Tivo vulnerable to heartbleed?

Discussion in 'TiVo Underground' started by rfryar, Apr 21, 2014.

  1. rfryar

    rfryar My Media, My Way

    224
    0
    Feb 15, 2008
    Cottage...
    Has anyone looked at the HTTPS web interface used for streaming and show transfers between boxes to see if it has the Heartbleed bug? If so, we may be able to glean some more information on how the streaming protocol works.

    I will probably double post this to the more read forum.

    Rick
     
  2. eboydog

    eboydog Just TiVo'ing.....

    904
    0
    Mar 23, 2006
    I doubt it, the Heartbleed issue is with OpenSSL, which is a common add-on part of e-commerce sites and not the encrypted ttls interface of the Tivo. And even if it was, your Tivo is local to your home network and unless a hacker has gained access to the internal home network, they would be targeting your PC where you might be logging into things like email and online banking. There isn't a lot of sensitive data involved with your Tivo box itself shy of your MAK. As long as your Tivo isn't accessible directly on the Internet, there shouldn't be any reason to worry.

    If I understand correctly, the reason for SSL encryption on the Web interface is to keep the recording transfers more secure so one can't circumvent the recordings' encryption; while the .Tivo files are encrypted, the interface to transfer them requires a secure HTTP interface too.
     
  3. telamon

    telamon New Member

    11
    0
    Mar 29, 2008
    I think what he means is that if the Tivo HTTPS port is vulnerable to Heartbleed, in theory you could recover the private key for the SSL encryption and use it to decrypt traffic for two Tivo boxes streaming to each other so that things like pyTivo could be improved.

    I tested my Premiere 4 running the 20.4.1 software and it's not vulnerable on TCP 443.

    I thought folks had figured out a way to man-in-the-middle the SSL traffic before by faking the DNS and using self-signed certs? But then again, I've not kept up with these things in a long time.
     
  4. wmcbrine

    wmcbrine Ziphead

    10,458
    67
    Aug 2, 2003
    Yeah, at least a couple people have done it, but they never explained the process in enough detail for me to replicate it. :/ That's down to me, I suppose... I used to be quite the hacker, but I've clearly gone rusty.
     
  5. Worf

    Worf Active Member

    2,060
    21
    Sep 15, 2000
    With Heartbleed you don't need self-signed certs. You extract the private key from the server and you can MITM using the original cert. And that's all you need - you can imitate the server once you have the private key.
     
  6. rfryar

    rfryar My Media, My Way

    224
    0
    Feb 15, 2008
    Cottage...
    Correct, that was what I was after. Of course, after I posted the question, I confirmed that they do not have the bug, pity.

    Thanks for the input guys.

    Rick
     
