Android TV has access to your entire account—but Google is changing that
Google says it has patched a nasty loophole in the Android TV account security system, which would grant attackers with physical access to your device access to your entire Google account just by sideloading some apps. As 404 Media reports, the issue was originally brought to Google’s attention by US Sen. Ron Wyden (D-Ore.) as part of a “review of the privacy practices of streaming TV technology providers.” Google originally told the senator that the issue was expected behavior but, after media coverage, decided to change its stance and issue some kind of patch.
“My office is mid-way through a review of the privacy practices of streaming TV technology providers,” Wyden told 404 Media. “As part of that inquiry, my staff discovered an alarming video in which a YouTuber demonstrated how with 15 minutes of unsupervised access to an Android TV set-top box, a criminal could get access to private emails of the Gmail user who set up the TV.”
The video in question was a PSA from YouTuber Cameron Gray, and it shows that grabbing any Android TV device and sideloading a few apps will grant access to the current Google account. This is obvious if you know how Android works, but it’s not obvious to most users looking at a limited TV interface.