Your car’s web browser may be on the road to cyber ruin - theregister.com

December 18, 2025 at 8:15 PM

Headline: Embedded browsers in cars, TVs, e-readers, and game apps are years out of date—putting you at risk

What this study found

  • KU Leuven's DistriNet researchers built CheckEngine, a crowdsourced testing framework for evaluating closed, embedded browsers; the work was presented at USENIX SOUPS 2025.
  • 76 submissions covered 53 unique products and 68 software versions (Feb 2024–Feb 2025).
  • 24 of 35 smart TVs and all 5 e-readers used browsers at least three years behind desktop releases.
  • 8 products shipped with browsers already more than three years obsolete at launch.

Why it matters

  • Embedded browsers often miss security patches, enabling phishing, origin/address bar spoofing, and potential privilege escalation.
  • Vendors sometimes promise updates but fail to deliver them, or fail to provide a clear security reporting channel.

Real-world examples

  • Boox Note Air 3: NeoBrowser based on Chromium 85 (Aug 2020) shipped Jan 2024; remained unpatched across four updates; no proper security contact; reported to EU regulators.
  • Steam client: Embedded Chromium 109/126. In older builds an open redirect could spoof the origin shown in alert boxes, which is useful for phishing.
  • Ubisoft Connect: Embedded Chromium 109 ran with --no-sandbox, increasing privilege escalation risk; new tabs/windows were blocked, limiting some exploit paths.
  • AMD Adrenalin: Embedded Chromium 112 vulnerable to address bar spoofing; AMD acknowledged and worked on a fix.

Why updates lag

  • Tight coupling: Embedded browsers are intertwined with UI components; updating can break dependencies and raise costs.
  • Framework overhead: Products built on bundles like Electron require updating the entire framework to move the browser forward.
  • Vendor inattention: Some simply do not prioritize or provision browser security updates.

Regulatory backdrop

  • EU Cyber Resilience Act took effect Dec 2024, with full obligations by Dec 2027; many tested devices are not yet compliant.

What you can do now

  • Prioritize devices with transparent, frequent security updates and published security contacts.
  • Apply firmware/software updates promptly and limit sensitive logins on embedded browsers.
  • Favor vendors that decouple the browser from the UI so it can be updated independently.
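The study's core check is simple to reproduce for your own inventory: read the Chromium major version out of an embedded product's user-agent and measure how old that engine was on the day it was observed, flagging anything that crosses the "at least three years behind" line. The following is an added example, not code from the article or from the CheckEngine project; the log lines are constructed, the release date for Chromium 85 is the one the article gives, and the other release dates are taken from public Chromium release history rather than from the page.

```python
import re
from datetime import date

# Stable release date per Chromium major. 85 -> Aug 2020 is stated in the article;
# the other dates come from public Chromium release history, not from the page.
CHROMIUM_RELEASE = {
    85: date(2020, 8, 25),
    109: date(2023, 1, 10),
    112: date(2023, 4, 4),
    126: date(2024, 6, 11),
}
LAG_DAYS = 3 * 365  # the study's "at least three years behind" threshold
CHROME_TOKEN = re.compile(r"\bChrome/(\d+)\.")
OBSERVED = date(2025, 2, 1)  # end of the study's collection window, used as "today"

def chromium_major(user_agent):
    """Extract the Chromium major version from a Chrome/WebView UA, or None."""
    m = CHROME_TOKEN.search(user_agent)
    return int(m.group(1)) if m else None

def assess(product, user_agent, observed):
    """Age the embedded engine as of `observed` and compare it to LAG_DAYS.
    Returns (product, major, age_days, outdated); an unknown major ages as None."""
    major = chromium_major(user_agent)
    if major is None:
        return None  # not a Chromium-based engine; nothing to assess here
    released = CHROMIUM_RELEASE.get(major)
    age = (observed - released).days if released else None
    return (product, major, age, age is not None and age >= LAG_DAYS)

def assess_log(lines, observed):
    """Run assess() over 'product<TAB>user-agent' lines, skipping non-Chromium ones."""
    out = []
    for line in lines:
        product, _, ua = line.partition("\t")
        r = assess(product, ua, observed)
        if r:
            out.append(r)
    return out

# Constructed sample lines: the majors follow the article, the UA strings are invented.
SAMPLE_LOG = [
    "eReader\tMozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.101 Mobile Safari/537.36",
    "GameClient\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
    "GpuPanel\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36",
    "Desktop\tMozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
]

if __name__ == "__main__":
    for product, major, age, outdated in assess_log(SAMPLE_LOG, OBSERVED):
        print(f"{product:12} Chromium {major:<4} age={age} days  outdated={outdated}")
```

Engine age at observation time approximates the study's "behind current desktop releases" measure, since Chromium ships a new major roughly every four weeks; a real inventory would feed this from proxy or telemetry user-agents rather than the constructed lines.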

Bottom line
Integrated browsers are updated far less often than standalone ones. Without pressure—from labels and, more importantly, regulation—many vendors will continue shipping outdated, vulnerable browsers in new products.

Source: https://www.theregister.com/2025/12/18/web_browsers_in_devices_security_vulnerabilities/
