Security bug: Wireless WEP/WPA key exposure


Post by YukonWarrior » Thu Aug 21, 2008 11:51 pm

Hello,

Once I have set up the Roku on my wireless network, it appears that anyone can go into the setup of the device at any point in time and easily view the WEP/WPA key that is configured on the device. Since the device is hooked up to my TV for anyone to use, they can easily grab the key to my wireless network.

This is a physical-access-only type of attack vector, but it seems that the key should be hidden from view once it has been successfully set up on the device, given that anyone can use the Roku but not necessarily access the wireless network. This also makes it VERY easy for someone to grab my key and then later access my wireless network without physical access...

Thanks!

YW
YukonWarrior
 
Posts: 5
Joined: Sat Jul 12, 2008 8:18 pm

Post by PirateKatz » Fri Aug 22, 2008 12:43 pm

I have mine hooked up via ethernet so I didn't notice that. It really does sound like a pretty big security flaw. If I recall correctly, my Tivo hides the key code behind asterisks once it's successfully entered.
PirateKatz
 
Posts: 27
Joined: Mon Aug 18, 2008 9:13 am

Post by whtyouthnkngfool » Fri Aug 22, 2008 12:52 pm

Mine is hooked up via ethernet cable for the most part, but I did notice that, and I was thinking if they were going to change the setup on wireless keys it would be cool to implement a setup where you could select a profile, i.e. "home", "vacation", "buddies", so that you could pick instead of changing the whole hexadecimal key.

EDIT: On second thought, it might or might not be possible with storage restrictions.....
whtyouthnkngfool
 
Posts: 10
Joined: Wed Jul 30, 2008 12:10 pm

Re: Security bug: Wireless WEP/WPA key exposure

Post by DoomsDay » Fri Aug 22, 2008 1:37 pm

YukonWarrior wrote: Hello,

Once I have set up the Roku on my wireless network, it appears that anyone can go into the setup of the device at any point in time and easily view the WEP/WPA key that is configured on the device. Since the device is hooked up to my TV for anyone to use, they can easily grab the key to my wireless network.

This is a physical-access-only type of attack vector, but it seems that the key should be hidden from view once it has been successfully set up on the device, given that anyone can use the Roku but not necessarily access the wireless network. This also makes it VERY easy for someone to grab my key and then later access my wireless network without physical access...

Thanks!

YW


While I agree it probably should be hidden after it's set up, this could hardly be considered any type of an attack vector. I mean, if you can't trust the people in your household, there are far more problems to think about. Worst case scenario, you carry the remote with you and tada, no way they can get in to see it. I can only see this as a wish for a future update. They have far more stuff they need to add first.
DoomsDay
 
Posts: 318
Joined: Mon Jul 14, 2008 12:53 am
Location: Charlotte NC

Re: Security bug: Wireless WEP/WPA key exposure

Post by YukonWarrior » Fri Aug 22, 2008 10:40 pm

DoomsDay wrote: While I agree it probably should be hidden after it's set up, this could hardly be considered any type of an attack vector. I mean, if you can't trust the people in your household, there are far more problems to think about. Worst case scenario, you carry the remote with you and tada, no way they can get in to see it. I can only see this as a wish for a future update. They have far more stuff they need to add first.


Hi DoomsDay!

I agree with your points - however security should be part of the overall design of the product and not a feature afterthought. The attack vector is not on the Roku itself but on my wireless network as a result of the Roku leaving my key lying around for anyone to see. ;-)

My only goal is to point out that these keys are being left around in clear text for anyone with access to the Roku - which personally is unsettling to me. I hope to see this fixed in the next servicing release whenever that may be. Obfuscating (and hopefully encrypting) the characters from plain view once it has been entered should be trivial...

Cheers!

YW
YukonWarrior
 
Posts: 5
Joined: Sat Jul 12, 2008 8:18 pm

Re: Security bug: Wireless WEP/WPA key exposure

Post by wideasleep1 » Sat Aug 23, 2008 1:12 am

YukonWarrior wrote:
DoomsDay wrote: While I agree it probably should be hidden after it's set up, this could hardly be considered any type of an attack vector. I mean, if you can't trust the people in your household, there are far more problems to think about. Worst case scenario, you carry the remote with you and tada, no way they can get in to see it. I can only see this as a wish for a future update. They have far more stuff they need to add first.


Hi DoomsDay!

I agree with your points - however security should be part of the overall design of the product and not a feature afterthought. The attack vector is not on the Roku itself but on my wireless network as a result of the Roku leaving my key lying around for anyone to see. ;-)

My only goal is to point out that these keys are being left around in clear text for anyone with access to the Roku - which personally is unsettling to me. I hope to see this fixed in the next servicing release whenever that may be. Obfuscating (and hopefully encrypting) the characters from plain view once it has been entered should be trivial...

Cheers!

YW


Ideally, the letters/numbers should show as you are entering them, but when completed, replaced with dots.
Then as it was, then again it will be
An' though the course may change sometimes,
rivers always reach the sea

M1000x2,M2000,Twonky 4.3.3 RC1 beta on LinkStation HGLAN400gig,Buffalo whr-g54s on DD-WRTfirmware-luv'in it!
wideasleep1
 
Posts: 2664
Joined: Sun May 08, 2005 10:14 am
Location: Sausalito,Ca

Re: Security bug: Wireless WEP/WPA key exposure

Post by xargs » Sat Aug 23, 2008 3:57 pm

YukonWarrior wrote: This also makes it VERY easy for someone to grab my key and then later access my wireless network without physical access...

If it's "VERY easy" for someone to get your key, then I'd guess your key isn't long enough, in which case you have far more serious security problems.

Given how tedious it is to type a strong key into the Roku, I can live with the minor security issue of having the key visible in exchange for being able to edit the key after I've entered it incorrectly.

Perhaps as a compromise, there could be a "hide key" button which lets you make the key invisible after you've entered it successfully.
xargs
 
Posts: 59
Joined: Thu Jun 05, 2008 2:39 pm
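
A sketch of the behaviour proposed across this thread (key visible while typing, still fixable after a failed attempt, masked once it has worked), as an added example that is not part of any post and is not Roku's code. The class, its method names and the sample key are hypothetical.

```python
from dataclasses import dataclass

MASK_CHAR = "\u2022"   # dot shown in place of key characters
MASK_WIDTH = 8         # fixed width, so the mask does not reveal the key length


@dataclass
class WifiKeyField:
    """Hypothetical settings-screen field holding a WEP/WPA key."""
    _key: str = ""
    _committed: bool = False   # True once the key has joined the network

    def _start_over_if_committed(self) -> bool:
        # Editing a working key starts from an empty buffer:
        # the stored key is replaced, never shown again.
        if self._committed:
            self._key, self._committed = "", False
            return True
        return False

    def type_char(self, ch: str) -> None:
        self._start_over_if_committed()
        self._key += ch

    def backspace(self) -> None:
        if not self._start_over_if_committed():
            self._key = self._key[:-1]

    def connect_result(self, success: bool) -> None:
        # A failed attempt leaves the key visible and editable so a typo
        # can be corrected; only a successful join hides it.
        self._committed = success and bool(self._key)

    def render(self) -> str:
        """Text the setup screen would draw for this field."""
        return MASK_CHAR * MASK_WIDTH if self._committed else self._key

    def key_for_driver(self) -> str:
        """Plain key handed to the wireless stack, never to the screen."""
        return self._key


if __name__ == "__main__":
    field = WifiKeyField()
    for ch in "constructed-key":      # constructed sample key
        field.type_char(ch)
    print("while typing :", field.render())
    field.connect_result(True)
    print("after success:", field.render())
```
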

