You use protection, right?
No, not that type of protection, although I guess the analogy would still apply.
You lock your doors at night. You buckle your seatbelt before you drive. You wear a helmet when riding a bike.
We take precautions to make us safe at home and on the road. But what about our streaming? Is Kodi safe? If you’re reading this, then you probably use Kodi or one of the popular XBMC forks to watch your content. Let’s look at why we need to think about security, to make Kodi safe, and more importantly, keep everything else on your home network safe.
Update: If you want to learn how to protect your streaming player against ransomware and an Android TV box virus attack, then read “Is your streaming device a target for an Android TV box virus?”
Why should you care about Kodi security?
Let me be blunt.
You need to care about security because no one else will.
Not Team Kodi. Not the addon devs. Not the company that manufactured your TV box. When it comes to keeping Kodi safe, or keeping XBMC safe if you have an older version, you are on your own.
Team Kodi recently published an official blog post about security.
And that’s great. Kudos to them. I love it when companies shine a spotlight on their product’s security. That shows responsibility and concern for your customers. It’s just good business.
But what they said pissed me off.
That image was pulled right from the article on the official Kodi blog. While I’m all for advocating common sense, this is just insulting, especially for new Kodi users.
The last time I checked, a company isn’t supposed to insult its fans and customers. Even if those customers aren’t paying you directly, they’re the ones that are keeping your project running.
Maybe I’m missing a joke here, or just being sensitive. It happens sometimes. So just this once, I’ll let it slide and write it off as being a poor choice of words.
Setting the obnoxious image aside, using a little common sense is a good thing, right?
Well…sure. But when you also look at the security discussions in the official forums, you get a much clearer picture of why this pissed me off.
The Kodi developers have been warned about security issues in the past on several occasions, as far back as 2012. NoobsAndNerds recently wrote a detailed post about some severe security vulnerabilities in Kodi, and even created a security-based addon for their repository.
That’s not what upsets me. Every piece of software will have security flaws.
What pissed me off even more is the reaction of official Team Kodi members when they’ve been informed about them.
Any XBMC user that has XBMC directly exposed on the net is a fool.
Ouch. Tell us how you really feel.
Team Kodi has long had the reputation of being hard on newbies, casual users, or almost anyone that wasn’t one of their team of developers. Sometimes they even fight among themselves. Kodi has been called a “power users tool” (toy?) by respected members of the community.
Just “check the source code” to see if the developer has anything to hide.
Check the source code??????
But it gets better:
Whilst I fully understand what a malicious add-on could do, you cannot police people’s stupidity and naïvety. It’s up to the user to decide whether or not to install something and no matter how many warnings you give and how many hoops you make them jump through to do it, they will still install it. You can’t have freedom of choice in a closed eco-system. Kodi offers a lot of freedom to do with it as you want and I personally don’t want that to change because of a minority of idiots.
Kodi has taken a “hands off” approach to security. They expect… no, they require their users to take complete responsibility for the ins and outs of their Kodi installation.
That’s not good enough.
I want to be crystal clear on this part. Both the Official Kodi post and the NoobsAndNerds posts (both linked above) highlight real threats to Kodi security. I’m glad they were published, but I think they don’t go far enough into explaining it for regular users.
You know, like you and me.
So what’s the risk?
Even if you’re just using Kodi for streaming movies, you still need to worry about keeping it secure.
What’s the risk?
A rogue addon can be just as dangerous as a computer virus.
As Martijn, one of the senior members of Team Kodi says, addons “can contain anything from weird code sniffing your (device) to infected .zip files.”
Over the past few months, we’ve already seen fallout from third-party addons that delete content from other developers, and other well-known developers accused of introducing viruses in their builds. We’ve also seen fallout over paid Kodi addons and IPTV subscriptions that are accused of much worse.
In fact, TVAddons thought the problem was so serious that they posted a very strongly worded warning to their developers to stop using malicious code in their addons. Hopefully, you picked up on my sarcasm in that statement. Another “response” that doesn’t go nearly far enough.
To their credit though, they threatened to ban any addon found to tamper with a users system or Kodi installation. However, instead of getting the word out to as many people as possible, they hid behind their forums and private messages:
If you’re an end user and have reason to be concerned about a specific addon, please feel free to send a private message to any of our staff members at our discussion forums so that they can check it out. Please refrain from posting publicly about this type of concern, as we prefer to prevent the spread of misinformation, unfounded witch hunts and the publicity of potentially malicious addons.
That makes so much more sense!
Why would we want the public to actually know about potentially malicious addons?
Is there a Kodi Virus or XBMC virus?
The security world has lots of different definitions for security threats: virus, malware, spam, spoofing, phishing, spyware, adware, ransomware, worm… and so on, and so on.
Most end users, like you and me, will simply lump these all into the category of “virus”, because that’s what we’re used to. However, it’s important to note that there is a distinction in each of these terms.
Thankfully, there’s nothing that can specifically be called a “virus” affecting Kodi. But that doesn’t get us off the hook. A virus is arguably the most notable malware that can affect your system, but it’s far from the most dangerous.
Even though there’s no such thing (yet) as a Kodi virus or XBMC virus, malicious addons can wreak havoc with your system and anything else on your home network.
How? Keep reading.
Why isn’t Kodi safe?
One of the more common questions I get is “Is Kodi safe?” or “Is XBMC safe?” For the most part, it’s the same question, although there are some specific XBMC concerns which I’ll list at the end of this section.
Depending on how you use Kodi, it could be relatively safe or riddled with security flaws. It depends on you.
To illustrate, let me run through a scenario with you. You’ll see just how easy it is to do some serious damage to not only your Kodi box, but to everything on your entire network.
Your Video Library
I’ll bet that somewhere on your network there’s a hard drive folder with some videos that you want to watch on different devices like your tablet or laptop. It may be on your PC, or on a Network Attached Storage (NAS) device like an external hard drive connected to your router.
Having them in one central location makes it easier to access from anywhere. Because it’s easier to have them on one drive, that’s what Kodi recommends you do. Kodi even recommends that you use Universal Plug and Play (UPnP) because it’s the “easiest way to share a library”, even though Homeland Security strongly advised against it back in 2013.
When you install and configure Kodi, you’ve probably told it where to find that file folder, right? After all, Kodi is a media player, so if you’ve played any video from any other device on your network, Kodi now knows how to access that library folder, including what username and password to use (if any) and what folders are on that particular file share.
Unofficial Streaming Sources and Repositories
Maybe you don’t have a media library set up on your network. I mean…why not? But, let’s assume for this example that you only stream your content.
So…your Kodi box still sits on your home network so you can use the same Internet connection that your PC uses. But, you stream all of your content, so you don’t have any Kodi video libraries set up.
Kodi has an Official Kodi Repository that includes over 1000 different addons for adding various functionality to your Kodi installation. These addons are vetted by Team Kodi, so they are “guaranteed” to be safe. In general, if you install something from there, you can be as sure as you can be that it won’t mess up your system.
But…not every addon is listed in the Official Kodi Repository. Many, and I’d think it’s fair to say most, of the most popular addons are added from sources other than the official repository.
Some are excellent quality and for whatever reason they don’t get submitted to and included in the official repo. To be clear, there are many reasons why good quality, legal addons wouldn’t make it into the official repository. But, if you’re looking for any of the more popular addons like Exodus, Phoenix or SportsDevil, you won’t find them there.
Configuring Kodi from scratch is hard. So, you used one of those builds which install a bunch of different addon repositories. It’s simple, right? More choices is better, right?
Well, a good chunk of those repositories aren’t being used anymore. Think of TV Time or Genesis as examples, although there are literally hundreds of addons that were once extremely popular but have fallen by the wayside. Estimates are that up to one quarter of all repositories are sitting dormant or have outdated content.
Unless you manually remove each repo and addon from your system, your Kodi box will keep trying to get updates from that source.
Every time that Kodi asks for an update it exposes the device to something called a “Man-In-The-Middle” attack. This is where a hacker would intercept the update request from Kodi and replace the code it’s looking for with something else. In theory, they could gain access to anything and everything that your Kodi box can see and do.
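One defender-side check that follows from the last two paragraphs, written as an added example and not code from this post or from Team Kodi: read the addon.xml of every installed repository addon and flag update, checksum and download URLs that Kodi would fetch over plain http, where anyone on the path could swap the served content (the md5 checksum comes from the same place, so it does not help when both are fetched without TLS). The addon.xml layout is assumed to match what Kodi repository addons use, and the repository ids and the example.invalid host are constructed samples.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample repository definitions in the addon.xml layout that
# Kodi repository addons use (assumed layout; example.invalid is not a real host).
SAMPLE_REPOS = {
    "repository.oldbuild": """<addon id="repository.oldbuild" name="Old Build Repo" version="1.0.0" provider-name="someone">
  <extension point="xbmc.addon.repository" name="Old Build Repo">
    <info compressed="false">http://example.invalid/repo/addons.xml</info>
    <checksum>http://example.invalid/repo/addons.xml.md5</checksum>
    <datadir zip="true">http://example.invalid/repo/</datadir>
  </extension>
</addon>""",
    "repository.tidy": """<addon id="repository.tidy" name="Tidy Repo" version="2.0.0" provider-name="someone">
  <extension point="xbmc.addon.repository" name="Tidy Repo">
    <dir>
      <info compressed="true">https://example.invalid/tidy/addons.xml.gz</info>
      <checksum>https://example.invalid/tidy/addons.xml.md5</checksum>
      <datadir zip="true">https://example.invalid/tidy/</datadir>
    </dir>
  </extension>
</addon>""",
}

UPDATE_TAGS = ("info", "checksum", "datadir")

def audit_repo(addon_xml: str) -> dict:
    """Return the repo id, its update URLs, and those fetched without TLS.
    The md5 checksum is served from the same place as addons.xml, so when both
    come over plain http an on-path attacker can rewrite both consistently."""
    root = ET.fromstring(addon_xml)
    urls = [el.text.strip() for el in root.iter() if el.tag in UPDATE_TAGS and el.text]
    plaintext = [u for u in urls if urlparse(u).scheme != "https"]
    return {"id": root.get("id"), "urls": urls, "plaintext": plaintext}

def audit_all(repos: dict) -> list:
    """Audit every repository definition and keep only those with plaintext URLs."""
    return [r for r in (audit_repo(x) for x in repos.values()) if r["plaintext"]]

def load_installed(addons_dir) -> dict:
    """Read addon.xml of every repository.* addon under a Kodi addons folder."""
    return {p.parent.name: p.read_text(encoding="utf-8")
            for p in Path(addons_dir).glob("repository.*/addon.xml")}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_REPOS):
        print(f"{f['id']}: {len(f['plaintext'])} update URL(s) fetched over plain http")
        for u in f["plaintext"]:
            print("   ", u)
```

To audit a real box, pass the result of `load_installed("~/.kodi/addons")` (expanded to the user's home) to `audit_all`; any repository that is flagged or that no longer answers is a candidate for removal from the addon manager.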
In many cases, Kodi runs in a “sandbox”, or a little walled-off area inside your device’s operating system. By design, this minimizes the amount of things that Kodi can access.
People are convinced that rooting your device is cool.
What is rooting? Briefly, rooting (Android) and jailbreaking (Apple) are the same concept. We just use different terms depending on which OS you have. You are accessing the base level of the operating system in order to make it do everything that it can possibly do. It gives you access to all of the settings in your OS, even the ones that are normally hidden by default. It also lets you run any app you want, because you’ve bypassed the security that only lets apps run on devices that they’re compatible with.
Wait…did I just say “bypassed security?”
Android.com recently warned of severe security vulnerabilities that can occur by using a rooting app on your device. Samsung has long been an opponent of rooting as well. According to Gartner research back in 2014, an estimated 75% of all security issues started because rooting the device left it open to security flaws.
What does that mean in the Kodi world?
Well, for starters, I recommend avoiding those configuration apps that automatically set up Kodi for you. Many of them require that your device be rooted so they can access your files and set up the installation however they choose.
Does that sound safe to you?
Koying, one of the most respected Team Kodi developers, and the former lead developer for Kodi on Android had this to say:
From an android perspective, now is a good time to think again before rooting your device. Everybody can implement all the security in the world, if users bypass them purposedly (sic), it’ll be pointless.
What about XBMC? Is XBMC safe?
Maybe you don’t run the latest version of Kodi at all. Maybe you’re using one of the custom XBMC forks because that’s what the manufacturer installed on your TV box. They say it has “tweaks”, “extra features” and “performance enhancements” so that you can get the most out of your device.
But, it also doesn’t have the support of the entire team of Kodi developers on an ongoing basis.
Team Kodi may be slow to respond to security issues in some cases, but they still do respond. Can the same be said of whatever company you bought your device from?
I always recommend that you install the official version of Kodi, OpenElec, or SPMC, rather than using a custom XBMC installation that came pre-loaded on your TV box. That was one of the first hard lessons I learned when joining the Kodi community.
Where does the responsibility lie?
That’s the question of the day: Should Team Kodi be responsible for securing unofficial addons?
People get passionate about this one way or another. Some people don’t believe in holding Team Kodi accountable for something that they “can’t control.” After all, these addons aren’t made by Team Kodi developers, so why should they have to make sure that they don’t break your system?
My response to that is because they created the program that enables these addons to break your system.
A user doesn’t care where the addon came from. Whether that addon came from the official repository or some third party repository, it is still Kodi that it runs on.
Security vulnerabilities from unofficial addons are every bit as much Team Kodi’s responsibility as those that are in their own official repository.
The core Kodi software is designed to give complete freedom to anyone who uses it or programs for it. It is designed not to be secure because they expect the end-users to be fellow programmers, just like the people who created it.
Kodi has outgrown that philosophy, though.
Right now the Kodi reputation is synonymous with piracy.
If you don’t believe me, open a new tab in your browser right now and Google the word “Kodi.” Once you get past the official page and the Google Play store listing, the majority of the results will list some sort of YouTube video or “Top 10…” list of Kodi addons that get you free content that you would otherwise have to pay for.
Piracy’s not the issue here, though. I couldn’t care less about piracy. Really.
As Nate Betzen said in his now famous post, piracy box sellers are killing Kodi.
Do we in the community really want Kodi to be synonymous with both Piracy and bad security?
If you’ve been part of the Kodi community for any length of time, you’ve probably seen a lot of infighting between Team Kodi and the addon developers, even between groups of addon devs.
All this fighting is not good for the community, or for the Kodi brand as a whole.
A business survives because of the reputation it is building with its customers, and let’s be clear about something. Kodi (and the XBMC Foundation) is a business. It may be a non-profit full of open-source developers and their supporters, yes. It may “give away” its product for free, yes. They will tell you (often) that nobody receives a salary for their work on the project.
That’s all true.
But Kodi is a product with millions of users worldwide. To me, that means that they have a lot more responsibility for their product than just some developer working on their own.
In my opinion, it’s time the community as a whole held Team Kodi and the Kodi addon devs to a higher standard.
Until then, every user should take a look at beefing up the security on their Kodi boxes.