Entertainment Security

7 Security and Privacy Issues to Consider With a Kodi Media Box

Dan Price 15-11-2016

As more and more people make the decision to cancel their cable TV packages and cut the cord Should You Cut the Cord or Keep Your Cable TV? If you're still holding on to your cable subscription, but are debating if its time to make a change, we're here to help. This guide should help you make your mind up. Read More , Kodi continues to grow in popularity.


Along with Plex, the software is one of the two biggest players in the sector 5 Alternatives to Windows Media Center for Windows 10 Windows 10 will offer many new features, but some old favorites will be deprecated. The Windows Media Center will no longer be supported. Here are alternative media center application compatible with Windows 10 to take... Read More . There are some fundamental differences between the rivals, but if you’ve made the decision to go “TV-free”, you won’t get far unless you’ve got at least one of the two apps installed.

Kodi has some fantastic benefits, but it’s not all plain sailing. There are lots of associated security and privacy issues that impinge on your usage.

In this article, I’m going to explain seven Kodi-based security problems you need to be aware of.

1. Man-in-the-Middle Attacks

A Man-in-the-Middle (MitM) attack What Is a Man-in-the-Middle Attack? Security Jargon Explained If you've heard of "man-in-the-middle" attacks but aren't quite sure what that means, this is the article for you. Read More is when a hacker intercepts, relays, and alters the communications between two parties, thus controlling the entire conversation. The affected parties continue to believe they are talking directly with each other.

It’s a common method for distributing malware, though most cryptographic protocols now include a form of endpoint authentication to try and prevent them.


Within Kodi, MitM attacks have targeted the app’s add-ons.

When an updated version of an add-on is found, it’s automatically downloaded and installed. The user only sees a pop-up notification confirming completion. Kodi’s process for finding new updates simple: in layman’s terms, if Kodi detects the add-on’s local MD5 file is out-of-date, it tries to download a new one.

Worryingly, the entire update process is done over HTTP with no encryption. Therefore, a hacker who has intercepted the network traffic can send a random MD5 file when Kodi requests the update.

2. Outdated Add-Ons

The problem of outdated add-ons exacerbates the threat of a MiM attack.


According to some estimates, as much as 25% of all repositories are either dead, dormant, or have outdated content. But as mentioned above, Kodi doesn’t know these add-ons and repositories are dead. Unless you manually remove them from your system, Kodi will keep trying to download updates.

These are ripe for MiM attacks. It’s very easy for the hackers to find a dead repository and hijack thousands of devices as a result.

The only way to find outdated add-ons is to either read the log (complicated) or regularly check the add-on’s portal (time-consuming).

As always, the implications are wide-ranging and potentially severe. Hackers could clone personal information, steal passwords, and even instigate a complete takeover of your machine.


Kodi Add-ons

3. Malware in Add-Ons

Add-ons let you access services Make TV More Social With These XBMC Add-Ons Who says watching TV is anti-social? Add-ons can bring Facebook photos, live Tweets and more to your XBMC setup. Read More like YouTube and Dropbox through your Kodi app. They’re also a cord-cutter’s dream — they let you (often illegally) stream live TV, access movie libraries, and obtain other free video content.

Given their nature, it’s unsurprising that some of the add-ons have a suspect provenance. None of them are official.

Unfortunately, a rogue add-on can be just as serious as a regular computer virus. As one of Kodi’s senior developers recently said, “Add-ons can contain anything from weird code sniffing your device to infected ZIP files.”


You can help protect yourself by only using whitelisted add-ons from the official Kodi repository, but official add-ons don’t include any of the popular TV, movies, and sports content. People who want to access that type of content will continue to be affected.

4. ISP Tracking

We don’t condone using Kodi to watch illegally obtained content How To Stream Live TV To Your XBMC Watch live, streaming TV on your XBMC media center – without a cable subscription. Here are some add-ons worth checking out. Read More , but the reality is lots of people who use the app do so for this purpose.

If you live in the United States and you use Kodi in this way, you can expect a threatening letter from your ISP. They routinely monitor all your web traffic and have recently taken a particularly dim view of people who bootleg TV and movie content on Kodi.

Comcast Alert

At this stage, no one really knows what happens after you received the letter. Could you be cut off? Are they passing the information on to other government agencies? Your guess is as good as ours.

5. Pre-Loaded Kodi Boxes

Kodi can be difficult to set up for a novice, and there’s now a booming market in pre-loaded Kodi boxes. A cursory look at Twitter during big NFL or Premier League games reveals how widespread the problem is.

The boxes typically run on Linux, Android, or the Chrome operating system; Amazon Fire sticks are also available, ready to plug-and-play with your TV.

As Kodi highlighted in a blog post, these are dangerous in two ways:

  1. Financial Loss — They are often being set up by people who have no intention of providing a stable and working box. They just want to make a quick buck.
  2. Piracy — The content on the pre-loaded boxes is often touted as being totally legal. It’s not. If you want to pirate content, you should do so at your own risk. You shouldn’t be doing it accidentally because someone duped you.

Don’t buy pre-loaded boxes. Take the time to learn the ropes and set up your own box to your own specifications.

6. Kodi Watched Status Logging

I’ve covered five security issues to be aware of, but what about privacy issues that lie closer to home?

One issue is Kodi’s Watched Status Logging. It marks every video you’ve watched with a tick. It theoretically makes it easy to pick up where you left off with a TV series or movie.

Kodi Watched Status Logging

Sounds great, but it comes with privacy issues. It’s not going to steal your passwords or compromise your network — but it could get embarrassing. Do you really want your teenage daughter to know you’re a Gilmore Girls addict?!

Thankfully, disabling it is easy. Due to the number of different skins in use, there is no one-size fits all solution — but you’ll always be able to find the option within the skin settings.

7. Database Remnants

Kodi keeps a record of every single video you’ve ever watched on the app. It doesn’t matter if you deleted the source video, removed the repository, or the add-on stopping working. Every item is dutifully logged in the video database.

Of course, this is a privacy issue. There is nothing in the app that can clean out the database. There is a “Clean Library” button, but it will only work with content that has been added to the Media Library.

Some Kodi fanatics have taken steps to address the problem. They’ve released an add-on called “Database Pre-Wash Scrub“. It’ll clean-up the video database by removing references to old paths and files which are no longer listed in the app’s sources.

Kodi Database Scrub

The add-on is still in beta, so use at your own risk.

What Issues Concern You?

I’ve shown you seven security and privacy concerns you need to be aware of, but there are more.

I’ve love to know what concerns you about using Kodi? Were you aware of these issues? Most importantly, I’m keen to learn what steps you take to stop yourself being affected by them?

You can leave your thoughts and suggestions in the comments box below.

Related topics: Online Privacy, Online Security, XBMC Kodi.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Doc
    November 17, 2016 at 1:52 pm

    "...detects the add-on’s local MD5 file..." MD5 isn't a file, it's a file *hash*.