Versions of Apple TV earlier than 7.0.1 are unpatched for two vulnerabilities:
- SSL protocol 3.0 uses nondeterministic CBC padding, which exposes it to man-in-the-middle attacks (aka, the “POODLE” issue); the issue was fixed by disabling CBC cipher suites from use when TLS connection attempts fail (CVE-2014-3566)
- Unencrypted Bluetooth input are allowed, which could be leveraged by an attacker to spoof Bluetooth connections; the issue was fixed by disallowing unencrypted connections (CVE-2014-4428)