In a surprising move, Amazon has swiftly disabled its newly introduced web-based remote feature for Fire TV devices, following the discovery of security vulnerabilities that could allow unauthorized access and control.
Last month, Amazon introduced a new feature for its popular Fire TV devices, allowing users to control their streaming experience through a web-based virtual remote and keyboard.
By scanning a QR code displayed on the Fire TV screen, users could access the virtual remote via their smartphone’s web browser, eliminating the need for the physical remote or the Fire TV Remote app.
The new feature aimed to simplify tasks such as typing passwords or navigating the Fire TV interface, particularly useful when assisting others with their devices remotely.
Although the functionality was limited, with the virtual remote lacking some navigation buttons and compatibility with many popular streaming apps, it was a promising start.
However, just weeks after its introduction, Amazon removed the web-based remote feature from Fire TV devices due to security concerns.
Amazon’s Fire TV devices are a popular choice among UK consumers for streaming media, offering access to a wide range of content and services.
With most of the major UK streaming apps available for the Fire TV, it’s an improved replacement for the often slow and limited “Smart TV” interfaces. (At this point, The Fire TV’s main competition are the Roku streaming devices – see my reviews here.)
Along with the Fire TV Cube, there are now five Amazon Fire TV devices being officially sold in the UK: The Amazon Fire TV 4K Max (2nd Gen), the Amazon Fire TV 4K Stick (2nd Gen), the Amazon Fire TV Stick (3rd Gen), The Amazon Fire TV Stick Lite (Full HD), and the Amazon Fire TV Cube (3rd Gen,) which is a pricier product that combines the Fire TV with an Echo device (see my review of it here).
Web Remote’s Security Concerns
As first reported by the Fire TV news website AFTVNews, the web remote feature disappeared from Fire TVs last week.
Checking on a Fire TV stick in the UK, I was able to confirm that, at this point, the QR code either does not appear on search screens at all or leads to an “under maintenance” error message when scanned.
According to tech firm Green Line Analytics, which approached Amazon with its findings, the web-based remote posed a significant security risk.
In a report sent to AFTVNews, the firm stated, “If an unauthorized person were to acquire the virtual keyboard/remote QR code somehow, it would allow them to hijack the device by installing unwanted apps.”
The security firm explained that controlling a Fire TV device using the QR code does not necessitate being connected to the same WiFi network as the Fire TV itself, and it also doesn’t require logging into any account.
This means that if someone was able to scan the QR code from your screen just once – they would then be able to access your Fire TV devices indefinitely (though only on certain screens and at certain times – which, in practice, makes the risk hard to take advantage of).
While installing apps through this method might be complicated (the web remote doesn’t even have Back, Home, and Menu buttons, for example), the vulnerability could still allow bad actors to control a user’s Fire TV device remotely, changing apps and channels without the owner’s consent.
This mischievous scenario brings back memories of those cheeky folks who had IR remotes built into their watches, allowing them to play pranks by turning on TVs in high street store windows.
We reached out to Amazon regarding the security concerns, and the company had this to say: “While we’re still reviewing this research, we immediately disabled the QR feature at issue for Fire TV customers, which fully mitigates the scenario described by the researchers.
“We look forward to bringing this feature back for customers soon.”
While the web-based remote feature showed promise in terms of convenience and accessibility, its current implementation exposed users to potential risks.
As Amazon works to resolve these issues, Fire TV owners can continue to rely on their physical remotes and the Fire TV Remote app for a secure streaming experience.
Official Press Release From Green Line Analytics:
“Researchers at Green Line Analytics have concluded that the recently removed off-site remote represented perhaps the most egregious security vulnerability ever released on Fire TVs. The lack of any obvious change-log notification about the feature or user authentication as well as the inability to disable, hide or reset the QR code within the 1-2 weeks before it expired created a security threat that allowed attackers the capability to install malicious apps on Fire TV’s without seeing the target’s TV screen or requiring any user interaction on the targeted Fire TV.
Amazon explicitly designed the troubleshooting feature so that recipients of the QR link in text or email messages who never actually saw the QR code could control the corresponding Fire TV device from a different location. Previous owners of a specific Fire TV and Airbnb renters could transfer possession of the device clean of any malware and then have this capability within the 1-2 week period without the current owner or renter taking any action. Compounding the threat posed by these scenarios, the user’s false impression of the innocuous nature of the ubiquitous Fire TV on-screen keyboard and standard QR codes instilled an absence of user screen-visibility discretion when this pseudo master password displayed on-screen in the presence of others or when they transmitted the QR link by phone.
Attackers could remotely navigate the Fire TV without line of sight to the connected TV screen through a simple process in which they use the same model of Fire TV (identified on the QR-code web page) as a visual mirror for directional navigation from the universal wake position. They need only emulate on the QR page, one click at a time, the simple series of clicks that they perform on their own Fire TV at a time when they anticipate the target’s device to be asleep. The attacker would first enable administrator access, wait fifteen minutes for the device to go to sleep, download and open a download-capable browser like Downloader from the Amazon app store, and then download malware. Notably, this simple navigation does not require the Home, Menu or Back buttons not included in the QR-code remote control web page.
The absence of industry-standard security protocols and the unusual use of a QR code for off-site remote control of a device combined to produce these attack vectors that posed one of the most significant security threats ever pushed to Fire TVs.”