Last week, the FBI issued an alert regarding a significant cybercrime operation taking advantage of common internet-enabled devices. This botnet, referred to as BADBOX 2.0, has discreetly penetrated millions of devices, including TV streaming boxes, digital projectors, tablets, vehicle infotainment systems, and other smart home gadgets across the United States.
Understanding BADBOX 2.0
Once these devices are compromised, they do not merely operate poorly or crash; they covertly incorporate your home internet connection into a residential proxy network. As a result, cybercriminals can use your IP address to carry out illicit activities such as ad fraud and data scraping—all occurring without the owner’s awareness.
“This is all completely unbeknownst to the poor users who bought these devices simply to watch Netflix or whatever,” commented Gavin Reid, chief information security officer at the cybersecurity firm Human Security, in an interview with Wired.
Which devices are at risk?
The FBI reports that BADBOX 2.0 has infected:
- TV streaming boxes
- Digital projectors
- Aftermarket vehicle infotainment systems
- Digital picture frames
Many of these devices are produced in China and sold under obscure or generic brands. Security experts estimate that there are at least 1 million active infections worldwide, with the botnet likely involving several million devices overall. The most affected products come from the “TV98” and “X96” families of Android-based devices, both of which are currently available on Amazon. One device among these is marketed as “Amazon’s Choice.”
How infections occur
Infections can typically originate from two sources:
- Pre-installed malware: Some devices are already compromised before they reach consumers, having been tampered with prior to sale.
- Malicious app installations: Users may be encouraged to install applications from unofficial marketplaces during device setup, leading to malware infiltration.
This represents a shift from the earlier BADBOX campaign, which primarily focused on firmware-level infections. The updated version is more agile, utilizing software tricks and deceptive apps to extend its reach.
Identifying an infected device
Here are some warning signs to look for:
- The device requests you to disable Google Play Protect
- It comes from an unknown or lesser-known brand
- It claims to be “unlocked” or capable of streaming free content
- It redirects you to download applications from unofficial stores
- You detect unusual internet activity on your home network
Securing your home network
To enhance your safety, the FBI advises the following precautions:
- Steer clear of unofficial app stores: Use only the Google Play Store or Apple’s App Store.
- Avoid suspicious deals: Extremely cheap, unbranded devices are often too good to be true.
- Monitor your home network: Watch for unusual internet traffic or unknown devices.
- Keep devices updated: Regularly apply the latest firmware and security updates to your devices and router.
If you believe a device on your network may be compromised, disconnect it immediately and consider reporting the issue to the FBI at www.ic3.gov.
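The "monitor your home network" advice above is easier to act on with something concrete to run. The following is an added example (not from the FBI alert or the article): a small Python script that reads per-connection router log lines and flags devices that are either absent from a household inventory or that fan out to many unrelated destinations and ports, which is what a residential-proxy node looks like from the LAN side. The log format, the inventory, the sample lines and the thresholds are all constructed for this illustration; real routers and flow exporters differ, so adapt `parse_log` to whatever your router or firewall actually emits.

```python
"""
Flag LAN devices that behave like residential-proxy nodes.

Added example, not code from the FBI alert or the article. It assumes a
constructed log format with one line per outbound connection:
    <timestamp> <source MAC> <source IP> <dest IP> <dest port> <bytes out>
Adapt parse_log() to your own router or flow-export format.
"""
from dataclasses import dataclass, field

# Constructed inventory of devices the household expects to see.
KNOWN_DEVICES = {
    "b8:27:eb:11:22:33": "family laptop",
    "a4:c3:f0:aa:bb:cc": "living-room TV box",
}

# Constructed sample log (not real traffic; all addresses are RFC 5737
# documentation ranges). The laptop talks to two hosts on one port; the TV box
# opens connections to many unrelated hosts on many ports, the fan-out pattern
# of a device relaying someone else's traffic; the last MAC is not in the
# inventory at all. A malformed line is included to exercise the parser.
SAMPLE_LOG = """\
2025-06-10T20:01:02 b8:27:eb:11:22:33 192.168.1.20 192.0.2.10 443 1820
2025-06-10T20:01:05 b8:27:eb:11:22:33 192.168.1.20 192.0.2.10 443 910
2025-06-10T20:01:09 b8:27:eb:11:22:33 192.168.1.20 192.0.2.44 443 4400
2025-06-10T20:01:10 a4:c3:f0:aa:bb:cc 192.168.1.42 203.0.113.7 8080 620
2025-06-10T20:01:11 a4:c3:f0:aa:bb:cc 192.168.1.42 198.51.100.9 80 310
2025-06-10T20:01:12 a4:c3:f0:aa:bb:cc 192.168.1.42 203.0.113.55 443 505
2025-06-10T20:01:13 a4:c3:f0:aa:bb:cc 192.168.1.42 198.51.100.130 8443 280
2025-06-10T20:01:14 a4:c3:f0:aa:bb:cc 192.168.1.42 203.0.113.201 25 150
2025-06-10T20:01:15 a4:c3:f0:aa:bb:cc 192.168.1.42 198.51.100.77 3128 990
2025-06-10T20:01:16 a4:c3:f0:aa:bb:cc 192.168.1.42 203.0.113.18 443 410
2025-06-10T20:01:20 00:1a:2b:3c:4d:5e 192.168.1.77 192.0.2.99 443 700
malformed line that the parser should skip
"""


@dataclass
class DeviceStats:
    """Per-device aggregate over the analysed log window."""
    name: str
    connections: int = 0
    bytes_out: int = 0
    dst_ips: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)


def parse_log(text):
    """Parse the constructed format into records; skip lines that do not fit."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # wrong field count: skip rather than crash
        ts, mac, src, dst, port, nbytes = parts
        try:
            records.append({"ts": ts, "mac": mac.lower(), "src": src,
                            "dst": dst, "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            continue  # non-numeric port or byte count
    return records


def summarize(records, inventory):
    """Aggregate connections, bytes and distinct destinations per source MAC."""
    stats = {}
    for r in records:
        s = stats.setdefault(r["mac"],
                             DeviceStats(name=inventory.get(r["mac"], "UNKNOWN")))
        s.connections += 1
        s.bytes_out += r["bytes"]
        s.dst_ips.add(r["dst"])
        s.dst_ports.add(r["port"])
    return stats


def find_suspicious(records, inventory, max_dst_ips=5, max_dst_ports=3):
    """Return {mac: [reasons]} for devices worth a closer look.

    Thresholds are illustrative; tune them against a quiet baseline of your
    own network before relying on them.
    """
    findings = {}
    for mac, s in summarize(records, inventory).items():
        reasons = []
        if mac not in inventory:
            reasons.append("device not in inventory")
        if len(s.dst_ips) > max_dst_ips:
            reasons.append(f"{len(s.dst_ips)} distinct destinations (proxy-like fan-out)")
        if len(s.dst_ports) > max_dst_ports:
            reasons.append(f"{len(s.dst_ports)} distinct destination ports")
        if reasons:
            findings[mac] = reasons
    return findings


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG), KNOWN_DEVICES)
    for mac, reasons in find_suspicious(parse_log(SAMPLE_LOG), KNOWN_DEVICES).items():
        print(f"{mac} ({stats[mac].name}): " + "; ".join(reasons))
```

Run as-is it reports the TV box for fan-out across destinations and ports and the unlisted MAC as an unknown device, while the laptop stays quiet. The distinct-destination and distinct-port counts are the useful signal here: a streaming box should talk to a handful of content and update servers on 443, not to dozens of unrelated hosts on mail, proxy and arbitrary high ports. A device that trips these checks is a candidate for the article's advice to disconnect it and investigate, not proof of infection on its own.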
Be wary of bargain gadgets
If a deal seems too good to be true, it likely is. Fyodor Yarochkin, a senior threat researcher at Trend Micro, summed it up well: “There is no free cheese unless the cheese is in a mousetrap.”