Apple TV can hack your house
by Nikola Strahija on February 26th, 2016
Apple has recently patched 33 bugs from 58 CVE vulnerabilities, out of which 10 allow malicious attackers to execute arbitrary code and 6 of them run it with system privileges.
Only one bug applies to the newest (4th) generation of Apple TV while the rest hit 3rd gen devices. Users with automatic updates turned on should have these fixes applied already.
Some of the bugs involve a memory corruption flaw (CVE-2015-5776), which can lead to remote arbitrary code execution or an app crash. Several bugs are related to an old version of libxml2 that is vulnerable to remote denial of service (CVE-2012-6685, CVE-2014-0191 and CVE-2014-3660, reported by Google's Felix Groebert). On top of those, malformed or malicious DMG files and plists can be used to trigger arbitrary code execution with system privileges. Apple's engineers fixed 27 bugs, including 19 code execution flaws that malicious attackers could exploit through special web content.
The less serious bugs involve images and cookies being leaked to third-party sites.
There were some cross-origin flaws as well, which meant that images and cookies could have leaked to third-party sites. The source of the unsigned code execution bug is the TaiG jailbreaking team, which also found the bug that allowed arbitrary code execution with system privileges.
By gaining access to an Apple TV device, a malicious attacker can use it as a foothold into other parts of the network and the devices or computers connected to it.