A REAL Threat:
As I write this, it was only a few days ago that the Kodi Foundation made an important announcement about the vulnerability of the system when installing third party content (full details here). Coincidentally, it was just a few days before that announcement that a concerned user sent details of the first truly serious virus based add-on I’ve encountered (in 10 years of using XBMC/Kodi). The file was a repository and when looking at the code it appeared innocent enough, however when it auto-updated it installed some new “fake” repositories. These new files masked themselves as other very popular add-ons which a lot of users would have on their system, and the code in these fake add-ons proceeded to completely wipe my system.
The above is just one example of how vulnerable the system is and no, I shall not be naming this repo – as far as I can tell it’s not in the public domain and it may well have just been a hacker’s playtime script. That being said, it bounced off many different servers and the author went to great lengths to hide the malicious code. This prompted me to delve deeper into Kodi security and I found some very disturbing truths…
I’m sure many users out there have repositories installed that are no longer working, however unless you know how to read a log or you regularly check the status on the Add-on Portal you wouldn’t be aware that the repos are broken and no longer being maintained. Well, did you realise that by keeping old repositories on your system you’re leaving the gate wide open for hackers? You may as well have a bright neon light outside your house saying “front door open, please take whatever you like”!
The foundation has said it, many of the popular third party sites have said it and I’m exhausted from continually saying it, but for one more time… “DO NOT BUY FULLY LOADED UNITS!!!”. Unfortunately it seems to be the popular way of selling Kodi based units these days and those selling these units should be ashamed of themselves. By “fully loading” a unit you’re doing the hackers’ job for them and opening up some severe security flaws. If you’ve purchased one of these boxes I would highly recommend reinstalling Kodi fresh and then only adding the content you trust. It’s been said time and time again just what harm these sellers are doing to the community so I’m not going to venture into that debate, but there must now be hundreds of thousands of units out there that are open to huge security breaches. These units are dotted all over the globe with the users completely unaware of the risks.
So What Exactly Is The Risk?
You may think this is just scaremongering but I can assure you that is most definitely not the case. When you install any software on any system you’re putting your trust in the author – we all know that when installing content on our PCs and I’m sure we’ve all had our fair share of viruses over the years. Well, installing items on your Kodi device is no different, so why wouldn’t we be more vigilant when choosing what to install?
Problem 1: Once an item is installed the author could put any code in there and, due to the fact the code is running inside Kodi (an app that you’ve given system permissions to), they will have FULL unrestricted access to your whole system. If you’re using something that only runs Kodi (such as an OpenELEC device) then it’s not too bad; at worst you may get your system wiped or someone could easily steal any login details you’ve put into add-ons, although that could then lead to bank accounts. If, however, you’re on a proper operating system with web browser, apps etc. then the developer you’ve put your trust in could easily access your most personal information, which could gain them access to emails, bank accounts – just about everything on your system. This can be done via any form of add-on – plugins, skins, modules, repositories, they all have the same abilities.
Problem 2: I briefly mentioned the issue with having old repositories installed, well, let’s just think for a moment what that means… At the time of writing this article there are 609 Kodi repositories scanned into the Add-on Portal library and 84 of those are now dead, no longer being maintained. Thousands of users still have those repositories installed and have no idea what a security issue that is. Kodi is continually checking these repositories to see if anything needs updating and luckily at the moment it’s just hitting empty pages, however what if a hacker decides to buy one of the domains these repos are linking to? Well, they would suddenly have full unrestricted access to hundreds of thousands of users’ systems and could push any malicious code they wanted. Having your system wiped would be the least of your problems at this point!
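To make Problem 2 checkable on your own install, here is an added example (not code from Security Shield or the Add-on Portal) that reads a repository add-on's addon.xml and flags update URLs whose host no longer resolves. It goes slightly beyond the text by also flagging URLs not fetched over HTTPS; the sample add-on id and host names are constructed.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REPO_POINT = "xbmc.addon.repository"  # extension point used by Kodi repository add-ons

# Constructed sample: a repository add-on's addon.xml (hypothetical id and hosts).
SAMPLE_ADDON_XML = """<addon id="repository.example" name="Example Repo" version="1.0.0" provider-name="someone">
  <extension point="xbmc.addon.repository" name="Example Repo">
    <info compressed="false">http://dead-repo.invalid/addons.xml</info>
    <checksum>http://dead-repo.invalid/addons.xml.md5</checksum>
    <datadir zip="true">https://files.example.invalid/zips/</datadir>
  </extension>
</addon>"""


def resolves(host):
    """True if the host name currently resolves in DNS."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False


def audit_repository(addon_xml, resolver=resolves):
    """Return (addon_id, findings) for one repository addon.xml string."""
    root = ET.fromstring(addon_xml)
    findings = []
    for ext in root.iter("extension"):
        if ext.get("point") != REPO_POINT:
            continue
        # info/checksum/datadir may sit directly under the extension or inside <dir> blocks
        for el in ext.iter():
            if el.tag not in ("info", "checksum", "datadir") or not (el.text or "").strip():
                continue
            url = urlparse(el.text.strip())
            if url.scheme != "https":
                findings.append((el.tag, url.hostname, "not fetched over HTTPS"))
            if url.hostname and not resolver(url.hostname):
                findings.append((el.tag, url.hostname, "host does not resolve; repo may be abandoned"))
    return root.get("id"), findings


if __name__ == "__main__":
    addon_id, findings = audit_repository(SAMPLE_ADDON_XML)
    for tag, host, issue in findings:
        print(f"{addon_id}: <{tag}> {host}: {issue}")
```

A host that still resolves is not proof the repository is maintained, so treat a clean result as "nothing obviously dead" and uninstall any repository you no longer use.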
What Can I Do To Prevent This?
Well luckily at the moment I’m not aware of any publicly released content that’s specifically designed for malicious intent, that’s not to say it’s not already out there but I personally haven’t come across anything. There has been a worrying trend of add-ons performing tasks outside of their installation path though, some are innocent and give warnings of what they are about to do but there have already been some deliberately deleting other add-ons. If you have content installed by a developer who’s done something like this you may want to seriously re-consider just how trustworthy they are and whether that’s the sort of person you want to grant full system access to.
There is some good news for all you lovely Kodi users out there though… As soon as I started to think about the serious security flaws (and I’ve really only just touched on the subject) I realised something needed to be done, so I dropped all other priorities this week and focused on a security based add-on for Kodi. The Add-on Portal has had some work done to it and as that’s the largest index of add-ons in the world we can use that as a master “library” to check against. For the most part it’s automated and the new Security Shield add-on will notify you of anything on your system that’s deprecated, but as with all good AV systems it also has a community based side to it. You can submit details on the forum of any add-ons you’ve found to be containing harmful code and, so long as the team have sufficient proof and are all in agreement, the questionable add-on can be flagged as potentially dangerous. When you run a scan using the Security Shield add-on, full details will appear of why certain items have been flagged and it’s the user’s decision as to whether or not they want to quarantine the items. The items can even be added to your local whitelist so they don’t appear in any future scans. Full details will be coming soon but you can find the add-on in the noobsandnerds repository.
I doubt anyone in the various Kodi communities will have anything bad to say about the new Security Shield add-on as it’s a very much needed and well overdue addition, however if you do hear of a developer trying to bad-mouth it I would highly suggest checking the code in their add-ons. The only people that should have a problem with this software are those that have something to hide and as we all know there are plenty of hidden agendas in the community at the moment! The add-on uses a combination of automated system tasks to deduce what could potentially be harmful and there is certainly nobody here making up some list of good/bad add-ons. If you’re worried about some of the add-ons being picked up as “services” on your Kodi install please contact the developer, who should be more than happy to explain why they’ve added a service. If you can’t get a reply from the developer feel free to post details on the forum here and I will be more than happy to look through the code for you. If any developers out there would like to add comments to the Add-on Portal as to why a specific add-on has a service running you can notify one of the team, who will be more than happy to add the details for you.
Be safe everyone and please do be extra vigilant when installing content on your system, only install from sources you know you can trust – if it’s not in the official Kodi repository you’re taking a risk. I can vouch for the noobsandnerds repo and I would hope those of you that know me already know everything I do is for the benefit of the community but at the end of the day it is a “third party” repository so if you don’t know me or aren’t familiar with noobsandnerds make sure you do your homework and check before installing :).