Signing into Android TV at an Airbnb could leave your Gmail inbox exposed

Summary

  • Don’t log into personal Google accounts on Android TV devices you don’t own; doing so puts you at risk of identity fraud.
  • Attackers can exploit Chrome’s automatic sign-in on Android TV, but most Google TV devices are already being updated to fix the issue.
  • Consider creating a separate Google account for Android TV use, and make sure your device is up to date to stay safe from potential hacks.



By now, most people know that Google has access to just about everything you do online, especially if you own an Android device, but for the most part, our Google accounts are sacrosanct. And given how many services rely on having a Google account to control access and authentication, people have come to rely on the general security it provides along with the ease of not having to remember dozens of passwords for every site that requires an account. That’s why it’s unsettling to see how easy it is for a bad actor to access a Google account via an Android TV device that the account was previously signed in to.



How the attack works

A video posted to YouTube by Cameron Gray earlier this year details how anyone with access to an Android TV box can compromise the Google account (including Gmail and Google Drive) of the last person to sign in to the device (via @MishaalRahman). This happens because Google Chrome will automatically sign in to any Google services you navigate to if it detects a Google account on the device onto which it’s installed. No one raised a stink about this before because there is no official way to install Chrome on an Android TV device. But you can sideload it.


From the attacker’s point of view, there are a few quirks to overcome to pull this off (such as installing a browser to sideload a browser), but just about anyone with a basic understanding of modern smartphone or computer technology could manage this exploit. If you only use Android TV from the comfort of your home, you shouldn’t have anything to worry about, unless you want to hack yourself just for fun. On the other hand, if you sign in to Android TV from a hotel or an Airbnb, you are putting yourself at risk for identity fraud.


404 Media (which broke the story Thursday morning) spoke to Senator Ron Wyden, a member of the Senate Select Committee on Intelligence, whose office is investigating the privacy practices of streaming TV providers and had seen the video. Wyden told 404 Media that his staff informed Google about the video but “Google’s initial response indicated that this was expected behavior and not a security problem.” Once it became clear that the story was gaining some traction, Google clarified its position to 404 Media, stating that it was aware of the issue, adding “Most Google TV devices running the latest versions of software already do not allow this depicted behavior. We are in the process of rolling out a fix to the rest of [the] devices. As a best security practice, we always advise users to update their devices to the latest software.”


Update your devices

Cameron Gray, the content creator who initially uploaded the video, suggests that Android TV users create a Google account just for their Android TV to avoid all of this hassle. In the meantime, make sure your Android TV device is up to date, and then settle in to watch a new movie.




