Has anyone heard of a TiVo trojan or virus?

Discussion in 'TiVo Series3 HDTV DVRs' started by snead, Jan 25, 2010.

  1. Da Goon

    Da Goon Registered Abuser

    1,396
    0
    Oct 22, 2006

    maybe so, but as I just mentioned, the only places to store unchecked data are in /var or mfs

    mfs is a database, not a true filesystem like root or /var, making it quite difficult to consistently run arbitrary code

    you have no way of referencing /var without modifying the root partition
     
  2. Da Goon

    Da Goon Registered Abuser

    1,396
    0
    Oct 22, 2006
    never stated it wasn't a possibility, but rather it would be overly difficult and not very rewarding/useful to even bother with
     
  3. ZeoTiVo

    ZeoTiVo I can't explain

    25,527
    2
    Jan 2, 2004
    you would have to constantly send the code to execute as it can not remain in the file system of an unmodded TiVo. No one would want to leave a trail like that nor would it be able to do anything of use anyway. Seems like your only way to back up your statements is by saying "hey, you can not say a meteor will not strike the earth"
     
  4. tivohaydon

    tivohaydon New Member

    186
    0
    Mar 24, 2001
    Some people are apparently either seriously misreading what I wrote or just don't get it. Let's go over this again.

    Changing the ROM makes sense for the TiVo hacker community.

    Changing the ROM is probably not necessary to execute code on the TiVo.

    In the context of the original poster it certainly could be relevant. But there are far more friendly, useful and numerous devices to go after for spammers, etc.

    How useful would it be to someone else? I don't know and don't care. I know for me, it would be useful if I could (without opening the TiVo box) "turn off" CCI bytes and otherwise patch tivoapp. If I had to do that once every time the TiVo rebooted I'd be OK with that. If I wanted to log in and completely own the hardware and software I'd do what the hacker community is doing and replace the ROM.

    The rest is just a sideshow about leaving a "trail", trying to insult my knowledge, wasting my time by asking me to spill everything I know about software, equating software exploitation to meteors striking the earth (which happens a lot incidentally) and asserting I made claims I did not. I'm not going to otherwise address the sideshow.

    Claiming TiVo is invulnerable is by far the stronger claim. If anyone needs to back a claim up, that's the one. My statement that a lot of software has bugs that can be exploited is common knowledge - and simply a fact.
     
  5. CrispyCritter

    CrispyCritter Purple Ribbon Wearer

    3,653
    2
    Feb 28, 2001
    North...

    Sorry, IMO you've demonstrated that you have no idea what you're talking about. You've made false statements about the prom change being more useful to the hackers than the ability to run arbitrary code. You claimed that your opinion was based on your knowledge of TiVo software and hardware, yet refuse to give any indication of what that TiVo knowledge is, so that looks like a false claim also.

    Are there ways to run pretty much arbitrary code on a TiVo? Absolutely, even remotely. Are there ways for a hacker to target just your TiVo for an attack without physical access to it, as is done to PCs? Probably not with current technology - like my land-line phone is not hackable, even though anybody can call it. The interface with the outside world just isn't fully featured enough.

    For the purposes of this conversation, the TiVo is invulnerable to the sort of trojan horse and virus attacks that hackers use on PCs.
     
  6. Da Goon

    Da Goon Registered Abuser

    1,396
    0
    Oct 22, 2006
    it's not (no one has posted a different method publicly however). at the minimum, pulling the drive and changing something IS required though

    that is the main point. why do you even keep posting?

    this statement showcases your lack of knowledge and understanding of the subject. why do you even keep posting?

    to restate, again :
    thanks for the laughs :)
     
  7. ZeoTiVo

    ZeoTiVo I can't explain

    25,527
    2
    Jan 2, 2004
    Hmm - so a hacker would have to send in arbitrary code on some interval since the arbitrary code can not reside on the drive and be executed.
    Yet you want to keep claiming that this alone makes the box hackable. That is indeed like claiming meteors hit the earth and just like meteors it is unlikely to hit anything of value 99.999% of the time.

