Security researchers take aim at Roku streaming media players

One security researcher cracked Roku WPA2-PSK and the Roku WPS pin, while another used Shodan to uncover some interesting facts about Roku.

Security researchers take aim at Roku devices
Brian (Creative Commons BY or BY-SA)

If you are sick of your ever-increasing cable bill, have you considered becoming a cord cutter? If you spent a bundle on your TVs but they aren't smart TVs, you likely aren't planning to abandon them. PCMag has a decent cord cutter's guide; for folks without a smart TV, TechHive's media streamer buyers' guide compared Amazon Fire TV, Apple TV, Google Chromecast, Nvidia Shield Android TV, and Roku 3 before recommending Roku 3 "as the best all-around option." TechHive explained:

Roku 3, for instance, has the most complete app selection, but like all other non-Apple devices it can't access iTunes purchases. Meanwhile, Apple TV is missing apps for Amazon Instant Video, Sling TV, and Plex. The Nvidia Shield Android TV covers for its ho-hum app selection through Google Cast support, which lets you launch content from a phone or tablet (marked GC on the chart), but it lacks support for Amazon Instant Video.

While pondering cutting the cord, you have to decide what you want to stream, like Showtime, HBO Now, CBS All Access, or if you are interested in small bundles like Sling TV offers along with a free Roku Streaming Stick.

Roku streaming players Roku

Roku has been around for a long time. So long, in fact, that HBO GO no longer works with the Classic Roku, which was made before May 2011. Reddit user EpicNoob1983 feels "burned" after Roku 2 was "abandoned," and when he took the issue to the forum, he was told to buy a new TV. One would hope that the new Roku TVs don't suffer the same abandonment fate.

Fabrizio Siciliano, aka @x42___, spent the weekend performing a Roku vulnerability assessment. Siciliano said the "take-aways" from his post titled "Cracking the Roku V2 WPA2-PSK" are:

1. Roku WPA2-PSK cracked.

2. Roku WPS Pin is 00000000.

3. Just because you decide to use an impossible to surmise WPA2-PSK passphrase, implementing it through WPS is useless.  

One would hope that smart TVs would be secure, but most "smart" devices are potential privacy and security nightmares; security researchers have previously shown how smart TVs are the "perfect target" for spying on you. As pointed out by John Matherly, aka @achillean and the founder of Shodan, "Much of the smart TV world is full of low-hanging fruit in terms of security."

After Siciliano's post became popular on the subreddit Netsec, Matherly decided to shine a light on the Roku. He scanned his Vizio TV with Nmap; it launched "an update and shows the application menu - no authentication required. As such, it isn't a huge surprise to learn that the Roku offers an API to control the device that doesn't have authentication enabled. And to be fair, the use case for the API is to allow local users to control their Roku over the phone. They're not meant to be directly exposed on the Internet. Aside from the security implications, this also provides an opportunity to learn a bit about which Roku devices are most popular and which apps users install the most. First, I scanned the Internet for devices then downloaded the results."

Matherly found "1,868 Roku devices directly on the Internet," with the Roku 3 followed by the Roku Stick and Roku 2 as the most popular Roku devices. It's cool to see the breakdown, which included specific model numbers; 4200X is the most common, followed by 3500X and 3050X. Even better, Matherly was able to "determine how often people update/patch" their Roku channels and used Netflix versions as an example.

Other interesting data included Matherly's comparison of the most popular Roku channels according to Roku, and the most popular Roku channels according to Shodan. He noted, "Sling TV, Time Warner Cable and Acorn TV aren't anywhere close to the top 10 in the Shodan ranking yet they're very high in Roku's list."

Top 10 most popular Roku apps via Shodan and Roku Shodan

Matherly also tweeted, "Talk to Roku devices on the Internet directly to get a list of the most popular apps" and linked to a list of installed Ruku apps on GitHub Gist. If interested, you can check out Matherly's "complete breakdown of versions and apps."

Siciliano will continue to hack Roku as he believes "this still deserves more research." He also said, "If anyone has any ideas on escalating this to getting internet access through the Roku, any suggestions or ideas are welcome."

As his research inspires others to do the same, it had me wondering about the security of cord cutting. LG and Samsung have raised significant privacy concerns in the past, enough that I personally don't want a smart TV. I do want to cut the cord and stop paying an ever-inflating cable TV bill – basic cable at that! Are most all of the streaming devices insecure by design? If so, then will it be on the user to secure them? That scenario worked so well in the past with other IoT devices, such as wireless cameras…With more and more people cutting the cord and moving to insecure-by-design streaming media players and smart TVs, will attackers have anything significant to gain by going after that low-hanging fruit?

That might just depend upon what fruits can be harvested. It will be interesting to see if any smart TVs or streaming media players are targeted at DefCon's IoT Village where hackers are encouraged to "show us how secure (or insecure) IP enabled embedded systems are. Routers, network storage systems, cameras, HVAC systems, refrigerators, medical devices, smart cars, smart home technology, and TVs—If it is IP enabled, we're interested."

SUBSCRIBE! Get the best of CSO delivered to your email inbox.