
Google and the FBI took down “Badbox 2.0” last month – ten million compromised TV streaming boxes being used by criminals. Malware on the devices connected them into a botnet for all kinds of badness: to conduct attacks on business and government targets; to display fraudulent “ads”; to spoof activity to inflate clicks and defraud advertisers and networks; and to steal sensitive information from home, business and school users.
Yes, I said “compromised TV streamers.” Not mine, probably not yours. They were the true bargain basement models with made-up brand names. You wouldn’t find them at Costco. They were available on Amazon, some even marked as “Amazon’s choice,” with ultra-cheap prices and boasting that they were “unlocked” or “jailbroken” so buyers could install dodgy apps. More likely you’d find this kind of cheap streamer in small independent neighborhood electronics shops or stalls run by street vendors.
In other words, this isn’t an action item, other than a reminder that we live in dangerous times and paranoia is still your best friend.
If you’re interested in cybersecurity, I’ll give you a little history, then a short version of the Badbox 2.0 story and how it was taken down by Google, the FBI, and industry partners.
IoT cybersecurity incidents
The most dangerous cyberattacks are directed against computers. In all the stories about viruses and hackers stealing passwords and business networks being compromised, computers are the target.
Over the last twenty-five years, the world has developed a huge array of internet connected devices that aren’t computers. Smart speakers, cars, Philips Hue light bulbs, thermostats and doorbells, refrigerators and washing machines and all the other appliances that come with apps, which is all of them now. My new Wolf range is online. Your next dishwasher will be online. Don’t ask why. It is the way of the world and resistance is futile.
The term “Internet of Things” never really caught on with consumers but it still turns up in articles when the devices are hacked. When you see the acronym “IoT” it means: almost anything connected to the internet other than computers.
Security weaknesses in IoT devices have already caused much grief.
Back in 2016 tens of millions of insecure IoT devices were built into a massive botnet (nicknamed “Mirai”), which was used to execute a Distributed Denial of Service attack that caused widespread outages at sites like Twitter, Netflix, Reddit, CNN, and more.
Weak passwords allowed Ring doorbells to be compromised in 2019, with hackers sometimes harassing families through the cameras’ speakers.
Over 1.4 million Jeep Cherokees were recalled in 2015 after security researchers demonstrated a vulnerability by taking control of an SUV while it was on the road.
Medical and industrial IoT devices have been increasingly targeted in the last few years for ransomware, data theft, and operational disruption.
And there’s more – takeovers of 150,000 security cameras in factories, hospitals, schools and prisons a few years ago; billions of sensitive records stolen from an IoT manufacturer’s database; more botnets launching DDoS attacks.
Badbox 2.0
Most people buy a device to run their TV – Apple TV+ or Google TV Streamer or Amazon Fire Stick or Roku.
There are cheap cheap cheap knockoffs of those brand names. You’d buy one, hook it up to your TV, and use it to click between Netflix and Disney.
The operating system on the low-end devices is a free version of Android. You associate that name with Google but Android is its own separate thing. Google will certify an Android device when manufacturers add required layers of protection. Major manufacturers do that because without the certification, they can’t include the Google apps (Chrome, YouTube, Maps, and all the rest) and nobody wants an Android device without Google apps.
Don’t worry about the details, just remember that the crimes on off-brand Android devices aren’t Google’s fault. Quite the contrary; Google works hard to lock out the bad guys and it was an important partner in the recent takedown.
So these cheap devices are built with a version of Android that can be used for evil. They’re infected with malware while they’re being manufactured or with malicious apps downloaded during setup. They appear to work normally but they have backdoors that can be used by criminals.
A botnet named Badbox, discovered in 2022 running on hijacked Android TV streamers, was taken down by law enforcement in early 2023. But the criminals came roaring back with a more sophisticated version, labeled Badbox 2.0 by security researchers.
There was a large range of criminal activity carried out by the infected streamers. This is just a sampling.
Hidden ads: The criminals installed apps to generate hidden ads that users would never see but which advertisers were made to believe had been viewed. Billions of fraudulent ad requests were generated in a single week, triggering payouts to the botnet’s operators.
Hidden web browser activity: Similarly, the devices would launch hidden web browsers that navigated to ad-heavy websites to continuously generate ad impressions and clicks. They would mimic user actions like scrolling, accepting cookies, and generating fake search queries.
Unauthorized access to compromised home networks: The criminals could route their internet activity through home IP addresses, making it appear legitimate. Then they’d resell that access to downstream criminals, who might use it to launch DDoS attacks, steal accounts and passwords, or launder their own illegal online activity.
After years of preparation, last month a coordinated action between Google, the FBI, and various threat intelligence teams took down a huge network linking tens of millions of infected machines, most of them TV streaming devices. Google used its leverage over app publishers linked to Badbox campaigns and took the lead on legal action targeting perpetrators and domains affiliated with the botnet. Among others, Google filed a lawsuit against 25 operators of the botnet in China for financial damages and reputation harm.
A nonprofit organization, the Shadowserver Foundation, helped identify the command-and-control servers directing the hijacked devices. It rerouted malicious traffic away from the criminals’ servers, the crucial step in taking infected devices away from criminal control.
It was an impressive joint effort that neutralized large portions of the Badbox infrastructure and cut off most of its monetization efforts. It’s not over, of course. New infected devices are still being sold and the criminals are constantly evolving their techniques. The FBI’s most recent Public Service Announcement warns that the bad guys are still working to exploit uncertified Android devices. Security experts are already expecting the attacks they will call “Badbox 3.”
Again: you almost certainly don’t have one of these compromised devices in your home unless you’ve been doing some serious bargain basement shopping or giggling about how easy it is to watch pirated movies on your Chinese TV. But the FBI’s checklist is worth keeping in mind for your next shopping trip. Watch for these giveaways:
- The presence of suspicious marketplaces where apps are downloaded.
- Requiring Google Play Protect settings to be disabled.
- Generic TV streaming devices advertised as unlocked or capable of accessing free content.
- IoT devices advertised from unrecognizable brands.
- Android devices that are not Play Protect certified.
- Unexplained or suspicious Internet traffic.
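One way to act on the last item on that list, “unexplained or suspicious Internet traffic”, as an added Python example that is not from the FBI’s announcement or from any of the companies named above: it reads a simple DNS query log from a home router (the log format, the IP addresses and the thresholds are all assumptions, and the sample log is constructed) and flags any device whose pattern looks like the hidden-browser ad fraud described above, meaning many distinct domains, a steady query rate, and activity in the middle of the night when nobody is watching TV.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; tune them to the network.
MAX_DISTINCT_DOMAINS = 25   # a TV streamer normally talks to a few CDN/API hosts
MAX_QUERIES_PER_HOUR = 60   # sustained rate typical of hidden browsers / proxy relaying
IDLE_HOURS = range(1, 6)    # 01:00-05:59, when nobody is watching TV

def parse_log(text):
    """Parse lines of '<ISO timestamp> <client IP> <queried domain>' (assumed format)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2].lower()))
    return events

def score_devices(events):
    """Return {client_ip: [reasons]} for devices whose DNS pattern trips a heuristic."""
    per_dev = defaultdict(list)
    for ts, ip, dom in events:
        per_dev[ip].append((ts, dom))
    findings = {}
    for ip, recs in per_dev.items():
        times = [t for t, _ in recs]
        span_h = max(1.0, (max(times) - min(times)).total_seconds() / 3600)
        domains = {d for _, d in recs}
        idle = sum(1 for t in times if t.hour in IDLE_HOURS)
        reasons = []
        if len(domains) > MAX_DISTINCT_DOMAINS:
            reasons.append(f"{len(domains)} distinct domains")
        if len(recs) / span_h > MAX_QUERIES_PER_HOUR:
            reasons.append(f"{len(recs) / span_h:.0f} queries/hour sustained")
        if idle / len(recs) > 0.1:
            reasons.append(f"{idle} queries during idle hours")
        if reasons:
            findings[ip] = reasons
    return findings

def constructed_log():
    """Constructed sample (not a real capture): one normal streamer, one hijacked box."""
    start = datetime(2025, 8, 1)
    lines = []
    for m in range(0, 120, 10):  # normal box: three CDN hosts, evening only
        t = start + timedelta(hours=20, minutes=m)
        lines.append(f"{t.isoformat()} 192.168.1.20 cdn{m % 3}.streamer.example")
    for i in range(24 * 120):  # hijacked box: a new ad-looking host every 30 s, all day
        t = start + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 192.168.1.77 ad{i % 40}.track.example")
    return "\n".join(lines)
```

Running `score_devices(parse_log(constructed_log()))` reports only the hijacked box, with all three reasons; point `parse_log` at a real resolver log (Pi-hole and most routers can export one) to try it on your own network.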
We might feel powerless in the face of western civilization falling apart, but be careful about the things within your control. Don’t buy your next TV streamer at a flea market, okay?