FREE zero-day for every reader: AT&T's DirecTV kit has a root hole – and no one wants to patch it

AT&T's DirecTV wireless kit has an embarrassing vulnerability in its firmware that can be trivially exploited by miscreants and malware to install hidden backdoors on the home network equipment, according to a security researcher. Ricky Lawshae – a DEF CON veteran and infosec guru at Trend Micro's Digital Vaccine Labs – was an …

  1. RockBurner

    Is there ANY digital kit available these days that doesn't have a built-in zero-day vulnerability?

    Makes me quite happy to still have my old tube amp and CRT TV.

    1. Natalie Gritpants

      You do realise that it is fairly easy to read the screen of a CRT from outside your house? Google tempest.

      1. EveryTime

        "You do realise that it is fairly easy to read the screen of a CRT from outside your house? Google tempest."

        It's actually quite difficult. You might be able to do it with an unshielded monochrome monitor immediately on the other side of a lightly framed wall. But not with anything more modern, or further away. At most you can tell when the displayed image has changed to something significantly different.

        Unless you mean using binoculars through a window. That works spectacularly well, no matter what the signaling and display technology.

        1. Anonymous Coward

          Is difficulty not just synonymous with cost or importance? If looking through the window is not an option, they can either do the XKCD route (spanner or hammer) or do the "phone up your phone company records" route.

          You would need to have something very important for them to bother that much. But a couple of videos on Defcon show it's not as hard as most people think it is. Some pretty good demonstrations on there.

          PS, I'd also love to see what could be done with the maths involved in detecting signals below the noise level. Some really clever "tricks" can be done with the right kit or right algorithms.

      2. JimboSmith

        Well Tempest and Van Eck Phreaking demo here (NHK video but has audio translation into English) and for just a keyboard here. Years ago (in the Win95 era I think) a builder I knew had refurbished a house for a wealthy client. He said that in several rooms he'd been asked to put metal screening in the walls ceiling and floors and the rooms had metal cored doors. I can't remember what had been done to the windows but they were special too. He'd also had to use magnetic paint which was yet another oddity. I said I could think of a reason why the client was very keen to do this because the builder had always thought it odd. I explained about Faraday cages etc. and he said that made sense "the bloke was f*cking paranoid".

    2. Dr.Sommer

      sure!

      only ... their zero-days are not yet discovered.

  2. Anonymous Coward
    Devil

    gangrene purple ...

    ... is the new black.

    <EOM>

  3. Anonymous Coward

    Likely the tip of the iceberg

    Cable/satellite companies just care about adding features for their customers' convenience, like wireless, streaming content off their DVR while away from home, and so forth. No doubt most are riddled with holes like this example, because they slap together open source tools without paying any attention to security.

  4. Anonymous Coward

    On the zero day of Christmas my hacker gave to me, an exploit in a direc tv.

    1. Boris the Cockroach Silver badge
      Devil

      On the first day of xmas my hacker gave me, a raid by the cops for hosting child pornography

      1. Anonymous Coward

        On the second day of Christmas my hacker gave to me, an update through flash and IE.

        1. Boris the Cockroach Silver badge
          Devil

          On the third day of Christmas my hacker gave to me, 3 spam bots, an update through flash and IE and a raid by the cops for hosting child pornography

          1. Anonymous Coward

            On the 4th day of Christmas my hacker gave to me, 4 jailbreaks, 3 spam bots, an update through flash and IE and a raid by the cops for child pornography.

          2. Anonymous Coward

            On the fifth day of Christmas my hacker gave to me, 5 Android cracks, 4 jailbreaks, 3 spam bots, an update through flash and IE and a raid by the cops for child pornography.

            1. Anonymous Coward

              On the sixth day of Christmas a hacker gave to me, 6 lords a pissing all over privacy, 5 Android cracks, 4 jailbreaks, 3 spam bots, an update through flash and IE and a raid by the cops for child pornography.

              1. Anonymous Coward

                On the seventh day of Christmas a hacker gave to me, 7 bitcoin ransoms, 6 lords a pissing all over privacy, 5 Android cracks, 4 jailbreaks, 3 spam bots, an update through flash and IE and a raid by the cops for child pornography.

                1. Anonymous Coward

                  On the eighth day of Christmas a hacker gave to me, 8 trojans a milking, 7 bitcoin ransoms, 6 lords a pissing (over privacy), 5 Android cracks, 4 jailbreaks, 3 spam bots, an update through flash and IE and a raid by the cops for child pornography.

                  1. Anonymous Coward

                    On the ninth day of Christmas a hacker gave to me, 9 ladies dildos spying, 8 trojans a milking, 7 bitcoin ransoms, 6 lords a pissing (over privacy), 5 Android cracks, 4 jailbreaks, 3 spam bots, an update through flash and IE and a raid by the cops for child pornography.

                    1. Anonymous Coward

                      On the tenth day of Christmas a hacker gave to me, 10 IoTs a leaking, 9 ladies dildos spying, 8 trojans a milking, 7 bitcoin ransoms, 6 lords a pissing (over privacy), 5 Android cracks, 4 jailbreaks, 3 spam bots, an update through flash and IE and a raid by the cops for child pornography.

                      1. Anonymous Coward

                        On the eleventh day of Christmas a hacker gave to me, 11 MITM Piping, 10 IoTs a leaking, 9 ladies dildos spying, 8 trojans a milking, 7 bitcoin ransoms, 6 lords a pissing (over privacy), 5 Android cracks, 4 jailbreaks, 3 spam bots, an update through flash and IE and a raid by the cops for child pornography.

