Sick Codes and the other researcher, John Jackson, who works at photo-licensing service Shutterstock, discovered that they could access the entire filesystem of a TCL smart TV over a Wi-Fi connection using an undocumented TCP/IP port. They found that they could also overwrite files on the TV.
All of this could be done without entering a username, a password or any kind of authorization at all. The flaws were assigned the Common Vulnerability and Exposure catalog numbers CVE-2020-27403 and CVE-2020-28055 after the researchers notified the U.S. Computer Emergency Response Team (US-CERT) at Carnegie Mellon University in Pittsburgh.
The flaws were patched on the TV model that Sick Codes and Jackson were analyzing — more on that below — but apparently not all on TCL smart TV models.
