Forum Discussion

roquoonewbie's avatar
roquoonewbie
Visitor
10 years ago

Firmware 7.0 Introduces ECP launch command bug

Prior to updating to firmware 7.0, it was possible to use the ECP launch command to open the channel store to the channel page of a specific *private* channel. For example, this command would launch ...
Roku Developer Program
EnTerr's avatar
EnTerr
Roku Guru
10 years ago
"roquoonewbie" wrote:
If such a malicious channel existed, and an attacker had gained access to the victim's PC (or other device), couldn't they just as easily launch the user's browser to the add channel screen there (eg: https://owner.roku.com/Add/ACETV)? ie: whether the malicious code launched the Add Channel screen on the Roku/TV, or launched the Add Channel screen on the PC/Browser, the risk is the same as far as I can tell. I don't see how launching the channel store screen poses any more of a risk. In both cases, the attacker has to first gain access to run code on a device on the user's network, present an Add Channel option to the victim, and get the victim to agree to do so.

You are right, TheEndless's example is not a real security concern. In his niceness, he'd creatively apologize (Canadian much? :P) for most anything RokuCo may do. In this case he ummm, "embellished the truth" by conjecturing that showing info screen on a channel somehow places it in the official Channel Store context. Which it doesn't - just like having a "private" channel installed on the Home screen does not imply it came by the means of teh "Streaming Channels" section.

However: there is a security risk in that "Details" screen, in light of this August's "indecent exposure": viewtopic.php?f=34&t=88160
A possible intrusion scenario can go like this: scanning the internets, Mallory (or "Malice", an automated agent) discovers Alice's Roku and using ECP commands, brings the Details screen and installs a malicious app. Which through cunning use of the "hidden" flag turns the Rokus into a "sleeper cell" without Alice ever being able to detect - or for that matter, even remove said app. And when the time comes, said malicious apps can be launched by Malice via remote ECP for the purposes of say DDoS attack

So, does that mean that ECP install is doomed? Not at all, there are ways to tackle the real issue - instead of shooting the DetailsScreen messenger. The real concern is NOT to allow an automated agent to install channels - ANY channel - without an explicit HUMAN approval. How? Say by implementing a "PIN feedback loop" on "add channel" menu item, where there is no universally-known key sequence. For example:
  1. Ask the owner to type the security PIN code (which is used for purchases)

  2. Ask the viewer to type a random code, akin to a Bluetooth handshake or Roku channel-device linking. (This btw was recently implemented in fw7:) [spoiler=var-PIN:3k3b0efo][/spoiler:3k3b0efo]