Is this a good place to address TiVo vulnerabilities?

Discussion in 'TiVo Bolt DVR/Streamer' started by Slack3r, Nov 23, 2017.

  1. Slack3r

    Slack3r New Member

    13
    8
    Mar 23, 2016

    Advertisements

    I have recently reconfigured my home network with more a security focus. Sure I've always had firewall but now I have VLANs and subnets to isolate some of this traffic. I find it disturbing that a wireless client on my LAN (TiVo BOLT) allows SSL v2/v3, SWEET32 and ... excuse me ... RC4? They need to update the cihper sting to something more like:
    Code:
    ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
    Now I know it is a DVR and not a files server but this stuff is 3-15 years old!!! My neighbors should not be able to see what I am watching .. nor should anyone really but it is pretty easy with this list (see the image)
     

    Attached Files:

    Last edited: Jan 16, 2018
  2. HerronScott

    HerronScott Well-Known Member

    7,555
    1,107
    Jan 1, 2002
    Staunton, VA
    How are your neighbors getting on your Wifi network to be able to see this?

    Scott
     
  3. Slack3r

    Slack3r New Member

    13
    8
    Mar 23, 2016
    They aren’t, but through these holes, anybody with a smartphone could use this as a point of exploit.
     
  4. lessd

    lessd Well-Known Member

    7,961
    93
    Jan 23, 2005
    CT
    If you were Trump maybe this would be a problem, but come on, who cares what you watch; and how much time would anybody spend trying to find out. I guess TiVos main data base could be hacked and someone could find out what you and others were doing with your TiVo.
     
    mrsinctiv likes this.
  5. dianebrat

    dianebrat wait.. I did what? TCF Club

    13,223
    2,321
    Jul 6, 2002
    boston'ish

    Advertisements

    This still requires your wireless network weakness be the point of ingress, this is a non-issue if you run your Tivo wired which would be far safer for someone paranoid enough to be worrying about vulnerabilities and the default mode of Tivo network communication.
     
    mrsinctiv and jth tv like this.
  6. HerronScott

    HerronScott Well-Known Member

    7,555
    1,107
    Jan 1, 2002
    Staunton, VA
    They still have to get on the network (whether wired or Wifi) to exploit them). :)

    Scott
     
  7. Slack3r

    Slack3r New Member

    13
    8
    Mar 23, 2016
    Clearly no security community folks here. Thanks anyway.
     
    tlc, Gavroche, aaronwt and 1 other person like this.
  8. JoeKustra

    JoeKustra in the other Alabama TCF Club

    20,151
    3,722
    Dec 7, 2012
    Ashland, PA...
    You tried. :cool:
     
  9. idksmy

    idksmy Guest

    412
    153
    Jul 16, 2016
    At least none that find this to be a pressing issue.
     
    aaronwt likes this.
  10. tenthplanet

    tenthplanet Well-Known Member

    1,609
    479
    Mar 5, 2004
    Hard wire everything, wi-fi is too easy to exploit and trying to secure it is a moving target.
     
    mrsinctiv and chicagobrownblue like this.
  11. chicagobrownblue

    chicagobrownblue Well-Known Member

    3,465
    230
    May 29, 2008
    Chicago, IL
    Unpatched Windows machines are the biggest vulnerability for home networks. Combine that with users that will open any email, attachment or allow installation of any browser add-in and you have a breach. Portable storage devices, particularly from students, are also a common source of malware.

    Accessing a Tivo to do harm to a home network? Way too much trouble when you can use the above to get into a home network. Oh, and the above techniques work on corporate networks also.
     
    aaronwt likes this.
  12. wsmeyer

    wsmeyer New Member

    5
    1
    Jun 23, 2009
    To exploit this "vunerability" someone first has to get on my network, if they manage that, the TiVo is literally the last on the list of what I am concerned about.
     
    aristoBrat likes this.
  13. MighTiVo

    MighTiVo TiVotarian

    2,612
    60
    Oct 26, 2000
    Nashville, TN
    TiVo knows what you are watching :)

    I agree it seems these well known issues should be remediated but I don't see a serious problem with the vulnerabilities you have listed.
    I disagree with your stance that it is "pretty easy" and at what benefit for the work, no SPI here. At best someone bent on hacking you sees these opportunities and spends time to get the information ending up only getting a list of your recorded shows.
     
