### Vulnerability Key Information

- **Vulnerability Name**: Authentication Bug in Hindotech HK1 TV Box
- **Severity**: 9.3 out of 10 on the CVSS severity scale
- **Impact**: Allows arbitrary code execution as root, leading to theft of social media tokens, Wi-Fi passwords, cookies, saved passwords, user location data, message history, emails, contacts, etc.
- **Specific Issue**: Lack of authentication in the debugging functions of the set-top box, specifically the UART serial debugging port and Android Debug Bridge (adb)
- **Affected Devices**: Hindotech HK1 TV Box S905X3, an Android-based streaming box
- **Potential Attack Vectors**: Attackers can escalate privileges, access sensitive data, and sniff network traffic on the same network.
- **Vendor Response**: No response from the vendor, Shenzhen Hindo, or Amlogic.
- **Related Research Team**: Sick.Codes

### Related Links

- [WarezTheRemote attack in Comcast's XR11 voice remote control](#)

### Tags

- IoT
- Vulnerabilities
- Web Security