Three security vulnerabilities have been discovered on Amazon’s popular Fire TV Sticks. If left unpatched, these software flaws could have allowed attackers to take control of affected Fire TV devices.
The security vulnerabilities were discovered by Cybersecurity firm Bitdefender back in December 2022, and were then sent to Amazon through the company’s Bug Bounty programme.
Last month, Amazon released a software patch that was able to fix those vulnerabilities – and therefore, this week, Bitdefender published its findings.
This means, however, that owners of the affected Fire TV devices need to make sure their software has been updated, otherwise the security issues may still be present (see full details below).
According to Amazon, however, there’s no evidence that these flaws have been used against existing owners of any Fire TV devices.
Amazon’s Fire TV devices are among the most popular streaming devices in the world, dating back to the launch of the first Fire TV box, back in 2014.
They’re especially successful in the UK, where the Fire TV is the most popular streaming stick, according to Amazon.
With most of the major UK streaming apps available for the Fire TV, and an easy to use interface, the Firestick is an improved replacement to the often slow-and-limited “Smart TV” interfaces.
There are several different models of Fire TV devices sold in the UK – from the low-cost Fire TV Lite, to the Fire TV Cube that combines a streaming stick with an Echo voice assistant. Amazon also sells TVs with Fire TV built into them – such as the new Omni line.
Security Vulnerabilities On The Fire TV
Cybersecurity firm Bitdefender regularly audits internet-connected devices, such as streaming sticks, for vulnerabilities – which is how it managed to identify three security flaws on Amazon’s Fire TV OS.
The company says that the vulnerabilities “have been responsibly disclosed to the vendor through their Bug Bounty program” back on December 19, 2022.
A software bug bounty scheme, in simple terms, is a program where companies invite security researchers, ethical hackers, or anyone with technical skills to find and report security flaws in their software.
In return, the company often rewards the person who finds the vulnerability with a cash prize or other incentives.
This encourages people to responsibly disclose security issues, helping the company improve its software security and protect its users from potential cyber-attacks.
Bitdefender says it “has been working closely with the Amazon Fire TV team through all stages of vulnerability disclosure.”
Amazon then released fixes for these issues – with software updates for the Fire TV devices and the Fire TV remote (which has its own software) – on April 12, 2023.
The vulnerabilities themselves are quite technical in nature – one involved unauthorized authentication on Fire TV devices by brute-forcing (and guessing) a PIN, the second one could force the device to load any website or online content, potentially exposing users to malicious sites or activities, and the third could let attackers gain unauthorized access to restricted services and potentially compromise the device or user’s data.
According to Amazon, there’s no evidence that these flaws have been used against customers.
Which Fire TV Devices Are Affected?
The affected devices, according to Bitdefender, are:
- The Fire TV Stick 3rd Gen (Which was released in 2021, and is sold in the UK).
- Insignia TV with Fire TV built-in (This model is not normally sold in the UK).
Bitdefender also mentions two specific Fire OS software versions – 220.127.116.11 for the Fire TV Stick and 18.104.22.168 for the Insignia TV.
Any version prior to these versions should be considered vulnerable – but, as Fire TV news site AFTV mentions, different models of Fire TV devices often have different version numbers that are considered the latest – therefore relying on these numbers alone isn’t enough.
To make sure you are protected – you need to confirm your Fire TV stick is patched with the most recent software version from Amazon.
Normally, Amazon pushes software updates to its Fire TV devices automatically. But to make sure, go to your Fire TV Settings page, then to My Fire TV >> About.
In there, select “Check For Updates” – and install any software updates that are still pending.
However, since the updates have been released back in April, there’s a very good chance your device is already patched.
An Amazon spokesperson told Cord Busters:
“Security is foundational to how we design devices, features, and experiences. We have released fixes for this issue on Fire TV devices and the Fire TV remote app.
“We have no evidence that this issue has been used against customers, and we appreciate the work of researchers who help bring potential issues to our attention.”
- For more news about the Fire TV and streaming devices, Subscribe to our free newsletter.