TCL has responded to the backdoor claims:
https://support.tcl.com/vulnerabilities-found-in-tcl-android-tvsAlert: Vulnerabilities found in TCL Android TVsTCL was recently notified by an independent security researcher of two vulnerabilities in Android TV models. Once TCL received notification, the company quickly took steps to investigate, thoroughly test, develop patches, and implement a plan to send updates to resolve the matter. Updating devices and applications to enhance security is a regular occurrence in the technology industry, and these updates should be distributed to all affected Android TV models in the coming days.
TCL takes privacy and security very seriously, and particularly appreciates the vital role that independent researchers play in the technology ecosystem. We wish to thank the security researchers for bringing this matter to our attention as we work to advance the user experience. We are committed to bringing consumers secure and robust products, and we’re confident that we’re putting in place effective solutions for these devices.
FAQWho discovered these vulnerabilitiesThe discovery was made by two industry researchers @sickcodes and @johnjhacking.
Do these vulnerabilities apply to models sold in the USA or Canada?CVE-2020-27403 is not an issue in product deployed in North America. However, select televisions sold in the USA and Canada are affected by CVE-2020-28055. We expect to resolve this in the coming days.
Are all TCL televisions affected?TCL has deployed hundreds of models in North America and only a limited number are involved. The following models are impacted by CVE-2020-28055: 32S330, 40S330, 43S434, 50S434, 55S434, 65S434, and 75S434.
When was TCL made aware of these vulnerabilities?The TCL lab was made aware of the discovery at 11:30am on October 27. Within hours, the issues had been verified and the security compliance team triggered the vulnerability management response process. The solution for CVE-2020-27403 began deployment on October 30 via APK upgrade. The TCL lab is working around the clock to test the solution for a system upgrade to address CVE-2020-28055 to complete the modification of directory permissions. Pending successful testing, it is expected that updates will start being distributed in the coming days.