Cybersecurity firm Bitdefender has identified three security vulnerabilities in Fire TV devices that it says have been patched in Amazon’s recent software updates. The vulnerabilities were discovered and divulged to Amazon in December 2022 and were patched last month.
Fire TV devices are constantly receiving software updates, both for the operating system and for individual system components. It’s likely that security vulnerabilities are found and patched on a regular basis, but Amazon does not publish any details about them. It’s only because Bitdefender was involved with these particular vulnerabilities that we’re being made aware of their specifics.
Bitdefender says these vulnerabilities could have allowed an attacker to gain control of the Fire TV device; however, Amazon says there is “no evidence that this issue has been used against customers.” Bitdefender specifically calls out v6.2.9.5 of Fire OS 6 on an Insignia Fire TV and v7.6.3.3 of Fire OS 7 on a 3rd-gen Fire TV Stick as the last vulnerable Fire TV software versions, but you can’t just go by those version numbers, because different Fire TV models have different version numbers that count as up to date. Ultimately, if your Fire TV device reports that no software updates are available when you check under Settings > My Fire TV > About, then it is likely not vulnerable even if it reports a software version number that is older than the ones mentioned.
OK, I am looking for some clarity here…
1) Users of firesticks don’t use email on these devices, so there is little chance of receiving malware attachments, phishing scheme emails, etc.
2) Users of firesticks don’t typically browse the internet in a web browser and click on links to potential malware sites.
So, how exactly would these security vulnerabilities be exploited?
The only thing that comes to mind is sideloading a malicious app. If that’s pretty much the only way, then that’s not too bad because if users stopped the Amazon updates so it won’t break your stick (stop 3rd party launchers, debloating), then if you just make sure you only sideload reputable apps, you should be ok.
Or am I missing something?
I use the built in Silk Internet Browser to browse the internet every day.
“Bitdefender has identified three security vulnerabilities”
* 1st vulnerability was in the {FireTV Remote App Pairing} pin authenticator, system-app LightningServer, package:(com.amazon.storm.lightning.services); this system-app is not normally on anybody’s debloat list, and that system-app update was pushed to devices April 12th that don’t have updates blocked. The vector for this vulnerability is the WhisperPlay API and Whisperlink, and when Amazon started protecting packages to thwart device mods Whisperlink is one of those packages that can’t be disabled now.
* 2nd vulnerability could have allowed malicious JavaScript code to be delivered/executed through WebView. WebView is usually updated monthly by Amazon. But if you blocked updates and need to “sideload”, the latest versions of both WebView and LightningServer can be found here [https://github.com/Pro-me3us/raven_firmware].
* 3rd vulnerability is the dangerous one, but I’m not too sure it can be used/applied unless vulnerability 1 or 2 were first used to gain privileged access to the device.
* Stay safe, Bitdefender published the Whitepaper if you want to give it a thorough read; hopefully my quick 3-point interpretation of that Whitepaper helps. There is a download hyperlink for the Whitepaper on the Bitdefender webpage Elias linked above.
Not all vulnerabilities require user interaction, use of email or browsing or access to the device. The recent Samsung Exynos vulnerabilities merely required a phone service connection and/or use of other services. Unfortunately Samsung took longer to fix those issues than Amazon did to fix these, even though the risk was likely greater.
It’s possible for another infected device, like a phone or computer, to infect a Fire TV over a local home network if the right type of vulnerability is present. Similarly, Fire TVs with ADB debugging enabled were being infected a few years ago by viruses on other devices which were scanning for Android devices. This is likely one of the reasons why Amazon switched ADB on Fire TVs to now require manual on-device confirmation of the ADB connection before commands can be executed. It’s also possible for an ad, which many legit Fire TV apps use, to be malicious if, for example, there is a JavaScript vulnerability. So there are multiple ways for a virus to make its way onto a device like a Fire TV without you actively surfing the web or installing software on the device.
Tried downloading a third party app that I have used a number of times but it will not download now; it keeps coming up with a connection error. Have tried uninstalling and re-installing and doing all the other stuff. Do you currently have any issues?
Since doing this update my 4K Fire stick (Aug 2022 purchase) no longer turns on when connected to the USB port on my TV. I know it is not ideal using the TV USB however it has never been an issue, until now. It just gets stuck in a boot loop. I have to provide more power to the fire stick to get it to complete the boot up process
Why have they done this?