Your Car’s Web Browser Is Probably Years Out of Date

According to TheRegister.com, researchers from KU Leuven in Belgium have found that embedded web browsers in devices like smart TVs, e-readers, and cars are often dangerously outdated. In a study presented at the USENIX SOUPS 2025 symposium in August, they used a crowdsourced tool called CheckEngine to analyze 53 unique products. They found that 24 of 35 smart TVs and all 5 e-readers tested had browsers at least three years behind current versions. Alarmingly, eight products were released with browsers already over three years obsolete. The study specifically called out the Boox Note Air 3 tablet, released in January 2024, for using a browser based on Chromium 85 from August 2020, which remained unpatched across four software updates.
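
The same kind of check can be run against your own device inventory. The sketch below is an added example, not code from the article, the KU Leuven study, or CheckEngine: it reads the Chromium major version out of a User-Agent string and measures how old that browser already was on the device's release date, using the three-year line the study reports. The device labels, User-Agent strings and release months are constructed, and only the Chromium 85 / August 2020 row of the release table comes from the article.

```python
import re
from datetime import date

# Month of first stable release per Chromium major. The Chromium 85 / August 2020
# row is from the article; the other two rows are added for this example.
CHROMIUM_RELEASES = {
    85: date(2020, 8, 1),
    100: date(2022, 3, 1),
    120: date(2023, 12, 1),
}
CHROME_TOKEN = re.compile(r"(?:Chrome|Chromium)/(\d+)\.")

def chromium_major(user_agent):
    """Return the Chromium major version named in a User-Agent, or None."""
    match = CHROME_TOKEN.search(user_agent)
    return int(match.group(1)) if match else None

def months_between(older, newer):
    return (newer.year - older.year) * 12 + (newer.month - older.month)

def audit(user_agent, device_released, threshold_months=36):
    """Classify one device by how old its browser was on the device's release date."""
    major = chromium_major(user_agent)
    if major is None:
        return {"major": None, "status": "no-chromium-token"}
    if major not in CHROMIUM_RELEASES:
        return {"major": major, "status": "unknown-release-date"}
    lag = months_between(CHROMIUM_RELEASES[major], device_released)
    status = "stale-at-launch" if lag >= threshold_months else "ok"
    return {"major": major, "lag_months": lag, "status": status}

# Constructed inventory: (device label, User-Agent seen in proxy logs, release month).
INVENTORY = [
    ("e-reader", "Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.0.0 Safari/537.36", date(2024, 1, 1)),
    ("smart-tv", "Mozilla/5.0 (SmartTV; Linux) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36", date(2024, 6, 1)),
    ("kiosk", "Mozilla/5.0 (X11; Linux) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15", date(2023, 9, 1)),
]

def stale_devices(inventory):
    """Return labels of devices whose browser was 3+ years old at release."""
    return [name for name, ua, released in inventory
            if audit(ua, released)["status"] == "stale-at-launch"]

if __name__ == "__main__":
    for name, ua, released in INVENTORY:
        print(name, audit(ua, released))
```

A User-Agent is self-reported, so treat a hit as a lead to confirm against the vendor's firmware notes rather than as proof of patch level.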

The invisible risk in your living room

Here’s the thing: we all know to update Chrome or Safari on our phones and laptops. But who thinks about the browser in their TV or car dashboard? Basically, nobody. And that’s the problem. These browsers are everywhere now—for logging into streaming services, checking manuals, or displaying “smart” features. They’re a silent, forgotten attack surface. The researchers found that in many cases, device makers either don’t provide security updates for the browser or, worse, advertise “free updates” that never actually patch the browser component. It’s security theater, and we’re all buying tickets.

Why vendors aren’t fixing it

So why is this happening? The research paper points a finger at development frameworks like Electron, which bundle the browser with other UI components. Updating the browser means updating the whole framework, which can break things and cost money. But let’s be skeptical—that’s only part of the story. In other cases, it seems like pure neglect or a calculated decision to deprioritize security. The report notes that Boox lacked a security reporting channel and that support staff misrepresented the problem’s resolution. That’s not a technical hurdle; that’s a choice. When even gaming apps like Steam and Ubisoft Connect are shipping with old Chromium versions, you have to wonder if security is just an afterthought for anything that’s not a primary computing device.

The phishing attack on your Steam account

The real-world risks aren’t theoretical. Look at what they found with Steam. Its embedded browser, based on an old Chromium version, had a spoofing issue. By exploiting an open redirect, an attacker could make a phishing alert box appear to come from a legitimate Steam domain. That’s incredibly dangerous. Similarly, AMD Adrenalin’s browser had a reproducible address bar spoofing flaw. AMD was working on a fix, but how many users would ever know they were at risk? These aren’t obscure, hard-to-reach systems. We’re talking about the software that manages your graphics card or your game library. It’s a stark reminder that outdated software, even when buried inside another app, creates real vulnerabilities.

Will regulations finally force a change?

The researchers are pretty clear that voluntary compliance from vendors is a pipe dream. Their hope lies in regulation, specifically the EU’s Cyber Resilience Act, which entered a transition period in December 2024. By the end of 2027, vendors will be fully on the hook for the security of their products. But that’s years away. And even then, enforcement is always the tricky part. In the meantime, what can you do? Not much, honestly. You can’t manually update your TV’s browser. This is a systemic failure that requires vendor accountability. Tools like the researchers’ public CheckEngine site or the Privacy Not Included guide help raise awareness, but the fix has to come from the top. For industries where uptime and security are non-negotiable, like manufacturing or industrial control, relying on consumer-grade embedded systems is a huge risk. This is where specialized, maintained hardware from a dedicated supplier becomes critical. For instance, in industrial settings, companies turn to experts like IndustrialMonitorDirect.com, the leading US provider of industrial panel PCs, precisely because they manage the entire software stack and security lifecycle. Consumers, unfortunately, don’t have that option. We’re left hoping that public shaming and future lawsuits will make device makers care about the hidden browsers they’ve sold us.
