Acting Department of Homeland Security Secretary Chad Wolf said his federal agency was looking into whether Chinese television maker TCL had built security-bypassing “backdoors” into its Android-powered TV sets, as reported in Tom’s Guide last month.
“DHS is reviewing entities such as the Chinese manufacturer TCL,” Wolf said Monday (Dec. 21) in a speech to the conservative think-tank The Heritage Foundation in Washington, D.C.
“This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration,” Wolf added.
“TCL also receives CCP [Chinese Communist Party] state support to compete in the global electronics market, which has propelled it to the third largest television manufacturer in the world.”
We’re not sure how much aid TCL actually gets from the Chinese government, and its market ranking depends on whose statistics you use. But we do know that the flaws we wrote about last month don’t affect TCL sets running Roku’s operating system, which account for most TCL sets sold in North America.
TCL told Tom’s Guide last month that it was fixing two issues in TCL sets running Android that had been found by two hackers, John Jackson and Sick Codes. (Sick Codes was the first person to alert us to Wolf’s speech.)
One was a flaw that let anyone browse the file system of a TCL TV without entering a password. The other was a hidden feature that seemed to be sending screenshots and logs of user activity to servers in China, which Sick Codes told us amounted to a “Chinese backdoor.”
Even more alarming, Sick Codes said, TCL patched these flaws in TV sets across the world in a “silent patch,” without notifying set owners or seeking their authorization. As Sick Codes told Tom’s Guide, that means that TCL had “full access” to the devices in people’s homes.
‘A civilizational conflict’
Granted, we don’t know if DHS is launching a real investigation into TCL, or if Wolf is just blowing smoke.
Wolf’s mention of TCL came in an over-the-top speech in which he accused China of nearly every possible evil under the sun, including election interference, espionage, cyberattacks, copyright piracy, theft of trade secrets, drug dealing, slavery, illegal immigration, fake medicine, counterfeiting, religious oppression, genocide, totalitarianism, spreading Covid-19 and generally planning to take over the world.
Many of these accusations against the Chinese government have substantial merit. But Wolf’s us-vs-the-forces-of-eeeeeevil speech is unlikely to make TCL TV sets any safer, or less safe, to use.
“China threatens the livelihood, prosperity, and well-being of each and every American,” Wolf said rather undiplomatically near the end of his speech. “Your homes, your schools, your jobs, your retirement accounts, and your health are all at risk. Our struggle with China is nothing short of a civilizational conflict.”
Tom’s Guide has reached out to TCL for comment, and we will update this story when we receive a reply.
Update: TCL replies
A TCL representative provided us with a company statement, which follows in full.
“In general, we are concerned that the recent comments about TCL appear to originate from inaccurate descriptions of our products, features, and capabilities in recent weeks, and unfortunately, have led to speculative conclusions and a rush to judgment.
TCL has been conducting business in the United States for more than 15 years, and we’ve earned a stellar reputation among our technology partners, retailers, and users. TCL is broadly regarded as a model citizen and good actor for our adherence to local laws and customs in the U.S. and throughout the world and for our record of profound respect for intellectual property and privacy.
All TCL televisions sold in North America rely on either the Roku or the Android operating system. In both cases, these companies hold manufacturers to a very high standard in terms of security and privacy.
While there was a security vulnerability recently discovered in a limited number of TCL televisions (less than 2% of TCL televisions in the United States), the company quickly took steps to disclose, investigate, thoroughly test, develop patches, and send updates to resolve the matter.
Updating devices and applications to enhance security is a regular occurrence in the technology industry, and this vulnerability has been corrected and is no longer an issue. Any of these affected televisions, when connected to the internet, will prompt the user to update the firmware, thereby correcting the vulnerabilities.
Simply, our conduct is forthright and beyond reproach, and we firmly reject the unsupported characterizations and speculative conclusions from this speech. It misleads the public about who we are and how we conduct ourselves. TCL’s success in the U.S. is due to the hard work and commitment from our dedicated teams of employees and is entirely earned.
We have not been approached by the DHS or any other similar agency to investigate or even discuss these allegations.”