This is a security fix. You should not be able to install private channels via the ECP. If there is some business case for doing this let me know.

- Joel

The business or use case for being able to install private channels via the ECP is the same as the case for doing so with public channels. ie: It is an easy/seamless user experience for a customer using an external app or device to install a companion channel on the Roku with a couple of clicks.

For eample, a PC media server app can present an option to the customer to "click here to install the companion player on your Roku". Then the customer can click on the PC, go to their TV, and click "Add Channel". Super easy and a wonderful user experience.

The same could be true of (for example) an iOS app that relies on a companion Roku channel to "cast" media to it. Installing it with a couple of clicks is vastly easier than logging into a web browser and adding it there, then going to the Roku and going to Home...Settings...System...Update.

I also don't see how it is any more of a security hole to enable this for private channels than it may be for public channels. What is the security risk?

Have same problem.

Before clicking "Add Channel" button on Roku, i can see the rating, descrption of privated channel to determine whether or not to install it.

It's very inconvenient for me if i need to log-in my Roku Account everytime to install each privated channel.

Without ECP launch command, there is no easy way to install privated channel. User cannot install privated channel even from Roku directly. (like entering an channel id by remote.)

"roquoonewbie" wrote:
I also don't see how it is any more of a security hole to enable this for private channels than it may be for public channels. What is the security risk?

I'll take a stab/guess at that... since private channels aren't reviewed by Roku, it's possible someone could develop a malicious channel (e.g., a fake Netflix or Amazon channel with the sole purpose of capturing usernames and passwords.. or worse). Allowing a user to install those channels easily via a screen that makes it look like it's officially available in the channel store could lead to very bad things, for both unsuspecting users and Roku.

"TheEndless" wrote:
I'll take a stab/guess at that... since private channels aren't reviewed by Roku, it's possible someone could develop a malicious channel (e.g., a fake Netflix or Amazon channel with the sole purpose of capturing usernames and passwords.. or worse). Allowing a user to install those channels easily via a screen that makes it look like it's officially available in the channel store could lead to very bad things, for both unsuspecting users and Roku.

If such a malicious channel existed, and an attacker had gained access to the victim's PC (or other device), couldn't they just as easily launch the user's browser to the add channel screen there (eg: https://owner.roku.com/Add/ACETV)? ie: whether the malicious code launched the Add Channel screen on the Roku/TV, or launched the Add Channel screen on the PC/Browser, the risk is the same as far as I can tell. I don't see how launching the channel store screen poses any more of a risk. In both cases, the attacker has to first gain access to run code on a device on the user's network, present an Add Channel option to the victim, and get the victim to agree to do so.

"roquoonewbie" wrote:

"TheEndless" wrote:
I'll take a stab/guess at that... since private channels aren't reviewed by Roku, it's possible someone could develop a malicious channel (e.g., a fake Netflix or Amazon channel with the sole purpose of capturing usernames and passwords.. or worse). Allowing a user to install those channels easily via a screen that makes it look like it's officially available in the channel store could lead to very bad things, for both unsuspecting users and Roku.

If such a malicious channel existed, and an attacker had gained access to the victim's PC (or other device), couldn't they just as easily launch the user's browser to the add channel screen there (eg: https://owner.roku.com/Add/ACETV)? ie: whether the malicious code launched the Add Channel screen on the Roku/TV, or launched the Add Channel screen on the PC/Browser, the risk is the same as far as I can tell. I don't see how launching the channel store screen poses any more of a risk. In both cases, the attacker has to first gain access to run code on a device on the user's network, present an Add Channel option to the victim, and get the victim to agree to do so.

Your example is more malicious than the one I suggested, which was more of a phishing attempt. But to answer your question, your use-case above where a mobile app is used to install private channels directly on the device could very easily be used to do the same, so the app is already running on the user's network. How can you be sure that every private channel installable via that app can be trusted? You and I are likely much more diligent in reviewing apps before we install them, but there's a large user population out there that isn't. Presenting the channel to the user via a channel store screen gives that user the impression that it's an official public channel, as there's nothing on the screen or during the install process that indicates otherwise. Presumably, your desire to have the feature available to you is for completely legitimate reasons, but that doesn't mean Joe Hacker won't use it more nefariously, and it only takes one bad apple...

"TheEndless" wrote:
Your example is more malicious than the one I suggested, which was more of a phishing attempt. But to answer your question, your use-case above where a mobile app is used to install private channels directly on the device could very easily be used to do the same, so the app is already running on the user's network. How can you be sure that every private channel installable via that app can be trusted? You and I are likely much more diligent in reviewing apps before we install them, but there's a large user population out there that isn't. Presenting the channel to the user via a channel store screen gives that user the impression that it's an official public channel, as there's nothing on the screen or during the install process that indicates otherwise. Presumably, your desire to have the feature available to you is for completely legitimate reasons, but that doesn't mean Joe Hacker won't use it more nefariously, and it only takes one bad apple...

