A Huge Security Hole In AT&T DirecTV Gives Hackers An Easy Route To Spy On Your Home

This article is more than 6 years old.

If you're one of the millions of people who've signed up to AT&T's DirecTV service, there may be an easy way for hackers to get into your home and spy on you. That's because of a vulnerability that's yet to be fixed in a core part of the Genie digital video recorder system that's shipped free of charge with DirecTV.

The issue resides in the wireless video bridge that lets other DirecTV devices communicate with the Genie DVR over the air. In this case that's the Linksys WVBR0-25. Security researcher Ricky Lawshae, from Trend Micro DVLabs, was able to immediately get data from the device's web server as there was no login page. From there, Lawshae was able to determine the device would accept commands remotely and would do so at the "root" level of access. That meant he could run almost anything he wanted on the Linksys device, a fairly shocking vulnerability, even by today's low standards of home tech security.

"It literally took 30 seconds of looking at this device to find and verify an unauthenticated remote root command injection vulnerability. It was at this point that I became pretty frustrated," wrote Lawshae, in an advisory shared with Forbes ahead of publication Wednesday. "The vendors involved here should have had some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to affect the changes needed in the industry to prevent these simple yet impactful bugs from reaching unsuspecting consumers."

The video below shows how quick and simple Lawshae's hack was, taking him less than a minute to execute.

Spying via the TV

Lawshae handed his findings to the Trend Micro-owned ZDI Initiative, which attempted to disclose the vulnerability to Linksys. But according to the researcher, Linksys had become "unresponsive" and so he and ZDI had decided to publicize the issues.

A spokesperson from Belkin, the owner of Linksys, told Forbes Wednesday it had "provided the firmware fix to DirecTV and they are working to expedite software updates to the affected equipment." AT&T told Forbes after publication an update was on the way, but didn't give a precise date.

Brian Gorenc, manager of the ZDI, warned about the possible impact for customers, adding: "Since they're root, they can take any action available to the system: install software, exfiltrate data, encrypt files...

"If the devices are set up to use on-demand services, then this is just like any device or computer on the network and could be used as a node to perform surveillance or Man-in-the-Middle attacks with any other device. Aside from that, the attacker can see everything about what a user is doing on the TV, from buttons pressed on the remote to the TV channels selected."

Trend Micro recommended that without a patch, "isolating the device on the network is the best mitigation strategy."

UPDATE: Whilst AT&T didn't say when a patch might be coming, the company told Forbes that it was inaccurate to say other PCs or devices on the home network could be attacked using the vulnerability, and that phones and laptops didn't connect to the vulnerable wireless bridge. Forbes has updated the article to reflect the latter point.

In an emailed statement, an AT&T spokesperson said: "We are aware of this report and are working with the vendor to expedite software updates to the affected equipment."

It should also be noted that an attack would require the hacker to have access to the target's network, either by joining it legally or breaking into it first, not an overly difficult task for a relatively talented hacker.

AT&T disagreed with the researchers that other devices, like customers' mobiles and PCs, were susceptible to attacks via the vulnerabilities. But the benevolent hackers said that it was possible to use the flaw to start targeting other computers on the network. "Other devices on the local network may be at risk if the consumer uses the On-Demand services, which requires them to pair their DVR with their home network."

AT&T also said anyone who exploited the weakness would only be able to see encrypted video content and related communication sent between a Genie and wireless DirecTV devices. The researchers, however, said that while video streams themselves are encrypted, the related communications, such as screen changes, button pushes and guide actions, were not encrypted and could be deciphered.
