Revelation: these pirate IPTV boxes “invulnerable to blocks” expose thousands of homes to hackers and lawsuits
EVPAD 10P: attractive packaging for a device that transforms its buyers into unwitting distributors of pirated content and potential targets of cyberattacks. © Les Numériques / EVPAD
SinceAmazon has toughened its tone on misused Firestickssome are turning to alternatives manufactured directly in China. Among them, EVPAD boxes are a benchmark. For a few dozen euros and a subscription “for life”these devices running Android 7.0 promise films, series and live sports, all allegedly escaping the blocking devices deployed by the rights holders.
Advertisement
The Premier League, the Motion Picture Association and other rights holders have also classified them as priority threats in their annual reports to the US Trade Representative.
A team from Korea University therefore decided to examine two specific models, the EVPAD 3p and EVPAD 10p, to understand how their closed ecosystem actually worked. Their findings, published in an academic study accessible from sources, reveal an architecture that is much more devious than the simple client-server streaming touted by resellers.
A P2P hybrid that betrays its buyers
These boxes IPTV don’t just passively distribute content. After initial authentication with centralized servers that provide content listings and updates, devices join a peer-to-peer network operating on the same principles as BitTorrent. Concretely, whoever watches a film simultaneously downloads and uploads fragments to other members of the network. The received idea that “streaming protects better than torrenting” collapses instantly.
Advertisement
The EVPAD 10P box, sold for €150 on AliExpress with its “lifetime” subscription, hides critical vulnerabilities identified by researchers. © Aliexpress
For live streaming via the StarLive application, the libtvcore library establishes connections between boxes to distribute TV streams in real time. On the video-on-demand side with StarVod, the system retrieves XOR-encrypted torrent files, decrypts them, then queries a tracker to obtain the list of available peers. At the same time, HTTP servers serve as backup CDNs. The researchers were able to manipulate category identifiers to extract the entire catalog: 24,934 video contents, including 1,052 films and series in the “Nflix” category alone.
This hybrid architecture certainly complicates blocking, but it destroys any pretension to anonymity. Each EVPAD owner becomes a de facto unauthorized distributor of protected content, with all the legal implications that this entails. Unlike traditional streaming where only the download can be documented, here we actively share, which constitutes a much more serious offense in the eyes of the law.
EVPAD 3Plus 6K: behind the marketing promises (8 cores, WiFi, 6K), an Android box delivered with security flaws straight from the factory. © Screenshot Amazon UK
Advertisement
Gaping holes in a house of cards
Even a single, carefully crafted TCP packet is enough for an individual to trigger a service shutdown on a remote peer device. This drastically lowers the threshold for potential abuse, since no significant bandwidth or coordinated effort is required.
Researchers have identified two major vulnerabilities. The first allows authentication to be bypassed by emulating a legitimate box via NoxPlayer, opening the way to infinite replication of paid access. The second is blood-curdling: a single TCP packet is enough to cause the instant disconnection of a remote device. The study puts it bluntly: “Even a single, carefully crafted TCP packet is enough for an individual to trigger a shutdown of the service on a remote peer device. This drastically lowers the threshold for potential abuse, since no significant bandwidth or coordinated effort is required.”
Behind this refined Android interface hides a system that transforms each viewer into an involuntary distributor of pirate content. © YouTube Screenshot
Beyond the risks associated with sharing protected content, the security implications go far beyond the scope of audiovisual piracy. EVPADs come pre-installed with root permissions enabled, with no restrictions on installing packages from third-party sources. During the installation process of StarLive and StarVod applications from a third-party site, everything happens without interaction or explicit permission. Researchers found that the system setting allowing installation from non-Market sources was enabled at the factory, allowing universal sideloading.
A powerful botnet delivered turnkey
Even worse: SELinux runs in permissive mode, where policy violations occur without being enforced, and there is no mechanism to verify the integrity or authenticity of system updates. The researchers explicitly raise the specter of the Mirai botnet, which at its peak generated approximately a terabyte of malicious traffic with 145,000 compromised devices.
How to turn 131,000 IPTV boxes into an army of digital zombies: the attack pattern identified by South Korean researchers shows that a simple falsified URL is enough to compromise the entire EVPAD network. © USENIX, Korea University study, 2025
With just 17,000 EVPADs infected, they estimate that we could reach 0.12 terabytes of hostile traffic. The study identifies 131,175 active devices across 116 countries and 78 operational servers in the United States, Japan, Singapore and Hong Kong.
The verdict is clear: “Even if malicious intent is not the primary motive, the lack of commitment to security on the part of these illegal operators places people in a vulnerable position, making them susceptible to attack.” In other words, those who thought they could cleverly circumvent geographic blocks find themselves with a potential Trojan horse plugged directly into their home network, which can be exploited remotely by any cybercriminal with a minimum of technical skills.
Advertisement
Want to save even more? Discover our promo codes selected for you.
