Looking for security contact at TCL Corporation

Looking for security contact at TCL Corporation urgently:

  • DM’ed 4 of their global Twitters (still posting new updates to their feed)
  • Emailed their support team
  • Left a contact form
  • Blind emailed security at tcl.com
  • Spoke to live chat who said he would forward it on
  • Emailed Android CNA RE: Open Handset Alliance member since TCL makes Alcatel mobiles and owned BlackBerry Mobile and Palm phones (BlackBerry is a CNA)
  • @'ed them on Twitter (deleted after 24hrs)

<3

If it’s a private contact, my DMs are open on Twitter
https://twitter.com/sickcodes


Hello, can you give me an approximate estimation of the timeline between these steps?

Greetings @johnjhacking! Sure can, here’s the semi-redacted version of the contact timeline so far:

Friday Night

  • 2020-10-16 - Researcher discovers vulnerability
  • 2020-10-16 - Researcher direct messages (DM) Vendor via Twitter to all of their Twitter Accounts.
  • 2020-10-16 - Researcher submits contact form at Vendor website.
  • 2020-10-16 - Researcher requests CVE.
  • 2020-10-17 - Researcher inboxes Vendor via Twitter DM, again, to confirm receipt of DM.
  • 2020-10-17 - Researcher live-chats to customer support of Vendor and support agent confirms they will forward report to engineering team.
  • 2020-10-18 - Researcher cancels CVE request and emails appropriate CNA (Google CNA covers Open Handset Alliance members, who run Android [Smart TVs are Android and TCL is a member as they make Alcatel phones])*.
  • 2020-10-20 - Researcher inboxes Vendor via Twitter DM, again. Researcher is feeling ghosted as Twitter account is actively posting, but not replying.
  • 2020-10-20 - Researcher blind emails security @ company dot com.
  • 2020-10-20 - Researcher posts here on The “looking for a contact at XYZ company” thread requesting assistance in contacting the security team at TCL.
  • 2020-10-20 - Researcher phones Customer Support requesting assistance, or to forward the report to the engineering team. Phone agent states they will escalate it.
  • 2020-10-21 - A fellow researcher reaches out via Twitter DM from reading this message board and supplies contact details from within TCL. Main researcher emails that contact**.
  • 2020-10-21 - Vendor’s Customer Support finally replies to live-chat on 2020-10-16 via email with the following message ***:
    “Hope this email finds you well. We have carefully reviewed your email, may we verify for you further elaborate your concern about our XXXXXX TV model?”
  • 2020-10-21 - Researcher replies to above model number request, while CC’ing the security contact within TCL, stating that it affects ALL of the TV model numbers that are running the firmware number which is stated in the email on 16th.

Thursday today, no response from security team yet (approaching 7 days).

Eventually this Vendor will respond. I hope this timeline helps others out there doing off-platform security reports. Sometimes they’re just as fun as looking for the bugs! Will edit this post as the timeline changes.

** Feel free to DM me on Twitter for the TCL contact, if you need it. I’m not sure if it works yet though. Thank you to the guy who sent it to me, you know who you are!

*** Fully prepared report example: CVE-2020-15590 - Private Internet Access VPN for Linux – Exposure of Sensitive Information to an Unauthorized Actor - Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!

Always include semi-standard titles like vuln/exploit, details, mitigation, links so that the bug scraping bots out there can distribute your reports properly. Make it easy for the bots!

Above report in GitHub mode: security/SICK-2020-001.md at master · sickcodes/security · GitHub

And in Markdown mode: https://raw.githubusercontent.com/sickcodes/security/master/advisories/SICK-2020-001.md

Feel free to copy the format above.

NB: Even if MITRE doesn’t assign a CVE for your vulnerability, it is obviously still in the general interest of humanity to know about software bugs, especially for people who use that software. Consider self-publishing reports like I have started doing: CVE-2020-27402 - Hindotech HK1 TV Box - Root Privilege Escalation - Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!. It may still get picked up by bug scraping bots and save somebody’s computer from ransomware one day!
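As an added illustration of the "semi-standard titles" advice above (this is not code from the thread or from the sickcodes/security repository), the following Python checks that a Markdown advisory carries the section headings the post recommends (vuln/exploit, details, mitigation, links) and pulls out any CVE IDs it mentions, so a report can be linted before it is self-published. The heading patterns, the sample advisory text and the `CVE-2020-00000` identifier in it are all constructed for this example, not taken from any real advisory.

```python
import re

# Constructed sample advisory in the sectioned style the post recommends.
# Title, product, firmware version and CVE ID are placeholders, not real data.
SAMPLE_ADVISORY = """# SICK-2020-XXX - Example Vendor Widget - Example Weakness

## Vulnerability / Exploit
Placeholder summary; CVE-2020-00000 is a constructed identifier.

## Details
Affected firmware: v1.2.3 (constructed).

## Mitigation
Update to the vendor's fixed release.

## Links
- https://example.invalid/advisory
"""

# Assumed aliases for each required section; a heading matching any alias counts.
REQUIRED_SECTIONS = {
    "vuln": re.compile(r"vuln|exploit", re.I),
    "details": re.compile(r"details?", re.I),
    "mitigation": re.compile(r"mitigation|remediation|fix", re.I),
    "links": re.compile(r"links?|references?", re.I),
}

# ATX-style Markdown headings ("# Title", "## Section"), optional trailing hashes.
HEADING_RE = re.compile(r"^\s{0,3}#{1,6}\s+(.*?)\s*#*\s*$", re.M)
# CVE identifier: year plus at least four digits (MITRE allows longer suffixes).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def headings(markdown):
    """Return the text of every Markdown heading, in document order."""
    return [h.strip() for h in HEADING_RE.findall(markdown)]


def missing_sections(markdown):
    """Names of required sections for which no heading matches."""
    found = headings(markdown)
    return [
        name
        for name, pattern in REQUIRED_SECTIONS.items()
        if not any(pattern.search(h) for h in found)
    ]


def cve_ids(markdown):
    """Sorted, de-duplicated CVE IDs mentioned anywhere in the advisory."""
    return sorted(set(CVE_RE.findall(markdown)))


def lint(markdown):
    """Summarise what a heading-driven scraper would see in this advisory."""
    found = headings(markdown)
    return {
        "title": found[0] if found else None,
        "missing": missing_sections(markdown),
        "cves": cve_ids(markdown),
    }


if __name__ == "__main__":
    report = lint(SAMPLE_ADVISORY)
    print("Title:", report["title"])
    print("Missing sections:", report["missing"] or "none")
    print("CVE IDs:", report["cves"] or "none")
```

Run it against the Markdown file before publishing; an empty `missing` list means every recommended section heading is present, and `cves` shows which identifiers a scraper would index the report under.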

Thank you for the great information. I think we can undoubtedly get you some help. I want to comment on a specific portion here (also - seriously, great detail, more researchers need to do this).

They responded to your email today and asked for more information, which is a good step. It appears that you gave them the information too. Let’s keep an eye out on that. In the interim, I will do a Social Media tag. I’ve found great success doing so for other researchers. Let me tag you in a post, get a little bit of visibility, and ultimately we can address next steps if you do not hear back by Monday.

Social Media tag was ineffective, even after being shared multiple times. I contacted the support line myself and the support representative told me that none of the Social Media pages nor support lines have the Security team’s contact info. This vulnerability is Severely Critical and I have validated it.

I coordinated disclosure through CERT with sickcodes.

It sounds as though the vendor is responsive now?

Only the vendor’s support phone line has responded, and they have no contact to Security and basically said that they did not know how to help. The CERT is a better option in this instance.

As an update, we sent a follow up email, including some new email distros and one high-profile employee. We are still awaiting a response.

Receipt of report has been acknowledged, we will update further as developments continue and a fix is achieved.

Update: Still waiting on patching status, still waiting on CVE IDs.

CVE IDs assigned - waiting for patch confirmation.

The vulnerabilities are now fully disclosed.

Update for readers!

This bug won the Worst in Show award at CES 2021 as presented by The Repair Association via iFixit:

TCL publicly acknowledged the vulnerabilities:

Our original research:

As expanded on by Paul Roberts:

Featured in major tech news sites:

And also on TV:

Then subsequently by The Department of Homeland Security:

https://twitter.com/sickcodes/status/1341413452359856135