    Your thought of turning off CCI bits with this arbitrary code was a good laugh. The CCI bits are in the broadcast stream - TiVo just interprets them. If you claim such superior knowledge of code and TiVo hackability you could at least know some basics of how the TiVo works.
     
  8. tivohaydon

    tivohaydon New Member

    186
    0
    Mar 24, 2001
    notting tried to point you in the right direction. I tried to help too.

    I'd recommend learning a number of topics. Secure coding, exploit development both remote and client, rootkits, computer architecture (pick at least two), and [secure] operating systems. There are many books, specialized training, conferences and university classes on these topics. Once you've got a handle on all that you should be able to contribute meaningfully to this thread.

    HTH, HAND.
     
  9. CrispyCritter

    CrispyCritter Purple Ribbon Wearer

    3,653
    2
    Feb 28, 2001
    North...
    Give it up. You're digging yourself deeper and deeper in the hole with every post. You haven't contributed meaningfully to this thread yet, and have been incorrect every time you try to get specific. That seems to be why you are refusing to get specific any more, despite our repeated challenges.

    I've had all those, including multiple "university classes" in them at the graduate level.
     
  10. tivohaydon

    tivohaydon New Member

    186
    0
    Mar 24, 2001
    Oh please... do quote and point out errors in my posts in this thread.

    It promises to be most entertaining for myself and others who know better.
     
  11. CrispyCritter

    CrispyCritter Purple Ribbon Wearer

    3,653
    2
    Feb 28, 2001
    North...
    I already have, several times. For instance, your claim that hackers prefer a Prom change to the ability to run arbitrary code. Your not understanding CCI bytes. Your claim you had specific TiVo knowledge that leads you to conclude it is hackable. (The people who respond to you have shown much greater knowledge than you about TiVo and the CCI byte issue that you raised.)

    I spent my first night debugging Unix worms in the wild over 20 years ago; what's your experience with them?
     
  12. tivohaydon

    tivohaydon New Member

    186
    0
    Mar 24, 2001
    You don't know enough to realize you keep prodding a bear in his own cave do you? I was hoping you'd provide more nonsense to rebut however there was already plenty for me to work with.

    Bottom line is: If TiVo has invented a hardware and software architecture that is "invulnerable" what the heck are they doing mucking around in the DVR business? They could line up several billion dollars worth of investment money quite easily. They'd be hailed as a messiah.

    Nonsense. You've got nothing.
    First, what you wrote doesn't even make any sense. The TiVo hacker community uses a ROM change to run arbitrary code. They don't do it "instead" of running arbitrary code. It's what makes sense to the community to enable easy hacking of the software and keep their changes after the unit restarts. It makes sense for them. Why don't you understand this?

    The relevant point you guys have been right about is that the TiVo boot process is locked down pretty well. It's also a point I never contested. The rest - sorry - the three of you have it wrong.

    Say whatever you want about the protected TiVo boot process. When it's up, running and connected to a network you've now got prospects.

    Let's go down a list of questions ...

    1. Can developers write software?
    2. Can developers change software?
    3. Can software be debugged?
    4. Can software be reverse engineered?
    5. Can software be changed while it's running?
    6. What don't you understand about patching the CCI checks out?

    Here's a great example of how wrong you guys are and don't realize it. The functionality the CCI value prevents can be reenabled by patching. Does it magically stop your service provider from sending it? Obviously not, but it is disregarded. Yet something this basic was used to illustrate how supposedly ignorant I was. Ho-hum.

    "specific TiVo knowledge" - this is a term that you fine folks have come up with. Having had many hacked TiVos in the past I've got first hand experience with what software runs on the box. And not from the remote control side. However, even without that experience and simply given the public knowledge that the box runs Linux and seeing what's available from the feature list and the remote it's easy to back up my claim. I made a very weak claim and that's the really funny thing you folks don't understand. It's the core misconception on your part.

