Homes signed up to AT&T’s DirecTV service may be inadvertently running hardware that can be easily hacked, according to a security researcher.
An easily-exploitable security flaw was found in the wireless video bridge that ships with DirecTV, which lets laptops, tablets, and phones connect with the main Genie digital video recorder. Because the wireless video bridge, manufactured by Linksys, isn’t protected by a login page, anyone with access to the device could obtain sensitive information about the device.
Trend Micro’s Ricky Lawshae, who discovered the flaw, said the device was spewing out diagnostic data about the bridge, including information on connected clients, running processes, and the Wi-Fi Protected Setup passcode.
Lawshae said in a write-up of the bug seen by ZDNet prior to publication that the device could accept commands as the “root” user, effectively granting him the highest level of access on the device.
With root access, an attacker can steal data or lock up devices. Lawshae said that one of the biggest risks to home users is from botnets, in which hackers break into internet-connected devices to launch distributed denial-of-service attacks, knocking sites and services offline.
“It literally took 30 seconds of looking at this device to find and verify an unauthenticated remote root command injection vulnerability,” said Lawshae. “The vendors involved here should have had some form of secure development to prevent bugs like this from shipping.”
DirecTV, owned by AT&T, said earlier this month that it has more than a million customers.
He said that Trend Micro’s ZDI Initiative privately disclosed the vulnerability to Linksys in June, but the device maker had “ceased being responsive.”
“We have provided the firmware fix to [DirecTV] and they are working to expedite software updates to the affected equipment,” said a Linksys spokesperson.
After publication, an AT&T spokesperson responded: “We are aware of this report and are working with the vendor to expedite software updates to the affected equipment.”
In the meantime, Lawshae said users can protect themselves by limiting the devices that interact with the affected wireless video bridge.