What about my example was more malicious than the one you suggested? I was just demonstrating how an attacker could get a phising channel installed on the Roku. You were saying that could be done by abusing the ECP launched channel store page. That can only be done if there is malicious software already running on the network. And if that is the case, that software could just as easily launch to the channel store add page of the private channel in the web browser (see this link: https://owner.roku.com/Add/ACETV). Both the web page to add the private channel and the channel store screen can give the user the impression it is a public channel. There is nothing on the web page that indicates it is a private channel either. So I again make the point that the channel store method of adding the channel is no less secure than the web method. It is just a little bit easier for the user.

And let's not forget that the ECP launching of a private channel store screen has been available for at least 2-3 years until this most recent 7.0 firmware update. If it was really a security hole, wouldn't there have been issues by now?

"roquoonewbie" wrote:
What about my example was more malicious than the one you suggested?

You talked about "gaining access to the victim's PC (or other device)". I thought you were suggesting the channel could do that, but I think I may have misinterpreted what you were suggesting.

"roquoonewbie" wrote:
You were saying that could be done by abusing the ECP launched channel store page. That can only be done if there is malicious software already running on the network.

Not necessarily. Your perfectly harmless ECP app could unknowingly allow the install of such a malicious channel. Have you reviewed the code of every private channel that your app installs? There's no way for you to know if a developer has hidden something in their channel that looks completely innocuous on the surface.

"roquoonewbie" wrote:
So I again make the point that the channel store method of adding the channel is no less secure than the web method. It is just a little bit easier for the user.

That's exactly why it's less secure. The fewer steps it requires, the more likely it is to be done by accident, or unknowingly. The ECP app that's launching the channel store screen could just as easily send additional ECP remote commands to force the install and launch of the channel with no user interaction.

"roquoonewbie" wrote:
And let's not forget that the ECP launching of a private channel store screen has been available for at least 2-3 years until this most recent 7.0 firmware update. If it was really a security hole, wouldn't there have been issues by now?

Bugs and security holes can exist for years in software and websites before they're found. Heck, there are people who have made a career of finding find such holes (Google even offers sizable bounties to people who find security vulnerabilities in their software). Just because it was available and not exploited before (as far as we're aware) doesn't mean it's not a security risk.

I should reiterate that this is complete conjecture on my part. I don't know Roku's reasons for patching/removing the feature aside from RokuJoel's "security fix" comment above, but I did previously work for a company that developed security software, where regular security audits and a deeper respect of potential security issues was critical.

"roquoonewbie" wrote:
If such a malicious channel existed, and an attacker had gained access to the victim's PC (or other device), couldn't they just as easily launch the user's browser to the add channel screen there (eg: https://owner.roku.com/Add/ACETV)? ie: whether the malicious code launched the Add Channel screen on the Roku/TV, or launched the Add Channel screen on the PC/Browser, the risk is the same as far as I can tell. I don't see how launching the channel store screen poses any more of a risk. In both cases, the attacker has to first gain access to run code on a device on the user's network, present an Add Channel option to the victim, and get the victim to agree to do so.

You are right, TheEndless's example is not a real security concern. In his niceness, he'd creatively apologize (Canadian much? :P) for most anything RokuCo may do. In this case he ummm, "embellished the truth" by conjecturing that showing info screen on a channel somehow places it in the official Channel Store context. Which it doesn't - just like having a "private" channel installed on the Home screen does not imply it came by the means of teh "Streaming Channels" section.

However: there is a security risk in that "Details" screen, in light of this August's "indecent exposure": viewtopic.php?f=34&t=88160
A possible intrusion scenario can go like this: scanning the internets, Mallory (or "Malice", an automated agent) discovers Alice's Roku and using ECP commands, brings the Details screen and installs a malicious app. Which through cunning use of the "hidden" flag turns the Rokus into a "sleeper cell" without Alice ever being able to detect - or for that matter, even remove said app. And when the time comes, said malicious apps can be launched by Malice via remote ECP for the purposes of say DDoS attack

So, does that mean that ECP install is doomed? Not at all, there are ways to tackle the real issue - instead of shooting the DetailsScreen messenger. The real concern is NOT to allow an automated agent to install channels - ANY channel - without an explicit HUMAN approval. How? Say by implementing a "PIN feedback loop" on "add channel" menu item, where there is no universally-known key sequence. For example:

1. Ask the owner to type the security PIN code (which is used for purchases)


2. Ask the viewer to type a random code, akin to a Bluetooth handshake or Roku channel-device linking. (This btw was recently implemented in fw7:) [spoiler=var-PIN:3k3b0efo][/spoiler:3k3b0efo]