Can your streaming box get infected with malware?

There’s a recent article from our own Chris Brantner in Forbes. According to Chris, more people now pay for streaming than cable. That didn’t take long — consider that only a decade ago barely a tenth of us paid for any sort of streaming video. There’s no question that streaming is a powerhouse, and that it’s the future of video delivery. But, as with all futures there’s some degree of uncertainty. Streaming boxes are so common now, but are they at risk of malware?

Malware and mobile devices

There was a time when we talked about malware and only meant computer viruses. Some malware was annoying, some slowed down your computer, but no matter the type it was always a problem. We’ve been using antivirus software on our computers for two decades now. Most of us don’t use it on our phones, though.

The threat of malware on mobile devices can be very real. Apple’s iOS has been largely immune to it, surprisingly. iOS is built on a secure foundation and its App Store is extremely picky about what apps can be there. So far this methodology has made it possible for iPhone users to be almost impervious to downloaded problems.

Android phones have had more of a checkered past. While today it’s fair to say that the Google Play store is safe, that hasn’t always been the case. Google’s own SmartScreen technology helps identify bad apps, but it’s still possible for bad stuff to get through. Unlike iPhones, Androids can be unlocked and made wide open. You can choose to go to whatever app store you want and there’s no guarantee that some outside app store will be safe.

How does this apply to streaming boxes?

The AppleTV box runs an operating system derived from iOS, which itself was derived from the core software of a Mac. It inherits its resistance to malware, and AppleTV also uses the same App Store model as the phones. That makes it very unlikely that you’ll see malware there.

Roku boxes are theoretically very hackable although no one has really found a way to exploit that yet. The good thing about Roku is that the boxes themselves are really very underpowered from a computing point of view. They have the chips they need to process video but as general-purpose computers they aren’t very good. This makes them undesirable from the point of view of malware. It’s not impossible to hack a Roku, though. Just because we haven’t heard of someone putting something nasty on one doesn’t mean it won’t happen.

Smart TVs are similar to Roku in that way. It is definitely possible to hack a smart TV, especially since many of them will let you upgrade the firmware using a USB stick. That opens the door to all sorts of potential hacks, but at least you’re only hacking the TV in front of you. The bigger threat with smart TVs is privacy. Several years ago there was a story that Samsung was always recording using its camera and microphone. Considering all the time you spend looking at a TV, it’s scary to think it could be looking back at you.

And now, we come to Android TV

Android TV devices like the AirTV Player and Channel Master Stream+ could be very vulnerable to malware. They run on a version of the vulnerable Android operating system and they will let you load apps directly, bypassing the Google Play store.

The good news here is that even though it’s theoretically possible to hack these devices, it isn’t easy. I spent several days trying to root an AirTV Player but I couldn’t do it. The software has been customized enough that off-the-shelf rooting tools don’t do it. The same looks to be true of the Stream+. I wouldn’t worry too much about malware as long as you stay with the Google Play Store.

How to stay safe with streaming boxes

Of course you should always make sure you’re being smart with all these devices. Keep them on a separate network from any device that stores your passwords like a PC or networked hard drive. If possible, put them on a guest network that can’t see the rest of your devices at all. I do expect at some point that someone will find a way to put malware on a streaming box, and at that point, you’ll be glad you were careful.

About the Author

Stuart Sweet
Stuart Sweet is the editor-in-chief of The Solid Signal Blog and a "master plumber" at Signal Group, LLC. He is the author of over 9,000 articles and longform tutorials including many posted here. Reach him by clicking on "Contact the Editor" at the bottom of this page.