    There aren't many more details to provide than I already have. Certainly anyone who's as accomplished as you claim to be wouldn't need additional justification because the rest is self evident. See notting's post for someone who "gets it". notting and I can have a productive conversation - you and I can't. Anyone who's worth their salt and familiar with the topics I outlined would understand what a large attack surface TiVo now exposes. They also understand what can be done once an exploitable defect is found. Chances are there are exploitable defects to be found. TiVo boxes weren't always like this - they weren't always on, Internet connected devices that provide a large number of services and connect to a large number of services. TiVo is a Linux computer running a complex suite of software. Your TiVo is not a 1960s era Princess phone. It's incredibly hard for me to believe that someone with multiple graduate level classes in computer science, computer/electrical engineering or any other relevant field would draw such a preposterous parallel.

    It's also remarkable, for someone who's a TiVo user to not recognize the fact that TiVo provides a large number of services. To say the interface "isn't fully featured enough" is a huge oversight and disconnected with reality. Does TiVo, or any other software manufacturer, need to explicitly write an "exploit me" interface for you to recognize it?

    Incidentally, you've also used incorrect assumptions about your phone's security to support your position. Look up the term "phreaking".

    These silly comparisons are a meaningless distraction to the topic at hand and I won't engage except to point out how unhelpful they are. They belie your claims of knowledge since you obviously aren't able to engage with proper terminology and understanding so you resort to hand waving and a sideshow. There's a failure to communicate due to a lack of understanding about the subject at hand. Think, "Uhm, TiVo is secure because it's built like a Volvo." Sigh.

    Basic English word definitions also seem to be lacking. Invulnerable when applied to computer hardware and software is an extraordinary claim. Simply amazing actually. Even if you were able to rely on all of the hardware in a computer doing everything as intended the proof on the software side is intractable.

    Actually what they've shown is that they know where the CCI value is originated and that they don't understand the software that enforces it.
    Your experience 20 years ago is irrelevant. From where I sit, it's obvious you haven't kept up with these fields. You and others make great claims about your expertise but aren't even communicating on the level of someone who understands these things.

    If you expect me to detail a particular exploit (or potentially a chain of them) and make a demonstration at a hacker convention you're being outrageously silly. I don't have such a thing, never claimed to and certainly wouldn't just to win a silly Internet argument or entertain you. I'd have been done here a long time ago but it's difficult for me to walk away from this thread with the last posts having seriously factually incorrect information. But I'm tired of the silliness and attacks and am walking away regardless of the misinformation that follows. Then the three of you can pat each other on the back for your "win". Or possibly you'll meet online in WoW and toast to a virtual beer.

    It's obvious to me that collectively you don't understand the relevant portions of the topics I suggested you research. You might be under an illusion and think you do - but you don't. I can't possibly bridge the gap in your knowledge in an online forum. Nor will I waste my time attempting to do so for characters such as yourselves.

    That hole I dug? Look around. You're standing in it.
     
  13. ZeoTiVo

    ZeoTiVo I can't explain

    25,527
    2
    Jan 2, 2004
    it would have been helpful to have been more accurate the first time you posted. So how was I wrong in saying you do not turn off CCI bits?

    While network services have been added back in to the kernel running in a TiVo DVR the kernel that is signed and comes up during that boot process is still limited in scope.
    You might, might be able to tweak the flags for encrypting content and doing a CCI copy protection check in running memory - though I doubt that. A simple check of the value in the file system every so often would defeat that.

    Could you get a command line though to do anything else meaningful? The OP was wondering about a trojan horse or virus, specifically one that would start to generate a lot of traffic out of the TiVo - those are clearly not going to be useful to the hacker without access to the file system. So basically everyone got into a pissing contest and was not really hearing what others were saying.
     
