TiVo Community
TiVo Community
TiVo Community
Go Back   TiVo Community > Underground Playground > TiVo Underground
TiVo Community
Reply
Forum Jump
 
Thread Tools
Old 04-21-2014, 10:48 AM   #1
rfryar
My Media, My Way
 
Join Date: Feb 2008
Location: Cottage Grove, MN
Posts: 206
Tivo vulnerable to heartbleed?

Has anyone looked at the HTTPS web interface used for streaming and show transfers between boxes to see if it has the heart bleed bug? If so we may be able to glean some more information on how the streaming protocol works.

I will probably double post this to the more read forum.

Rick
rfryar is offline   Reply With Quote
Old 04-24-2014, 09:46 AM   #2
eboydog
Just TiVo'ing.....
 
eboydog's Avatar
 
Join Date: Mar 2006
Posts: 904
I doubt it, the heatbleed issue is with OpenSSL which is a common add on part of e-commerce sites and not the encrypted ttls interface of the Tivo. And even if it was, you Tivo is local to your home network and unless a hacker has gained access to the internal home network, they would be targeting your PC were you might be logging into things like email and online banking. There isn't a lot of sensitive data involved with your Tivo box it's self shy of your MAK. As long as your Tivo isn't accessible directly on the Internet, there shouldn't be any reason to worry.

If I understand correctly, the reason for SSL encryption on the Web interface is to keep the recordings transfers more secure so one can't circumvent the recordings encryption, while the .Tivo file are encrypted, the enterface to transfer them requires a secure http interface too.
__________________
TiVo Roamio Pro
TiVo Roamio Plus (3tb)
TiVo Mini (three)
TiVo Premiere

eboydog is offline   Reply With Quote
Old 04-25-2014, 06:40 PM   #3
telamon
Registered User
 
Join Date: Mar 2008
Posts: 11
I think what he means is that if the Tivo HTTPS port is vulnerable to Heartbleed, in theory you could recover the private key for the SSL encryption and use it to decrypt traffic for two Tivo boxes streaming to each other so that things like pyTivo could be improved.

I tested my Premiere 4 running the 20.4.1 software and it's not vulnerable on TCP 443.

I thought folks had figured out a way to man in the middle the SSL traffic before by faking the DNS and using self-signed certs? But then again I've not kept up with these things in a long time.
telamon is offline   Reply With Quote
Old 04-25-2014, 07:29 PM   #4
wmcbrine
Resistance Useless
 
wmcbrine's Avatar
 
Join Date: Aug 2003
Posts: 9,116
Quote:
Originally Posted by telamon View Post
I thought folks had figured out a way to man in the middle the SSL traffic before by faking the DNS and using self-signed certs? But then again I've not kept up with these things in a long time.
Yeah, at least a couple people have done it, but they never explained the process in enough detail for me to replicate it. :/ That's down to me, I suppose... I used to be quite the hacker, but I've clearly gone rusty.
__________________

To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts.
wmcbrine is offline   Reply With Quote
Old 04-26-2014, 03:42 AM   #5
Worf
Registered User
 
Join Date: Sep 2000
Posts: 1,694
With heartbleed you don't need self-signed certs. You extract the private key from the server and you can MITM using the original cert. And that's all you need - you can imitate the server once you have the private key.
Worf is offline   Reply With Quote
Old 04-30-2014, 11:40 AM   #6
rfryar
My Media, My Way
 
Join Date: Feb 2008
Location: Cottage Grove, MN
Posts: 206
Quote:
Originally Posted by telamon View Post
I think what he means is that if the Tivo HTTPS port is vulnerable to Heartbleed, in theory you could recover the private key for the SSL encryption and use it to decrypt traffic for two Tivo boxes streaming to each other so that things like pyTivo could be improved.

I tested my Premiere 4 running the 20.4.1 software and it's not vulnerable on TCP 443.

I thought folks had figured out a way to man in the middle the SSL traffic before by faking the DNS and using self-signed certs? But then again I've not kept up with these things in a long time.
Correct, that was what I was after. Of course after I posted the question I confirmed that they do not have the bug, pity.

Thanks for the input guys.

Rick
rfryar is offline   Reply With Quote
Reply
Forum Jump




Thread Tools


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Advertisements

TiVo Community
Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
vBulletin Skins by: Relivo Media

(C) 2013 Magenium Solutions - All Rights Reserved. No information may be posted elsewhere without written permission.
TiVoŽ is a registered trademark of TiVo Inc. This site is not owned or operated by TiVo Inc.
All times are GMT -5. The time now is 08:24 PM.
OUR NETWORK: MyOpenRouter | TechLore | SansaCommunity | RoboCommunity | MediaSmart Home | Explore3DTV | Dijit Community | DVR Playground |