Has anyone heard of a TiVo trojan or virus?

Discussion in 'TiVo Series3 HDTV DVRs' started by snead, Jan 25, 2010.

  1. snead

    snead CG Monkey

    23
    0
    Sep 17, 2001
    East Coast


    I just recently switched to Cablevision / Optimum Online (since I moved to an area that doesn't have FIOS :( ). The cable installer set us up on moving day, and since all our stuff was in boxes but we didn't want to miss any shows, we hooked our TiVo (S3) up directly to the cable modem. In retrospect, I'd never do that with a PC, but I guess I figured it's a TiVo! It's Linux! What could happen?

    So what happened is that a few weeks later, OO shut off our internet, claiming that they received complaints of spam originating from our IP address. I checked the dates of the complaints: The ONLY internet-enabled device running at our place when this started was the TiVo. There was no wireless access point or router, just TiVo -> cable modem -> evil Internet cloud.

    Has anyone heard of this happening? And can anyone recommend an easy and effective way to verify if this is in fact happening, or if this is a spurious report that Cablevision is basing this on? And if the TiVo really is infected with a trojan, would reformatting it through the software clear it up or would I need to reformat the drives? Thanks for any help.
     
  2. Da Goon

    Da Goon Registered Abuser

    1,396
    0
    Oct 22, 2006
    in order to run any code other than the stock tivo software, you must first exploit the box

    the only public way to exploit a Series3 box is to replace the prom

    so...unless you've replaced your prom, and hacked the software enough to allow unsigned code to run...and some dork was bored/determined enough to develop a hack that runs on the tivo's stripped down linux platform and find an exploited box on the net somehow...

    sounds like cablevision is full of sh*t or something else is going on
     
  3. CuriousMark

    CuriousMark Forum Denizen

    2,620
    3
    Jan 13, 2005
    SoCal
    I wonder if the Bonjour broadcasts the DVR sends out to announce its presence on the local subnet are what they are complaining about. If so, once you set up your router, the problem will be gone and they should have no more excuse to ding you. Bonjour is NOT spam, but it might not be wanted on their network. If that is the case, they should be blocking m-DNS (Bonjour), not passing it on to every other user in the subnet.
     
  4. oViTynoT

    oViTynoT Obvious Forum Lurker

    348
    0
    May 18, 2007
    Plano, TX
    No, the complaints were filed long before your TiVo took up residence...

    I'm CONSTANTLY getting my Verizon Email blacklisted because someone had my DHCP before me and SPAMMED and got it blacklisted...
     
  5. snead

    snead CG Monkey

    23
    0
    Sep 17, 2001
    East Coast


    Da Goon: Good to know. It's stock firmware, never tried to get to a BASH prompt or anything with our S3 b/c it already does everything we need it to.

    CuriousMark: That's a pretty good theory. I'll be putting it behind the router tonight (I've had everything disconnected since I got the warning and haven't authorized them to turn the connection back on) so I'll see if that makes them happy.

    oViTynoT: That sounds plausible too. If it keeps happening maybe I'll check out Uverse, I think that's an option here too.

    Thanks everyone for the help, I feel very relieved knowing my TiVo has (probably) not betrayed me.
     
  6. snead

    snead CG Monkey

    23
    0
    Sep 17, 2001
    East Coast
    Update: called Cablevision back and told them that it's pretty damn unlikely that TiVo was the culprit.

    Then after spending a few minutes on hold, they figured out that my cable modem MAC address had been cloned, and the clone was sending out the spam.

    Would have been nice if they had made the effort to figure that out BEFORE blocking my internet access with a message telling me to reformat my hard drive. :up:

    Thanks again for the help!
     
  7. pdonoghu

    pdonoghu Member

    520
    0
    Mar 5, 2003
    Upper...
    Uverse will not work with any Series 3 models.
     
  8. Southcross

    Southcross New Member

    238
    0
    Nov 28, 2008
    what seems royally screwed up is how does someone get the MAC of someone else's modem to clone it, and it brings up a major gripe/scary point about DHCP. What if you have some kiddy porn peddler, the FBI gets their IP address, and then it gets traced back to the new IP holder.
     
  9. cjv2

    cjv2 New Member

    290
    0
    Dec 15, 2009
    Atlanta, GA
    I don't know whether it's true any longer, but at one point the cable modem sat on one big broadcast network. You weren't in the same broadcast domain as *everyone* using the provider, to be sure, but you were on with more than enough households that you could get information very easily. Heck, you don't even need DHCP to be involved to grab MAC addresses if you're sharing the wire with other folks... not to mention I remember seeing various NetBIOS names (Windows domains, machine names, usernames)...
     
  10. oViTynoT

    oViTynoT Obvious Forum Lurker

    348
    0
    May 18, 2007
    Plano, TX
    The "cloner" could have just picked a MAC at random (knowing the Vendor code, the first half of the MAC) and a random last three is all that's needed...

    If the FBI were to track a porn guy, they're not just going by IP address. It's not like TV where the IP address leads them right to your house...

    They would look at the DHCP server logs to see by what and when the address was leased / changed / etc. Then they can look in the access logs of the switches and routers to find where the MAC address was that actually leased the address during the timeframe they saw ... etc.

    Not saying some low-end investigator wouldn't be stupid, but those computer crimes forensic guys know their stuff and know the limitations of the "bit trails."

    Short answer: Fuhgedaboudit.
     
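As an added illustration of the log reconstruction oViTynoT describes (editor's example, not code from the thread or from any provider), here is a small Python model that answers "which MAC held this address at the time of the complaint" from DHCPACK lines and flags a MAC seen behind more than one relay, which is a simplified stand-in for the "where was that MAC actually plugged in" step. The log lines, addresses and the 2010 year are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed dhcpd-style log lines (timestamps, IPs and MACs are made up).
# Syslog lines carry no year, so the thread's year is assumed below.
LOG = """\
Jan 10 08:00:01 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:aa:bb:cc via 10.20.30.1
Jan 12 09:15:42 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:aa:bb:cc via 10.20.30.1
Jan 14 22:03:10 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:aa:bb:cc via 10.20.99.1
Jan 15 07:45:00 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:aa:bb:cc via 10.20.30.1
"""
YEAR = 2010  # assumption: syslog timestamps have no year
PAT = re.compile(r"^(\w{3} +\d+ [\d:]+) dhcpd: DHCPACK on (\S+) to (\S+) via (\S+)$")

def parse_acks(log):
    """Yield (time, ip, mac, relay) for each DHCPACK line in the log."""
    for line in log.splitlines():
        m = PAT.match(line)
        if m:
            when = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield when, m.group(2), m.group(3), m.group(4)

def lease_holder(log, ip, at):
    """Return (mac, relay) of the most recent ACK for `ip` at or before `at`,
    or None if the address had not been handed out yet."""
    best = None
    for when, lip, mac, relay in parse_acks(log):
        if lip == ip and when <= at and (best is None or when > best[0]):
            best = (when, mac, relay)
    return None if best is None else (best[1], best[2])

def relays_for_mac(log, mac):
    """Set of relay addresses a MAC was ACKed through. One modem MAC showing
    up behind two different relays is a simple sign of a cloned MAC."""
    return {relay for _, _, m, relay in parse_acks(log) if m == mac}
```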
  11. tivohaydon

    tivohaydon New Member

    186
    0
    Mar 24, 2001
    Just from using TiVo's software (DVR and PC) I'd say it's likely the DVR is vulnerable to remote exploitation. Whether or not it's worth anyone's time to investigate is another matter entirely. Relying on physically modified hardware is probably completely unnecessary.
     
  12. CrispyCritter

    CrispyCritter Purple Ribbon Wearer

    3,653
    2
    Feb 28, 2001
    North...
    That's a very strong claim; what's your evidence for it? I suspect you don't know what you are talking about. TiVo just doesn't offer that kind of outside access; how would you attack it?

    There's been lots of hackers working on TiVo over the years with a lot of neat tricks; they wouldn't be relying on physical modification if they didn't have to.
     
  13. tivohaydon

    tivohaydon New Member

    186
    0
    Mar 24, 2001
    <shrug> That's OK. The ROM change has been necessary to replace the kernel. If you just want to execute code on the box after it comes up, probably not. The TiVo hackers want a lot more than that and are mostly satisfied to do it to their own box. Changing the ROM is a good option for them and easily lets them do whatever they want on the box. It also makes it a lot harder for TiVo to interfere with their fun.

    If it was as cool as hacking Microsoft the unit would get a lot more scrutiny. In any case, until it's been broken neither of us can prove it one way or another.
     
  14. Sapphire

    Sapphire Xtal substance

    44,100
    807
    Sep 9, 2002
    USA
    Years ago, yes. Now they have all sorts of fancy security measures including encryption so it's a bit more difficult but doable.

    But it may still be possible, especially since a lot of modems are in the wild with the default admin password and full access via protocols such as tftp and snmp.
     
  15. Da Goon

    Da Goon Registered Abuser

    1,396
    0
    Oct 22, 2006
    you can't even PUT any code to run on the box unless you replace the PROM (or discover another type of exploit)

    regardless, to exploit the box in ANY sense of the term, you'll need to first remove the hard drive and install some type of exploit. it cannot all be done remotely

    as oViTynoT put it : Fuhgedaboudit :p
     
  16. CrispyCritter

    CrispyCritter Purple Ribbon Wearer

    3,653
    2
    Feb 28, 2001
    North...
    You don't seem to understand basic things about exploits. If you can execute arbitrary code on the box, there is no need for a prom change.

    You made a strong claim. Your claim was supposedly based on your knowledge of TiVo software and hardware. Let's hear the specific reasons you have to back up your claim.
     
  17. tivohaydon

    tivohaydon New Member

    186
    0
    Mar 24, 2001
    The claim that a platform is secure just because it has some anti-hacking measures is by far the bolder claim. You have to prove software correctness. Not the other way around. I'm absolutely happy with my posts.

    As I already pointed out, changing the ROM has its advantages and is appropriate for what the hacker community is doing.

    Let me ask you - would it be a strong claim if someone said that another Microsoft Windows exploit will be found?
     
  18. Da Goon

    Da Goon Registered Abuser

    1,396
    0
    Oct 22, 2006
    you are not adding credibility to your statements, but rather showcasing your lack of knowledge of the subject

    to restate CrispyCritter's previous request "Let's hear the specific reasons you have to back up your claim."
     
  19. notting

    notting Member

    69
    1
    Dec 15, 2005
    Chapel Hill, NC
    To execute random code on any sort of computer (which the Tivo is, for this case) doesn't necessarily require access to the local hard drive. All it may require is programming errors in the code used in the Tivo itself. See http://en.wikipedia.org/wiki/Buffer_overflow or http://en.wikipedia.org/wiki/Integer_overflow for some background reading.

    Where this could become an issue is if these sorts of errors are in the code Tivo uses to process data it receives over the network. Given that Tivos:
    • play movies
    • view pictures
    • download program data
    • download new software
    • run a web server

    all via the network, all it would take is an error in one of those code sections for the Tivo to possibly have a problem.

    I have no evidence that the Tivo does have issues in the area, but the fact that it receives user-specified data via the network means that you can't really categorically deny that it's a possibility.
     
  20. Da Goon

    Da Goon Registered Abuser

    1,396
    0
    Oct 22, 2006
    the "chain of trust" that tivo employs in their security scheme consists of a few things. in general, this consists of the PROM and the initrd packaged up alongside the kernel

    when the tivo boots up, the PROM initializes the hardware and computes a checksum over itself. if that checksum does not match the checksum stored within the PROM itself, bootup halts. later on, it does a similar check of the boot kernel. if the check fails, bootup halts

    if everything is ok, bootup proceeds and the kernel launches the initrd (or linuxrc executable). the initrd includes a list of files that are allowed to be on the root partition and their checksums. if a file is found that is not on the list, or if a file's checksum is different than expected, the file is summarily deleted and the box reboots

    the only places you can store unsigned material without exploiting these previous measures is in partition 9 (/var) or in the MFS media partitions. regardless of that however, you have no way of referencing any of this material in a helpful fashion without modifying something in root partition

    your options for continuing in ANY interesting manner require modifying the PROM+kernel and then modifying the root partition contents to do your bidding

    this at the minimum requires pulling the drive and changing SOMETHING

    M$, unlike tivo, does not sign EVERY EXPLOITABLE FILE on the box and refuse to pass control unless the check clears

    feel free to 'bebuff away', I'm down for some laughs :)
     
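As an added illustration of the initrd allow-list check Da Goon describes (editor's example in Python, not TiVo code and not from the thread), here is a small model that snapshots a root tree into a manifest of file digests and then reports anything unlisted, altered or missing. The directory layout and file contents are constructed; a real initrd of the kind described would delete the offenders and reboot rather than just report them.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Digest of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Trusted list: every file under root mapped to its digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest

def verify_root(root, manifest):
    """Return (unlisted, modified, missing) relative paths. The initrd in the
    post deletes offenders and reboots; this model only reports them."""
    found = build_manifest(root)
    unlisted = sorted(p for p in found if p not in manifest)
    modified = sorted(p for p in found if p in manifest and found[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in found)
    return unlisted, modified, missing

def demo():
    """Constructed root partition: two stock files, then two tampers."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "rc.sysinit"), "w") as f:
            f.write("#!/bin/sh\n# stock init script (constructed)\n")
        with open(os.path.join(root, "tivoapp"), "w") as f:
            f.write("stock application (constructed placeholder)\n")
        manifest = build_manifest(root)          # snapshot of the trusted state
        with open(os.path.join(root, "etc", "rc.sysinit"), "a") as f:
            f.write("# line appended after signing\n")   # listed file altered
        with open(os.path.join(root, "extra.sh"), "w") as f:
            f.write("echo not on the list\n")            # unlisted file added
        return verify_root(root, manifest)

if __name__ == "__main__":
    print(demo())   # (['extra.sh'], ['etc/rc.sysinit'], [])
```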
