Set-top box (STB) hijacking is not a theoretical threat. It’s definitely a growing problem for pay TV and video operators around the world, particularly in LATAM and parts of Europe.
In simple terms, hijacking occurs when an operator-supplied set-top box is taken over and repurposed for unauthorized use. The impact is immediate and financial, and in some cases the losses can reach pretty staggering amounts.
There are two primary reasons why attackers target set-top boxes. Both come down to economics.
Repurposing valuable hardware for free
In the traditional operator business model, the operator purchases millions of set-top boxes and deploys them to subscribers. The cost of each device is recovered gradually through subscription revenue. Typically, the first year of a contract may only cover the hardware and logistics. Only after that does the operator begin generating meaningful margin.
If that box is stolen, otherwise unavailable for use, or simply not returned after a subscriber cancels service, the operator loses control of a revenue-producing asset. In some regions, especially where logistics are complex or expensive, it is not commercially feasible to collect every returned device. That creates an opportunity.
Once a subscriber realizes the device can be repurposed, the incentive is clear. Instead of returning the hardware, they keep it and convert it for use with another service or as a generic device usable for a whole host of things. In more extreme cases, entire truckloads of boxes have been stolen and redistributed for unauthorized use.
The financial math can be brutal. To take an extreme example, if one million boxes are compromised, operators may see losses in the range of tens of millions of dollars. This is not about content piracy alone. It is about lost hardware, lost subscriptions, and lost control over infrastructure investments, even in less extreme cases.
Exploiting open platforms for control
The second reason set-top boxes are targeted is technical. The ecosystem has changed. In the past, operators tightly controlled firmware, middleware, and application environments. Only certified software could run on the box. That made repurposing extremely difficult.
Today, many operator devices run Android TV or similar open platforms. These platforms are designed to be flexible, with open app stores and debugging capabilities. That openness is valuable for innovation, but it also expands the attack surface.
Hijacking typically follows one of several paths:
- Debug bridge exploitation (ADB): Android Debug Bridge access can allow an attacker to connect a laptop via USB and install or remove applications directly on the device. If not properly restricted, this grants full control.
- Factory reset bypasses: Even when debugging is disabled, a factory reset can sometimes re-enable blocked features if not properly secured.
- App store abuse: If app stores are not tightly restricted, attackers can install third-party applications that take control of system functions.
- Remote support channel exploitation: Many operators deploy remote management tools to support customers. These services can unintentionally expose control interfaces. In some cases, authentication is based only on an IP address. An attacker can disconnect the box, assume the expected IP address, and gain privileged access.
Once control is achieved, the attacker removes the original operator application and replaces it with software that connects to another provider or to unauthorized streaming services. The box is effectively hijacked and repurposed.
The cost of losing control
The underlying issue is not just piracy. It is loss of control over operator-owned assets.
Operators invest heavily in hardware fleets. When those devices can be stolen, modified, or redirected to competing services, the entire business model is threatened. Revenue projections assume that each deployed device remains tied to a paying subscriber. Hijacking breaks that assumption.
Preventing hijacking requires disciplined device review before release, hardened remote management applications, secure boot and debug restrictions, and ongoing patching. Regulatory pressure, such as the EU Cyber Resilience Act, is reinforcing the need for stronger lifecycle control. But beyond compliance, this is also about protecting investments.
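As an added illustration of the pre-release device review described above (this is not code from the article or from any operator), the following Python sketch audits Android `getprop` output for the debug, ADB, and verified-boot settings involved in the hijacking paths listed earlier, and compares a dump taken before a factory reset with one taken after it. The baseline policy, the function names, and both sample dumps are assumptions constructed for the example.

```python
import re

# Release baseline for an operator Android TV build. The policy values are an
# assumption for this example; the property names are standard Android ones.
REQUIRED = {
    "ro.build.type": lambda v: v == "user",
    "ro.build.tags": lambda v: v == "release-keys",
    "ro.debuggable": lambda v: v == "0",
    "ro.adb.secure": lambda v: v == "1",           # ADB host-key authorization on
    "ro.boot.verifiedbootstate": lambda v: v == "green",
    "ro.boot.flash.locked": lambda v: v == "1",    # bootloader locked
}
# May be absent, but if present must not switch ADB on (USB or TCP).
OPTIONAL = {
    "persist.sys.usb.config": lambda v: "adb" not in v.split(","),
    "service.adb.tcp.port": lambda v: v in ("", "-1", "0"),
}
PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]$")

def parse_getprop(text):
    """Parse `getprop` output lines of the form `[key]: [value]`."""
    matches = (PROP_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def audit(props):
    """Return (property, observed value) pairs that violate the baseline."""
    findings = [(k, props.get(k, "<missing>")) for k, ok in REQUIRED.items()
                if k not in props or not ok(props[k])]
    findings += [(k, props[k]) for k, ok in OPTIONAL.items()
                 if k in props and not ok(props[k])]
    return findings

def reset_regressions(before, after):
    """Findings that appear only in the dump taken after a factory reset."""
    known = {k for k, _ in audit(before)}
    return [f for f in audit(after) if f[0] not in known]

# Constructed sample dumps (not from a real device).
BEFORE_RESET = """\
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]
[ro.debuggable]: [0]
[ro.adb.secure]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [0]
[persist.sys.usb.config]: [mtp]
[service.adb.tcp.port]: [-1]
"""
AFTER_RESET = BEFORE_RESET.replace("[mtp]", "[mtp,adb]")
```

Running the same audit after a factory reset matters because `persist.*` values are wiped with user data and fall back to the build defaults, which is where a re-enabled debug setting would show up.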
Set-top box hijacking succeeds when control is weak. It fails when operators treat device security as seriously as content security. In today’s open, software-driven environment, that shift in mindset is essential.