Amazon pulls new Fire TV feature to investigate its possible security concern

A few weeks ago, Amazon added a handy new feature to Fire TV devices that made it quick and easy to use any phone as a virtual keyboard and remote. By simply scanning a QR code shown anytime the on-screen keyboard appeared on Fire TV devices, a web-based keyboard and remote instantly allowed customers to input text much more comfortably using their phone. Last week, the new feature disappeared from all Fire TV devices. While Amazon frequently tests new features with the general public of Fire TV users, occasionally removing them if they don’t meet expectations, the recent QR code-based virtual keyboard was taken down due to potential security concerns.

Amazon has had a Fire TV remote app for years with a virtual keyboard and remote inside, but the new QR code-based virtual keyboard and remote was much easier to use thanks to not needing to install anything on your phone. That ease of use might be the feature’s ultimate downfall because tech firm Green Line Analytics claims it’s too easy for a nefarious person to take control of someone else’s Fire TV using the new virtual keyboard and remote.

The firm’s exploit description, which it has sent to Amazon and myself, states that if an unauthorized person were to acquire the virtual keyboard/remote QR code somehow, it would allow them to hijack the device by installing unwanted apps. This is because using the QR code to control the Fire TV does not require being on the same network as the Fire TV, nor does it require any kind of account login.

Acquisition of the QR code is a large hurdle to overcome since the attacker would need to directly observe a Fire TV user’s screen while the on-screen keyboard is being used to snap a picture or record a video of the necessary QR code. The potential exploit cannot be achieved without visually acquiring the QR code and, even then, the QR code expires in about a week, so there is a limited timeframe when an attack can be made, should a victim’s QR code be captured.

For the vast majority of Fire TV users, the difficulty of an attacker acquiring the QR code is enough to make this a very unlikely avenue for attack. I can see this being more of a potential issue for Fire TVs being used in public settings, like in bars or restaurants or as digital signs or kiosks. Even then, the attacker would need to wait for someone with the physical remote to bring up the on-screen keyboard and reveal the QR code, which isn’t something that happens often with public TVs.

Assuming the QR code was somehow acquired, while it, technically, might be possible to install a nefarious app on a target Fire TV, it would be no easy task. The QR code-based virtual remote only has directional up/down/left/right buttons and a select button. Without access to the navigation buttons, like the back button, home button, and menu button, the attacker would need to execute a long and elaborate sequence of button presses to achieve something like installing a nefarious app. Even then, it would have to be done in multiple sessions because the only way to back out of a dead end in navigation would be to wait up to 15 minutes for the Fire TV to go to sleep and reset itself back to the home screen.

While it may be very difficult and unlikely to exploit a Fire TV through this method, it does seem possible, which is likely why Amazon has pulled the feature while it investigates the matter further. When asked about the firm’s claimed security concern and the removal of the feature, Amazon told me:

“We appreciate the work of independent researchers to help bring issues to our attention. While we’re still reviewing this research, we immediately disabled the QR feature at issue for Fire TV customers, which fully mitigates the scenario described by the researchers. We look forward to bringing this feature back for customers soon.” ~Amazon

There is a fine balance between ease of use and being extra secure when it comes to a feature like this new virtual keyboard/remote. If Amazon made it more secure, through logins or requiring the same network, it would have made it no easier or better to use than the existing Fire TV Remote app. For most Fire TV users, I think the possibility of this exploit is a non-issue, given the hurdles involved, but it’s understandable for Amazon to pull it out of an abundance of caution. Hopefully, it will return soon but with a few additional options, like the ability to disable it, for anyone worried about unauthorized access to their Fire TV.

  1. Jp says:

    Did this ever work? Never worked for me

  2. Keith B says:

    Being In the profession I am in , (various areas of tech OSINT, analysis, development/coding)etc I never used this feature not only for this exact reason which at least to me was a obvious issue for this exact reason stated however this was not the only exploit that could be manipulated via the QR code.

