As more and more people make the decision to cancel their cable TV packages and cut the cord, Kodi continues to grow in popularity.
Along with Plex, the software is one of the two biggest players in the sector. There are some fundamental differences between the rivals, but if you’ve made the decision to go “TV-free”, you won’t get far unless you’ve got at least one of the two apps installed.
Kodi has some fantastic benefits, but it’s not all plain sailing. There are lots of associated security and privacy issues that impinge on your usage.
In this article, I’m going to explain seven Kodi-based security problems you need to be aware of.
1. Man-in-the-Middle Attacks
A Man-in-the-Middle (MitM) attack is when a hacker intercepts, relays, and alters the communications between two parties, thus controlling the entire conversation. The affected parties continue to believe they are talking directly with each other.
It’s a common method for distributing malware, though most cryptographic protocols now include a form of endpoint authentication to try and prevent them.
Within Kodi, MitM attacks have targeted the app’s add-ons.
When an updated version of an add-on is found, it’s automatically downloaded and installed. The user only sees a pop-up notification confirming completion. Kodi’s process for finding new updates simple: in layman’s terms, if Kodi detects the add-on’s local MD5 file is out-of-date, it tries to download a new one.
Worryingly, the entire update process is done over HTTP with no encryption. Therefore, a hacker who has intercepted the network traffic can send a random MD5 file when Kodi requests the update.
2. Outdated Add-Ons
The problem of outdated add-ons exacerbates the threat of a MiM attack.
According to some estimates, as much as 25% of all repositories are either dead, dormant, or have outdated content. But as mentioned above, Kodi doesn’t know these add-ons and repositories are dead. Unless you manually remove them from your system, Kodi will keep trying to download updates.
These are ripe for MiM attacks. It’s very easy for the hackers to find a dead repository and hijack thousands of devices as a result.
The only way to find outdated add-ons is to either read the log (complicated) or regularly check the add-on’s portal (time-consuming).
As always, the implications are wide-ranging and potentially severe. Hackers could clone personal information, steal passwords, and even instigate a complete takeover of your machine.
3. Malware in Add-Ons
Add-ons let you access services like YouTube and Dropbox through your Kodi app. They’re also a cord-cutter’s dream — they let you (often illegally) stream live TV, access movie libraries, and obtain other free video content.
Given their nature, it’s unsurprising that some of the add-ons have a suspect provenance. None of them are official.
Unfortunately, a rogue add-on can be just as serious as a regular computer virus. As one of Kodi’s senior developers recently said, “Add-ons can contain anything from weird code sniffing your device to infected ZIP files.”
You can help protect yourself by only using whitelisted add-ons from the official Kodi repository, but official add-ons don’t include any of the popular TV, movies, and sports content. People who want to access that type of content will continue to be affected.
4. ISP Tracking
We don’t condone using Kodi to watch illegally obtained content, but the reality is lots of people who use the app do so for this purpose.
If you live in the United States and you use Kodi in this way, you can expect a threatening letter from your ISP. They routinely monitor all your web traffic and have recently taken a particularly dim view of people who bootleg TV and movie content on Kodi.
At this stage, no one really knows what happens after you received the letter. Could you be cut off? Are they passing the information on to other government agencies? Your guess is as good as ours.
5. Pre-Loaded Kodi Boxes
Kodi can be difficult to set up for a novice, and there’s now a booming market in pre-loaded Kodi boxes. A cursory look at Twitter during big NFL or Premier League games reveals how widespread the problem is.
The boxes typically run on Linux, Android, or the Chrome operating system; Amazon Fire sticks are also available, ready to plug-and-play with your TV.
As Kodi highlighted in a blog post, these are dangerous in two ways:
- Financial Loss — They are often being set up by people who have no intention of providing a stable and working box. They just want to make a quick buck.
- Piracy — The content on the pre-loaded boxes is often touted as being totally legal. It’s not. If you want to pirate content, you should do so at your own risk. You shouldn’t be doing it accidentally because someone duped you.
Don’t buy pre-loaded boxes. Take the time to learn the ropes and set up your own box to your own specifications.
@Droidsticks I did have kodi on before with another supplier but half the add ons where dead. Removed that and put your wizard on now stuck
— Mark (@mozeruk) May 5, 2015
6. Kodi Watched Status Logging
I’ve covered five security issues to be aware of, but what about privacy issues that lie closer to home?
One issue is Kodi’s Watched Status Logging. It marks every video you’ve watched with a tick. It theoretically makes it easy to pick up where you left off with a TV series or movie.
Sounds great, but it comes with privacy issues. It’s not going to steal your passwords or compromise your network — but it could get embarrassing. Do you really want your teenage daughter to know you’re a Gilmore Girls addict?!
Thankfully, disabling it is easy. Due to the number of different skins in use, there is no one-size fits all solution — but you’ll always be able to find the option within the skin settings.
7. Database Remnants
Kodi keeps a record of every single video you’ve ever watched on the app. It doesn’t matter if you deleted the source video, removed the repository, or the add-on stopping working. Every item is dutifully logged in the video database.
Of course, this is a privacy issue. There is nothing in the app that can clean out the database. There is a “Clean Library” button, but it will only work with content that has been added to the Media Library.
Some Kodi fanatics have taken steps to address the problem. They’ve released an add-on called “Database Pre-Wash Scrub“. It’ll clean-up the video database by removing references to old paths and files which are no longer listed in the app’s sources.
The add-on is still in beta, so use at your own risk.
What Issues Concern You?
I’ve shown you seven security and privacy concerns you need to be aware of, but there are more.
I’ve love to know what concerns you about using Kodi? Were you aware of these issues? Most importantly, I’m keen to learn what steps you take to stop yourself being affected by them?
You can leave your thoughts and suggestions in the comments box below.