Most smart devices run outdated web browsers, expose owners to attacks


Most smart devices on today’s market ship with embedded web browsers that are extremely out of date, a new study has found. This exposes device buyers to cyberattacks as soon as they turn on their new gadgets.

An academic study from the Catholic University of Leuven, Belgium (KU Leuven), examined browsers embedded in smart TVs from Samsung, LG, and Philips, as well as e-readers such as Kindle and Kobo, gaming consoles, and other modern devices.

On these consumer products, the browsers usually serve as secondary features for users who typically only open them on rare occasions – but they’re there, and that, apparently, is not an insignificant problem.


That’s because, simply put, they’re deeply unsafe. In the study, researchers found that all five e-readers tested and 24 of 35 smart TV models used embedded browsers that were at least three years behind the current versions.

“While users can rely on the transparent security practices and frequent updates of standalone browsers, integrated browsers often lack these guarantees,” the paper says.


Some devices were actually released with vulnerable browsers from day one. For instance, researchers found eight products that shipped with three-year-old browsers at launch, essentially exposing their buyers to attacks as soon as they turned on their products.

While some manufacturers advertised free firmware updates, most failed to update the embedded browsers.

Naturally, expecting product vendors to update their embedded software indefinitely would be unrealistic, the paper rightly notes.

But device makers have even failed to incorporate the free automatic updates that most current browser makers provide. Why? It’s the money, of course, the authors of the study say.


“We suspect that, for some products, this issue stems from the user-facing embedded browser being integrated with other UI components, making updates challenging – especially when bundled in frameworks like Electron, where updating the browser requires updating the entire framework,” the researchers explain.

“This can break dependencies and increase development costs.”

The KU Leuven team reported its findings to Belgian and US authorities, but only the Belgian Centre for Cybersecurity has apparently tried to speak with vendors. The US Federal Trade Commission didn’t respond.

Besides, in most cases, the browsers are embedded in the smart device user interface without their normal browser UI, so most device owners wouldn’t be able to install updates even if they wanted to.

These types of deployments require the vendor to take the browser update, add it to its firmware, and then ship a firmware update. That’s something that many vendors don’t do because it costs too much.

By 2027, hardware vendors in the European Union will be required to ship regular and timely security updates under the new EU Cyber Resilience Act. These updates will have to cover browser updates if the devices are commonly used to navigate the web.

