You will no doubt already be aware a vulnerability was found in the way some media players process downloaded subtitle zips. YES, there IS a flaw, but the scaremongering going on is hideously exploitative and misleading.

“You need to bin your old box and invest in new ones” – ever stop to wonder who is benefiting from millions of new sales? This is called driving indirect sales: knowing that the MILLIONS of users with old boxes will be buying, and if you have a company, you’re bound to pick up your market share.

If it wasn’t so serious, these two posts, contradicting each other, are an example of how things can be given a spin – even the FTMC post is loaded with “you poor suckers who can’t afford a new box”? Really? Many users are single parents or low-paid workers, like nurses, shop workers etc., whose only choice is to cut their costs using Kodi rather than pay the extortionate prices of satellite and cable companies. So what if they can’t afford a new box? The idea of a community is to support all users as best you can.

Note the date on this shot from their Facebook page; they posted this solution previously, complete with patronising commentary too:

Every tuber, blogger and clickbait merchant is posting the same “this is critical and the world will stop spinning” garbage. Maybe someone should explain that Kodi is wide open to abuse anyway (more on this later!).

If you have the TV Addons repo installed you will get another of their scaremongering popups… (apologies for the poor pic) “You must upgrade to 17.. or you will be hacked”. B*ll***s! Even Kodi themselves stated on Twitter;

This is of course utter nonsense: if you don’t use subtitles (I don’t and never have), then this is a total non-event. If you are an end user who is “technologically challenged” you will no doubt have panicked, updated – got the lovely rushed-out useless patch (17.2 – hey, mistakes happen, but still…) and then had to install another patched version (17.3). Having fun?

Would you have rushed to do this had it been properly explained that this was a theoretical hack? It wasn’t actually discovered “in the wild”; the security investigators stated:
By carefully crafting a subtitles file they claim to have managed to take complete control over any type of device using the affected players when they try to load a video and the respective subtitles

The emphasis was on “claim to have managed to take complete control” – they are doing what good security researchers do, finding ways that code can be vulnerable to exploitation. So please don’t think I am having a dig at these guys, far from it. Their hack wasn’t actually being used – and I have trawled various, er… “information sites” looking for examples of this being done “in the wild”.

Full story of this vulnerability here; Subtitles hack
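The post above does not describe the mechanism of the subtitle-zip flaw, only that the affected players mishandle downloaded subtitle archives. As a defender’s illustration of the general hardening for any add-on that unpacks an archive it fetched from the network, here is an added example (not Kodi’s code, not the researchers’ code, and not the 17.2/17.3 patch): every entry of the zip is validated to stay inside the destination directory, to carry an expected subtitle extension and to stay under a size cap, before a single byte is written. The extension list, size cap and sample archives are constructed assumptions.

```python
"""Added example: hardened extraction of a downloaded subtitle zip.

Constructed illustration, not Kodi's own code or patch. It shows the general
defence for any add-on that unpacks archives fetched from the network: all
entries are validated first, and only then written, so a bad entry late in the
archive cannot leave a partial extraction behind.
"""
import io
import os
import tempfile
import zipfile

# Assumption: typical subtitle formats a player would accept.
ALLOWED_EXTENSIONS = {".srt", ".sub", ".ass", ".ssa", ".vtt"}


class UnsafeArchiveError(Exception):
    """Raised when an archive entry escapes the destination, is not a subtitle, or is too big."""


def _safe_entry_path(dest_dir, member_name):
    """Return the on-disk path for member_name, or raise if it would escape dest_dir."""
    dest_root = os.path.realpath(dest_dir)
    # Zip entries may use '/' or '\\'; normalise, then reject absolute and drive-letter paths.
    normalised = member_name.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        raise UnsafeArchiveError("absolute path in archive: %r" % member_name)
    candidate = os.path.realpath(os.path.join(dest_root, normalised))
    # realpath collapses any '..' components, so a traversal ends up outside dest_root.
    if candidate != dest_root and not candidate.startswith(dest_root + os.sep):
        raise UnsafeArchiveError("path traversal in archive: %r" % member_name)
    return candidate


def extract_subtitles(zip_bytes, dest_dir, max_entry_size=2 * 1024 * 1024):
    """Extract subtitle files from zip_bytes into dest_dir; return the written paths.

    The whole archive is rejected (nothing written) if any entry escapes dest_dir,
    has an unexpected extension, or decompresses to more than max_entry_size
    (a constructed cap; the header's file_size is not trusted, the data is read).
    """
    staged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = _safe_entry_path(dest_dir, info.filename)
            if os.path.splitext(info.filename)[1].lower() not in ALLOWED_EXTENSIONS:
                raise UnsafeArchiveError("unexpected entry type: %r" % info.filename)
            with archive.open(info) as src:
                data = src.read(max_entry_size + 1)
            if len(data) > max_entry_size:
                raise UnsafeArchiveError("entry too large: %r" % info.filename)
            staged.append((path, data))
    for path, data in staged:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as dst:
            dst.write(data)
    return [path for path, _ in staged]


def build_zip(entries):
    """Build an in-memory zip from {name: bytes}; constructed test-data helper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Run three constructed archives through extract_subtitles and report outcomes."""
    dest = tempfile.mkdtemp(prefix="subs-")
    results = {}
    good = build_zip({"movie.srt": b"1\n00:00:01,000 --> 00:00:02,000\nHello\n"})
    results["good_written"] = [os.path.basename(p) for p in extract_subtitles(good, dest)]
    for key, archive in (
        ("traversal_rejected", build_zip({"../evil.srt": b"x"})),
        ("script_rejected", build_zip({"movie.py": b"print('not a subtitle')\n"})),
    ):
        try:
            extract_subtitles(archive, dest)
            results[key] = False
        except UnsafeArchiveError:
            results[key] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the two-pass shape is that validation failure happens before any write, so a user who loaded a hostile subtitle archive ends up with an error and an empty directory rather than a file placed wherever the entry name pointed.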

Older Boxes & HTTPS Streams

I also want to draw attention to the second part of this message, that “older versions of Kodi don’t support HTTPS streams anyway” – though they fail to mention you can use forks such as FTMC (also now patched for the subtitle flaw), CEMC and SPMC (Python updated). This post again says “You are at serious risk of being hacked” (not true) but also alludes to HTTPS issues;

Kodi Forks with Patched HTTPS Python updates. These forks are all available on Ares Wizard under browse add-ons

I do note that within hours of posting about this issue AGAIN, they also posted about FTMC being available for older boxes. It’s based on Jarvis but, importantly, has been HTTPS patched (the Python modules have been updated to allow compatibility with newer HTTPS encoding).

Also take note, this FTMC will run fine on ANY box with at least Android 4.4.2 – I use this on my Samsung Note 5 and my FireTV box (alongside SPMC beta) – more here What the FORK to do?

This misinformation campaign is then reinforced via others on social media, and when you speak up and present FACTS, you get abuse or bad advice like this, as shown below. No mention of forks, which are widely and readily available for devices from 4.2.2 upwards, just bad information (and abuse – but you don’t need to see the rest of this little rant or his abuse on Twitter!).

You may understandably think twice before commenting against bad advice. Sadly that’s how this bad info is allowed to propagate and become normalised. Anyone speaking up will be abused or have lies told about them. Same old schoolboy tactics: no facts, no information, just childish name-calling.

Misleading Information

So this looks like a “bash TVA” campaign; it’s not. The TVA “collective” brings a lot of content and some brilliant add-ons that we all use. However, bad advice and bad information don’t change regardless of their source. Every blogger and tuber is pumping out this same misleading, twisted-up rubbish. Upgrade, upgrade, the sky is falling in! They are using the information from a “trusted source”, that being TV Addons, and twisting it up, although admittedly there is not much twisting to be done with these two threads of bad and incomplete information.

The box sellers they claim to despise are really earning easy money now as older box owners panic-buy new devices, often very poor quality or clones – you only have to spend a few days on Facebook to see users with all kinds of problems with devices. You CAN keep older devices and use the numerous forks without any issues, and with no increased security risk.

Security Risk?

It seems a little ironic that we are advised by TVA as to the dire security risk of a zero-day exploit when the only publicly known security risk came from their biggest and most popular add-on, Exodus.

This article was censored in response to a request from TVA – Exodus DDOS bot, which led Lambda to quit the add-on. I will say that whilst it’s easy to understand the sentiments and emotions behind his actions, you cannot condone using innocent users as cannon fodder in this fight against copy ’n’ paste merchants. Educate the users as to the security risk of using such code – but to do that, you need to make people aware of how insecure Kodi is.

I don’t want to keep going over old ground, but when such bad advice is given, it’s hard not to refer back to the history of exploits and “malicious code” exploits.

Kodi Add-on Exploit Explained

Kodi is very open and vulnerable to being exploited due to the nature of how add-ons are “plugged in” to the media player: an add-on is ordinary code that runs with the same access as Kodi itself. Most users are just not aware of how insecure Kodi actually is.

It’s actually very simple to install a separate piece of code to exploit your device. This can easily be disguised as a normal update, pull in the “hack code” and then update the add-on again to remove any trace of the exploit method. This method is explained via the link below and uses Genesis to deliver the payload.

I want more people to understand this, so they stop installing add-ons from copy-and-pasters, who can easily use the “feverish pursuit of better” add-ons to get their viewing fix. How can they be better? They copied the code you already have – Exodus, Genesis, Bob, Phoenix etc. – and just changed the pics/name. Why go to all that trouble? Have a think about it, people.

Read how you can use an add-on on Kodi to hack any device and take control. This isn’t the only method, but it is one written by an experienced security researcher, which should give it credibility.

Source: How to hack kodi
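The pattern described above (an add-on update that fetches code not present in the package you installed, runs it, and is then replaced by a clean version) leaves traces in the add-on’s Python sources while it is live. As an added defender’s example, not Kodi’s tooling and not anything from the linked write-up, here is a small static review that parses an add-on’s .py files with the standard ast module and reports the building blocks of that pattern: dynamic code execution (exec, eval, compile, __import__), shell or subprocess use, and decoding of opaque blobs (base64, marshal, pickle, zlib). The two sample add-ons at the bottom are constructed; a hit is a reason to read the code, not proof of malice.

```python
"""Added example: static review of a Kodi add-on's Python sources.

Constructed illustration, not Kodi's own tooling. review_addon() takes
{relative_path: source} and returns (path, line, reason) tuples for constructs
that let an add-on run code that is not visible in the reviewed package.
Note: Kodi 17-era add-ons are Python 2; sources that do not parse as Python 3
(e.g. `exec "..."` statement form) are reported as unparseable so they still
get a human look rather than silently passing.
"""
import ast

DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
# (module, attribute) pairs worth a second look in a media-player add-on.
RISKY_QUALIFIED = {
    ("os", "system"), ("os", "popen"),
    ("subprocess", "call"), ("subprocess", "Popen"),
    ("subprocess", "run"), ("subprocess", "check_output"),
    ("base64", "b64decode"), ("marshal", "loads"), ("pickle", "loads"),
    ("zlib", "decompress"), ("ctypes", "CDLL"),
}


def _qualified_name(node):
    """Return 'a.b.c' for an Attribute chain rooted at a Name, a bare name, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class _Finder(ast.NodeVisitor):
    def __init__(self, filename):
        self.filename = filename
        self.findings = []

    def visit_Call(self, node):
        name = _qualified_name(node.func)
        if name in DYNAMIC_EXEC:
            self._flag(node, "dynamic code execution via %s()" % name)
        elif name and "." in name:
            head, _, tail = name.rpartition(".")
            if (head, tail) in RISKY_QUALIFIED:
                self._flag(node, "risky call %s()" % name)
        self.generic_visit(node)  # keep walking: arguments may themselves be calls

    def _flag(self, node, reason):
        self.findings.append((self.filename, node.lineno, reason))


def review_addon(sources):
    """Review every file in sources ({path: python_source}); return sorted findings."""
    findings = []
    for path, source in sources.items():
        try:
            tree = ast.parse(source, filename=path)
        except SyntaxError as exc:
            findings.append((path, exc.lineno or 0, "unparseable source (Python 2 or obfuscated?)"))
            continue
        finder = _Finder(path)
        finder.visit(tree)
        findings.extend(finder.findings)
    return sorted(findings)


# Constructed sample add-ons (not real Kodi add-ons).
BENIGN_ADDON = {
    "default.py": (
        "import json\n"
        "def list_items(raw):\n"
        "    return [item['title'] for item in json.loads(raw)]\n"
    ),
}
SUSPICIOUS_ADDON = {
    "update.py": (
        "import base64\n"
        "import urllib.request\n"
        "def apply_update(url):\n"
        "    blob = urllib.request.urlopen(url).read()\n"
        "    exec(base64.b64decode(blob))\n"
    ),
}

if __name__ == "__main__":
    for label, addon in (("benign", BENIGN_ADDON), ("suspicious", SUSPICIOUS_ADDON)):
        print(label, review_addon(addon))
```

Run it over the unpacked contents of an add-on zip before installing it, or over the add-on directories of an existing install after an update you did not expect. Parsing with ast rather than grepping means string literals and comments containing the word “exec” do not produce noise, and the visitor still catches a risky call nested inside another call’s arguments.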

Summary

The reason for covering this isn’t to say *don’t* upgrade, but to educate you with enough information so you can make an informed decision. Then it’s your choice, and your choice only, if you decide on a new box, not that of fear mongers or tubers scaring you about the security of your device. Kodi is very insecure and easy to exploit anyway, and you need to understand that.

It’s not just Kodi that’s insecure; the current trend for installing IPTV APKs/apps from all over the place exposes you to “hack risks”. So be careful where you get them from: it’s very easy to add additional “payloads” and post these on social media. We have a section on Ares Forum (APKS) that has checked sources to help reduce the risks.

Owners of older devices still have options; most of these supposedly “obsolete” boxes are more than powerful enough to run Kodi without breaking a sweat. The games on Ares Wizard were tested on “old m8s” devices to ensure that most people could use them – if they chose to. You can use the forks via Ares Wizard (under Browse Add-ons) or direct downloads via the Kodi Forks & Apps page.

I hope we can move to an informed way of delivering information and not scaremongering or ill-informed opinions.