                        1. Anonymous Coward

                          On the twelfth day of Christmas a hacker gave to me, 12 DNS hijacks, 11 MITM Piping, 10 IoTs a leaking, 9 ladies dildos spying, 8 trojans a milking, 7 bitcoin ransoms, 6 lords a pissing (over privacy), 5 Android cracks, 4 jailbreaks, 3 spam bots, an update through flash and IE and a raid by the cops for child pornography.

                          1. Norman Nescio

                            On the thirteenth day of Christmas a hacker gave to me, 13 Obi-wan errors, 12 DNS hijacks, 11 MITM Piping, 10 IoTs a leaking, 9 ladies dildos spying, 8 trojans a milking, 7 bitcoin ransoms, 6 lords a pissing (over privacy), 5 Android cracks, 4 jailbreaks, 3 spam bots, an update through flash and IE and a raid by the cops for child pornography.

  5. Christian Berger

    Well so where's the problem?

    Those boxes are strictly in the local network and if I pay for that device I damn well have every right to be root on it.

    It should be noted that the most likely attacker (the vendor) probably already has root access in the form of potentially malevolent firmware updates. There have been many examples of vendors taking away features or deliberately or accidentally bricking devices. That seems to be much more common than fixing actual security bugs.

    1. Anonymous Coward

      Re: Well so where's the problem?

      "if I pay for that device I damn well have every right to be root on it"

      You've got a right for goods to be fit for purpose, of adequate quality, or similar phrasing in a lot of jurisdictions, but I'm not aware of any laws anywhere giving an end user the right to root access on computer controlled devices.

      Or do you know better?

      1. Christian Berger

        Re: Well so where's the problem?

        "but I'm not aware of any laws anywhere giving an end user the right to root access on computer controlled devices."

        Actually the German constitutional court derived the right of "Integrity and secrecy of information processing systems" some years ago. Just because there aren't any explicit laws, doesn't mean you don't have a right.

    2. Dan 55 Silver badge

      Re: Well so where's the problem?

      I imagine it wouldn't be too difficult to knock up malware which looks for this device on the LAN and recruits it as a botnet or turns it into a Monero miner.

      That's what's wrong with it.

    3. razorfishsl

      Re: Well so where's the problem?

      Duuuurrrrrrrrrr......

      you run a "reflection attack", say a computer with an external connection to the internet, DL some JavaScript, then go after the internal network from the computer's point of view.

      1. Michael Wojcik Silver badge

        Re: Well so where's the problem?

        you run a "reflection attack"

        Yup. All the attacker needs is for you to visit a page with a CSRF vulnerability. Of which there are approximately one zillion.

        Pivot-and-escalate is one of the most common attack approaches. Everyone in IT should know that.

        It's not a problem that the owner (or renter, or however the agreement with AT&T works) can get root. It's a problem that anyone can, trivially.

  6. My other car is an IAV Stryker
    Unhappy

    So DirecTV is sh!te

    And he used to be a U-verse customer instead, as I still am. Wonder what he found there.

    Personally, I've had two (or is it three) different Motorola DVR STBs go wonky, losing recordings when I swap them out, and three or four (or five now?) "gateway" units (mostly Arris) develop issues. And the latest gateway unit has issues handling the multiple Wi-Fi networks that AT&T loves to offer.

    Details of feature: simultaneously delivering 802.11b on 2.4MHz AND (.11n or -ac) on 5MHz, each with both a "regular" SSID AND a "guest" SSID. My issues:

    - The 5MHz barely works at all, the 2.4 sometimes goes missing and needs a reboot. Not sure they're working well together even though it's set to. Doesn't matter anyway because my total bandwidth is a smaller pipe than a prostate with cancer. (Apologies to any mates suffering.)

    - Some of my devices aren't working right on the MAC filter (which every time I get a new unit I have to repopulate); I think the "normal" and "guest" SSIDs were sharing the whitelist even though I set guest to not filter.

    - For now, I keep the non-guest SSID beacons off, but I'm not sure if things will stay working in that state much longer.

    And my only other choice is Comcast. For now, AT&T is the lesser of two evils.

  7. kain preacher

    You want a fast fix? Tell them that this flaw will allow for free service.

  8. Bucky 2
    Black Helicopters

    Whenever a vendor goes silent on a 0-day, I think the wisest course of action is to assume that it was a back door that the government (or a government, anyway) demanded they put in.

    Which is fair, because it's tantamount to the same thing.

    1. Anonymous Coward

      Not even farfetched. Computers that have the Synaptics touchpad inside are all, as in all OEMs, able to function as a keylogger with the insertion of one registry key. I can easily understand how it can happen "accidentally" due to debugging as an option in the dev build remaining in the OEM build. Just botched delivery. Engineers supposed to remove it get pulled off to piss on another hot project. Whoops.

      Or malicious intent from whatever source. The NSA flat refuses to answer the question of whether coercion has ever been used against corporations to insert this class of bug. Ditto IME. Funny, NSA has an "undocumented kill switch" for the IME in Intel chips. Everyone else didn't have a clue, or couldn't publicly discuss the matter. [I wish I had a copy of the NDA I had to sign before being tossed on the middenheap by the US Navy for disability. Five pages, small type. Very small type.]

  9. Wade Burchette

    Linksys is now owned by Belkin

    So there is your problem right there. Everything Belkin is pure garbage. The garbage in my trash can becomes even less valuable when I throw away something from Belkin.

  10. Chairo
    Coffee/keyboard

    Now you'd think this wouldn’t be an issue for long. AT&T's a big company, as is Linksys, and they have a vested interest in protecting their customers and making sure that their kit isn't subverted. Not so it seems.

    Nicely put. Made me spill my coffee all over the place.
