tech firm Green Line Analytics says they found a way for people to take over your Fire TV using this system, according to a report from AFTVNews.
In a statement sent to Cord Cutters News, Amazon said, “We appreciate the work of independent researchers to help bring issues to our attention. While we’re still reviewing this research, we immediately disabled the QR feature at issue for Fire TV customers, which fully mitigates the scenario described by the researchers. We look forward to bringing this feature back for customers soon.”
With this feature there was no login or verification code required, unlike the initial setup process for the Fire TV Remote app. This seems to be the main issue allowing others to take over your fire TV.
While the browser-based remote offered basic functionality, including directional controls and a select button, it does lack some fairly critical features found in the more robust Fire TV Remote app, such as the Back, Home, and Menu buttons. These omissions could limit the effectiveness of navigating through apps and settings. However, the inclusion of a text entry field on the virtual remote’s webpage compensates for this by simplifying text input, such as passwords and URLs, using a physical keyboard. Also, as an evolving model, there’s no reason this option can’t find itself in future updates.
For now though you will need to download the Fire TV app to offer this feature or use the onscreen keyboard.
Update: Green Line Analytics supplied this statement about the issues they found:
“Green Line Analytics wishes to clarify certain aspects of recent news coverage about our company that includes your recent article on Amazon removing the remote control QR feature from the Fire TV based on my company’s bug report. It is actually our contention that the underlying security vulnerability represents perhaps the most egregious exploit ever released on Fire TVs.
It is our belief that Amazon does NOT have an interest in releasing an honest assessment of the risk posed by a feature explicitly designed to allow off-site remote control of Fire TVs without user authentication or other industry-standard security protocols. As a result, the public has been misled by erroneous or otherwise vague details about what may be the most significant security threat ever pushed to Fire TVs.
The blogger (Elias Saba at AFTVNews.com) who originated the trending story
dramatically misinterpreted the Green Line Analytics report by overlooking its central premise and minimizing the security risk. Additionally, he did not inform my company about his article or request comment. We only contacted him originally to help bring the security threat to the attention of the Fire TV development team (his former employer), which he declined to do at the time evidently because his misconception of the vulnerability led him to believe the threat was so insignificant that Amazon would not take action.
Although we found your article to represent the most even-handed coverage of the subject, we wish to inform you about several findings from our report about the recently removed QR-code feature that may upgrade the importance of this issue by persuasively contradicting the blogger Saba’s key contentions in his originating article,
Amazon’s Motivation: Severity Rating
The official assessment by HackerOne (Amazon’s official assessor) rated the vulnerability’s severity as Medium on the day of the report’s submission on March 25, 2024. Amazon accepted this assessment and, hours later on March 25th, promptly removed the vulnerable feature with the sense of urgency attributed to significant security threats. Contrary to these facts, Saba’s posting suggests that the vulnerability was officially assessed as Low and Amazon only removed the feature “out of an abundance of caution”. HackerOne is even currently considering upgrading the Medium severity rating based on our contention that their rationale, “user interaction is required to sync QR code”, overlooks the following considerations in our report that also contradict the Saba post.
QR Code Acquisition
- User’s can text the QR link, and the recipient(s) can then simply click on that link in order to access remote control of the owner’s Fire TV without ever seeing the owner’s TV screen.
- Previous owners of a Fire TV can acquire the QR code on their own screen before they transfer ownership, and then transfer ownership of the Fire TV without any trace of malware, and then download malware off-site after ownership the transfer during the 1-2 week period before expiration of the QR code. This is particularly relevant in the cases of Airbnbs and resales or gifts of Fire TVs. In this manner, an attacker can access remote control of the owner’s Fire TV without ever seeing the owner’s TV screen, and without the current owner taking any action whatsoever.
- The average user has no sense of screen-visibility or sharing discretion for the pseudo-master password that is the Fire TV remote control QR code because they are oblivious to the new security threat suddenly posed by the appearance of the on-screen keyboard and the newly adjoined QR code, both of which are ubiquitous tools that users do not normally associate with a security risk. Compounding this user-ignorance factor, Amazon does not provide a way to hide (as they do with a normal password), disable or manually reset the QR code within the generous expiration time period. Nor did Amazon inform users about its forced addition of this off-site remote control feature with the standard change-log screen frequently employed for past Fire OS updates that include new features.
Off-Site Navigation
- The process of remotely navigating the Fire TV without line of sight to the connected TV screen does not involve a difficult and complicated series of button clicks, as the originating Saba article contends, because an attacker can simply use the same model of Fire TV (identified on the QR-code web page) as a visual mirror for navigation. They need only emulate on the QR page, one click at a time, the simple series of clicks that they perform on their own Fire TV beginning from the universal wake position on the Amazon home screen.
- With this virtual-mirroring mechanism prepared, the attacker simply waits until a time period (between 3 am – 5am, for example) when they anticipate the Fire TV to be in sleep mode, and it will awaken at the same location as their own Fire TV device (of the same model) awakens on their own TV screen.
- Emulating in the QR-page interface the clicks on their own remote control from this universal start position, the attacker begins the navigation process by authorizing administrator access. They next wait 15 minutes for the Fire TV to go to sleep and reset the UI to the universal start position, then proceed to download / open a download-capable browser (like Saba’s Downloader, as explicitly mentioned in our report), and finally download and install malware. A click-automation program can facilitate the process for multiple simultaneous attacks without the need for manual navigation. Notably, this navigation does not require the missing Home, Menu or Back buttons. The simple process exclusively requires the directional and Select buttons present on the QR-code remote control web page. Enable administrator access, wait 15 minutes, download Downloader, download malware. 4 simple steps, 20 minutes total time.
Interestingly, Saba’s February 2024 posting about the introduction of this QR-code remote control feature explicitly contradicts his own contentions in this March post in question. He states in the title of the February article that the
“Fire TV gains new web-based virtual remote and keyboard for quick and simple control from anywhere”.
He concedes here that someone CAN ACQUIRE the QR-code for a particular Fire TV WITHOUT EVER SEEING the connected TV screen.
“The unique URL encoded in the QR code can be copied and pasted to any device with a browser and it will work.”
“If a non-tech savvy friend or relative needs help with their Fire TV, you can bookmark their QR code URL and control their Fire TV over a video call with them from anywhere.”
By intentionally allowing off-site remote control without necessary and industry-standard security protocols, Amazon allowed this attack vector to render Fire TVs highly vulnerable to attack until our company fortuitously informed Amazon promptly about this exploit before reports of attack victims emerged. It is our belief that this security lapse represented the most egregious vulnerability ever pushed to Fire TV’s by Amazon. We are grateful that we were able to inform Amazon in a timely manner and that Amazon responded promptly by removing the vulnerable feature within hours of receiving our report. We hope that Amazon appreciates the full extent of the vulnerability’s severity, including the attack vector detailed in our report, so that the Fire TV Development Team can properly patch the remote-control feature with the necessary safeguards to allow the reintroduction of this valuable utility reflective of the innovation that has defined the Fire TV product line as the industry-leading streaming device.”
Please follow us on Facebook and X for more news, tips, and reviews. Need cord cutting tech support? Join our Cord Cutting Tech Support Facebook Group for help.