Fall is officially here, and that can only mean that SecTor is right around the corner! All summer long, I’ve been planning and prepping new ideas for this year’s IoT Hack Lab and training session. With just a few weeks to go until the conference kicks off, I’m more than a little excited about the new hacks we’ll be demonstrating, dissecting and discussing at the Hack Lab. Although I’m not going to spill all the beans, I would like to take this opportunity to introduce just one of the devices making a first-time appearance at the SecTor IoT Hack Lab. Say hello to Roku Ultra, the very capable Internet set-top box boasting an estimated 50 million online devices.

You may be thinking to yourself that I’m only bringing a Roku to watch the Mr. Robot premiere from my hotel room…

Mr Robot on TV SecTor 2019 Lab Hacks

Actually, you’re right. Partly. See, I usually do this kind of thing from my computer, but this time I wanted to do it AFK. In person.

We will be using the publicly available Dolos framework to show how a fully patched Roku with the default configuration can be usurped by malicious web content to force attacker-controlled content onto the screen. This means that by simply opening the wrong web page, someone else can instruct all Rokus on your network to immediately start streaming an arbitrary video from the Internet, and it doesn’t take Elliot Alderson to see how this can end badly. TVs connected to the Roku can even be powered on by this attack if they are configured to use HDMI-CEC with Roku.

Roku fixed DNS rebinding attack vectors last year but made the decision to leave the default configuration exposed to cross-site request forgery. Capturing traffic while initiating a stream to Roku from AllCast reveals the HTTP request (Read more...)