  14. JosephB

    JosephB Member

    717
    9
    Nov 19, 2010
    Atlanta, GA

    You seem to be misreading those results. I question if you are a "security community person". The SSHv2/v3 listed is not a vulnerability, Nessus is telling you that SSH is running and open on the TiVo box. SSH is a perfectly secure and standard service, and TiVo uses it for inter-TiVo communication among other things

    Security is not an exact science. It is built on layers of security and it is based on mitigating vulnerabilities against the risk they pose. That risk is defined as the likelihood that an attacker will try to exploit a given vulnerability combined with the impact of what would happen should that attacker be successful.

    In this case, we're talking about potentially weak cipher suites used to secure the HTTPS interface on your TiVo. This interface is used by the TiVo app on your phone and other API-based apps that send commands to your TiVo to change channels, etc. It's also used by various apps to download content from your TiVo

    The only sensitive data that would be exposed, should you be compromised, would be your Media Access Key. TiVo does warn you to not expose this to anyone outside of your home, but in the grand scheme of things it wouldn't be a huge deal. No one would be able to steal your personal information (aside from what you record) or infect your TiVo with a virus or other malware.

    Finally, to exploit those weak ciphers, your neighbors would have to be on your network. If someone is physically on your network listening to your traffic, you already have massive security problems well above and beyond the scope of weak SSL ciphers on your cable box
     
  15. Slack3r

    Slack3r New Member

    13
    8
    Mar 23, 2016
    This is what Nessus actually says:

    The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws, including:

    - An insecure padding scheme with CBC ciphers.

    - Insecure session renegotiation and resumption schemes.

    An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

    Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so that these versions will be used only if the client or server support nothing better), many web browsers implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE). Therefore, it is recommended that these protocols be disabled entirely.

    NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.

    That said, please do not detract from the scope of this issue or provide misinformation. In the age of IoT, everything is a target. Period. POODLE, SWEET32 and RC4 all have plenty of exploits available. I'd recommend Metasploit (better yet Kali) to see what kind of fun you can have. Once an IoT device has C&C, game over.

    Is this heartbleed or DROWN, no. However, the best security practices always recommend patching the source. I am not worried about being exploited, my PA would not allow it, nor the F5 that receives its traffic. It doesn't change the TiVo corporate responsibility to patch the holes.
     
    dmurphy likes this.
  16. dmurphy

    dmurphy Home Again

    253
    48
    Jan 16, 2002
    You've got your home LAN behind both a Palo Alto and an F5 firewall? Can I ask why?
     
  17. Slack3r

    Slack3r New Member

    13
    8
    Mar 23, 2016
    Practice of course :)

    This is my home lab, primarily used for work. The "home" network in this instance is simply a VLAN. The vulns are not world ending by any means, just very easily corrected by TiVo. So easily, they should not exist.
     
  18. Time_Lord

    Time_Lord Member

    268
    17
    Jun 4, 2012
    I always find it amazing that those that claim to be computer security experts simply take the word of some script/program/application that they run and then take the output screaming to those in charge of the equipment and say "You have a vulnerability and it needs to remediation ASAP!"

    Of course when those that actually understand what they are reading review the report and it says something like "only an issue if xyz is in use" and of course that feature is not in use and will never be. The current one going around is Spectre and Meltdown, first I question how easy it is to exploit, regardless of how easy it is to exploit I suspect that multi-tennant systems are the ones most at risk. An appliance that we use at my company, the vendor responded to the meltdown "crisis" with the following: "The Meltdown vulnerability requires a remote attacker with capabilities that permit executing custom binary code on a (vendor name removed) device without credentialed access. (If a user gains this type of access, they can commit significantly more damage in a much simpler manner than by taking advantage of the Meltdown vulnerability.)"

    I'm guessing the moral of the story is "if you have all your doors and windows properly protected, don't spend your life worring about an unreachable device"

    -TL
     
    CTLesq likes this.
  19. Slack3r

    Slack3r New Member

    13
    8
    Mar 23, 2016
    Any chance you work for Equifax?
     
    Mark Hamilton likes this.
  20. Time_Lord

    Time_Lord Member

    268
    17
    Jun 4, 2012
    actually no, but if you understood the attack it was due to unpatched PUBLIC FACING servers/applications, not due to a server/application unreachable from the public networks.

    You need to remember that just because you close all the little tiny holes in an environment but ignore the bit gaping open back door you've done nothing other then check a box off.

    Oh one other thing, your network and your data is not interesting to "hackers" so you are also not a target.
     

Share This Page

spam firewall

Advertisements