Study finds built-in browsers across gadgets often ship years out of date
Web browsers for desktop and mobile devices tend to receive regular security updates, but that often isn't the case for those that reside within game consoles, televisions, e-readers, cars, and other devices. These outdated, embedded browsers can leave you open to phishing and other security vulnerabilities.
Researchers affiliated with the DistriNet Research Unit of KU Leuven in Belgium have found that newly released devices may contain browsers that are several years out of date and include known security bugs.
In a research paper [PDF] presented at the USENIX Symposium on Usable Privacy and Security (SOUPS) 2025 in August, computer scientists Gertjan Franken, Pieter Claeys, Tom Van Goethem, and Lieven Desmet describe how they created a crowdsourced browser evaluation framework called CheckEngine to overcome the challenge of assessing products with closed-source software and firmware.
The framework functions by providing willing study participants with a unique URL that they're asked to enter into the integrated browser in the device being evaluated. During the testing period between February 2024 and February 2025, the boffins received 76 entries representing 53 unique products and 68 unique software versions.
In 24 of the 35 smart TVs and all 5 e-readers submitted for the study, the embedded browsers were at least three years behind current versions available to users of desktop computers. And the situation is similar even for newly released products.
"Our study shows that integrated browsers are updated far less frequently than their standalone counterparts," the authors state in their paper. "Alarmingly, many products already embed outdated browsers at the time of release; in fact, eight products in our sample included a browser that was over three years obsolete when it hit the market."
According to KU Leuven, the study revealed that some device makers don't provide security updates for the browser, even though they advertise free updates.
[...] In December 2024, the EU Cyber Resilience Act came into force, initiating a transition period through December 2027, when vendors will be fully obligated to tend to the security of their products. The KU Leuven researchers say that many of the devices tested are not yet compliant.
[...] The authors put some of the blame on development frameworks like Electron that bundle browsers with other components.
"We suspect that, for some products, this issue stems from the user-facing embedded browser being integrated with other UI components, making updates challenging – especially when bundled in frameworks like Electron, where updating the browser requires updating the entire framework," they said in their paper. "This can break dependencies and increase development costs."
But in other cases, they suggest the issue arises from inattention on the part of vendors or a choice not to implement essential security measures.
While they suggest mechanisms like product labels may focus consumer and vendor attention on updating embedded browsers, they conclude that broad voluntary compliance is unlikely and that regulations should compel vendors to take responsibility for the security of the browsers they embed in their products.
(Score: 5, Funny) by turgid on Sunday December 28, @08:55PM
I'll get my coat...
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 4, Insightful) by ikanreed on Sunday December 28, @11:58PM (2 children)
I, and practically everyone else, have one in my pocket all the time. One in my car is, at the very best possible use, an unnecessary and dangerous distraction.
Other places I don't want a web browser, but I'm forced to have one anyways:
My TV
Election Applications
(Score: 5, Touché) by driverless on Monday December 29, @05:03AM
Don't worry, the code that reports your viewing habits and other interactions with the device back to the vendor will get regular updates and enhancements.
(Score: 2) by Username on Monday December 29, @05:43PM
Just imagine a shower head that needs an LCD touch screen, and has an integrated camera and browser. Want the water on? Find the start button on the LCD...
(Score: 2, Interesting) by Anonymous Coward on Monday December 29, @12:48AM
Just nit-picking, but game consoles actually have a vested interest in ensuring they ship up-to-date browsers with current patches.
You need a kernel exploit to really get into the system, but kernel-level stuff isn't usually accessible from outside. Instead, you need some way to run code on the system to exploit a kernel bug: one of the points of entry is the web browser. Most of the PlayStation jailbreaks start with the web browser, a WebKit (I think) exploit to be able to run custom code in a user-context, to be able to make calls into kernel code.
(Score: 3, Touché) by Anonymous Coward on Monday December 29, @02:26AM (1 child)
Build a car, especially an electric one, with no internet. Or maybe that's not legal anymore. It will be like trying to cross the border without a Facebook account.
(Score: 5, Informative) by epitaxial on Monday December 29, @04:26PM
Here you go. https://www.slate.auto/en [slate.auto]
Now let's see how many people put their money where their mouth is and buy one.
(Score: 4, Interesting) by mcgrew on Monday December 29, @02:34PM (2 children)
These outdated, embedded browsers can leave you open to phishing and other security vulnerabilities.
Like allowing you to visit an HTTP site? The only security ANY for-profit corporation worries about is the security of their own profits. Just a few days ago I attempted to text a link to my "Nooze" site to my daughter, and Android refused to send the link!
Apparently, from now on the internet is only for commerce and if you try to use it for anything else the money monkeys will do what they can to stop you, it is a danger to THEIR security!
I want my old honest America back!
Mad at your neighbors? Join ICE, $50,000 signing bonus and a LICENSE TO MURDER!
(Score: 0) by Anonymous Coward on Monday December 29, @05:44PM
Maybe I am confused, but I send texts with links all the time on this crappy A15.
(Score: 0) by Anonymous Coward on Tuesday December 30, @04:11PM
As if it ever was.
(Score: 3, Insightful) by SomeGuy on Monday December 29, @04:01PM
My obviously "old" car has no web browser (or touch screen shit - I can keep my eyes on the road while I adjust the AC knobs!)
My CRT TV and its OTA tuner box do not have any web browser.
My desk phone has no web browser in it.
My refrigerator, thermostat, and washing machine have no web browser on them.
There has not been a single time when I have ever thought that using a web browser on these devices would be a good or useful idea.
As someone who kicks around old browsers on full-tower beige boxes that won't fit in my pocket and don't need to, the real problem is NOT "security", the real problem is that common web sites intentionally break in any browser that is more than five minutes old. Because they need the latest seizure inducing animations and dizzying video backgrounds or whatever the latest stupid trend is.
If there were an actual, enforced, law requiring vendors to support their product for a reasonable product lifetime rather, then they might actually take these useless browsers out of their products. That would be a good thing.