    On a side note , as a supporter to AFTV , It would be really cool if you as a journalist platform if going to review IPTV Services (which is highly appreciated) I’d request that you start leaving , urls , telegram group, discords, whatever it may be, but leave the source if possible. I am pretty crafty and trying to get some of these services that you review especially decent ones however, it would help as its not always readily available info and at times even via word of mouth which makes it difficult to find. I used to have a YT channel to review these devices until it went against their TOS which was around the same time of the xtream codes debacle and things changed quite a bit, times have changed in the iptv landscape. I would love this if possible, I don’t see why it would be a issue for you , but I very well could be wrong and not know of a underlying issue that stops you from doing so . Best regards !

  3. Raymond says:

    It works but I would prefer if the keyboard would launch automatically when the web page is loaded

  4. Derek says:

    The most embarrassing thing about this story is that a ‘security firm’
    was proud enough of this ‘find’ to contact a news site for self promotion

  5. JC says:

    I’ve found that the phone keyboards only work with certain apps that support voice search, including the Text Search shortcut from ‘AFTVnews.’ These apps usually have an on-screen keyboard that pops up when you tap the search bar, rather than a keyboard that’s already visible on the page. I couldn’t get the phone keyboard to work with Tubi, Frndly, or Netflix.

  6. Brad Woodard says:

    Is this really a serious security issue?

    In order for an attacker to install unwanted/nefarious apps, they will:

    1. Need the QR code
    2. Know the proper steps what they want to install without seeing the screen
    3. Have the main user unaware of these actions and do nothing

    Yeah the no need to log in after scanning could be seen as an issue. But if these QR code keyboard instances are unique and only allow for one device connection and expire in less than 8 hours (more than enough time for a standard viewing session) I don’t really see an issue.

  7. Official Press Release From Green Line Analytics

    “Researchers at Green Line Analytics have concluded that the recently removed off-site remote represented perhaps the most egregious security vulnerability ever released on Fire TVs. The lack of any obvious change-log notification about the feature or user authentication as well as the inability to disable, hide or reset the QR code within the 1-2 weeks before it expired created a security threat that allowed attackers the capability to install malicious apps on Fire TV’s without seeing the target’s TV screen or requiring any user interaction on the targeted Fire TV.

    Amazon explicitly designed the troubleshooting feature so that recipients of the QR link in text or email messages who never actually saw the QR code could control the corresponding Fire TV device from a different location. Previous owners of a specific Fire TV and Airbnb renters could transfer possession of the device clean of any malware and then have this capability within the 1-2 week period without the current owner or renter taking any action. Compounding the threat posed by these scenarios, the user’s false impression of the innocuous nature of the ubiquitous Fire TV on-screen keyboard and standard QR codes instilled an absence of user screen-visibility discretion when this pseudo master password displayed on-screen in the presence of others or when they transmitted the QR link by phone.

    Attackers could remotely navigate the Fire TV without line of sight to the connected TV screen through a simple process in which they use the same model of Fire TV (identified on the QR-code web page) as a visual mirror for directional navigation from the universal wake position. They need only emulate on the QR page, one click at a time, the simple series of clicks that they perform on their own Fire TV at a time when they anticipate the target’s device to be asleep. The attacker would first enable administrator access, wait fifteen minutes for the device to go to sleep, download and open a download-capable browser from the Amazon app store, and then download malware. Notably, this simple navigation does not require the Home, Menu or Back buttons not included in the QR-code remote control web page.

    The absence of industry-standard security protocols and the unusual use of a QR code for off-site remote control of a device combined to produce these attack vectors that posed one of the most significant security threats ever pushed to Fire TVs.”

Leave a Reply

Your email address will not be published. Required fields are marked *


Get AFTVnews articles in your inbox!

Get an email anytime a new article is published.
No Spam EVER and Cancel Anytime.