Is your Android TV streaming box part of a botnet?

The title qualifies "Android TV" with a "Streaming Box" right after. Lots of service providers supply such a box to subscribers (similarly to how ISPs provide all-in-one firewall-router-modems.) Even then these are extremely cheaply made, underpowered and largely unmaintained internet connected devices. And indeed you can purchase one such box yourself (including with piracy features as described here,) but I'd be surprised if the vast majority of these devices aren't supplied by the service providers.

I think the fact that regular stores are now stocking high-seas set top boxes is more proof that streaming is too overpriced now and media companies are too greedy.

Are they actually stocked in physical stores or online only? I think they're only sold online.

Another Section 230 victory! I can look the other way and sell and profit from illegal goods as long as I remove them when caught.

>But how do you secure a home network?

Not being glib, but by not buying "smart" devices whatsoever. Manual streaming boxes might actually stop being viable for Linux as different services crack down. But, if you cared about privacy or security you wouldn't roll the dice with this stuff. I don't mean that in a rude or self-righteous way. Rather, I think people don't really care about privacy or security very much. Giving up streaming sounds like a bit sacrifice to a lot of people, but if you contrived some scenario (really just for the sake of the argument) where your streaming devices were giving your kids mercury poisoning, you'd have no trouble giving them up. (and giving them up would really be the least of your worries) You might complain that mercury poison is not even remotely similar in severity it privacy or security concerns, and you'd be correct. But, that's the point I'm making. If people really cared about these issues then abstaining would be an easy decision. People claim to care, but don't actually take any action, and so I think they don't actually care that much.

Use multiple VLANs and SSIDs, and only punch holes or route between them (and to the WAN) if/when absolutely necessary.

It does make it harder to use these things. Some things may even become impossible to use effectively.

The simpler method is just to never trust anything, ever, but that's just a long-winded path that asymptotically approaches having a completely disconnected (airgapped) home.

But the usual default method is even easier. Just use the stuff on the default WLAN that is provided by the ISP like a commoner, have no local services at all (what homelab? what file server? what printer?), and fuhgetaboutit.

So what if the botnet spreads from the Android TV box to the light bulbs? As long as all of the things keep performing their primary roles (rule #1 of a successful infection: don't kill the host), then the bliss of ignorance will be complete.

Consumer vendors for routers/firewall combos are trash, but I think they'd go a long way in helping people by having an easy to turn on IoT vlan.

Matter devices run without internet access (at least this is the whole point of the spec, some manufacturers have fewer features without using the cloud based app, but to be Matter certified it must run locally to some extent), so blocking the vlan should be okay with a lot of IoT devices.

Random dodgy streamer box does need internet access though, so I think at best having a vlan (probably one just for it sadly) that doesn't have access to the rest of your internal network would be the only realistic solution. Still won't help prevent it from using your connection as part of a botnet though. It's a hard problem.

Unfortunately users are very adverse to learning anything about how their devices work, so I don't have any idea what can be done about the problem.

Maybe we have to rely on the state going after sellers of such pre-compromised devices? I'd say hold the users somewhat liable, maybe a small fine, when they are part of a botnet, and wave them when it's a "legit brand" that gets compromised outside of the users control? Pressure would need to be done on "legit" consumer manufacturers to actually provide security updates to somewhat older devices and not abandon them the minute the latest model is released.

You can use a diy mini pc with OpnSense for a router along with a dedicated AP box... most commercial AP boxes can configure for separate SSIDs and VLAN configurations... this can allow you to monitor, configure and block certain access to the devices on your network into different trust groups.

Also, just having a pihole configured for your dhcp dns helps a lot with some traffic, but it can interfere with some legit services (CBS was a really bad one in my experience).

That said, if you don't have the technical skills or desier to learn these things... as you said, don't buy anything that gives you "easy" or "cheap" access to pirate content. It is pretty crazy.

You should not assume that no one on your network is compromised. This is part of the thinking behind 0 trust.

> Trusting a random vendor, even on your home network, seems crazy.

Random vendors who promise unlimited free streaming, no less. Even if they're pirating the content, video streaming infrastructure still costs good money to run, so they're obviously making up for it by monetizing the boxes in some other way.

That's a little over reaction.

Most wifi routers have a guest network mode, that does the first few good steps.

Devices on the guest network can't see or ping devices on your main home network.

But... if appropriately configured the home network should be able to see the devices on the guest network.

There's a few great guides out there that help plan out your home network for such undertakings.

I use vyos instead of OpenWRT, but I'd presume OpenWRT can mirror a port? It'd be better to do it on your switch of course. But you could mirror your traffic going across the LAN-WAN barrier and direct it to a security onion install, it's an opensource IDS. It has pretty heavy demands, but traffic analysis is not an easy, computationally cheap task.