Android-based TV set-top boxes sold online are most likely running outdated operating systems that have not received security updates for at least a year, according to research published today by US cyber-security firm Tripwire.

For the experiment, researchers from Tripwire’s Vulnerability and Exposure Research Team (VERT) bought and tested ten Android-based TV set-top boxes.

“In accordance with Tripwire’s responsible disclosure process, we are not yet naming specific vendors,” Craig Young, the senior security researcher at Tripwire who led the experiment, told Bleeping Computer via email.

“I will say though that I see several of the tested devices on the first page of results when I search for ‘Android TV box’ on Amazon US, Amazon UK, and eBay,” he added.

Devices run old OS versions, don’t receive updates

The Tripwire VERT team says that all of the devices they tested were running very old and insecure versions of Android.

Further, Young says that the most recent Android monthly security update on any system was almost a year old.

For all devices, updates had to come from the Android TV set-top box vendor, not directly from Google, similar to how most Android phone owners are trapped into using devices running antiquated Android OS versions because mobile carriers fail to deliver upgrades and security patches.

Another big security lapse the researchers noted was the fact that all devices came configured by default to allow the installation of Android apps from untrusted sources, the primary means through which most Android-based devices get infected with malware, especially…
