# Tivo vulnerable to heartbleed?



## rfryar (Feb 15, 2008)

Has anyone looked at the HTTPS web interface used for streaming and show transfers between boxes to see if it has the heart bleed bug? If so we may be able to glean some more information on how the streaming protocol works.

I will probably double post this to the more read forum.

Rick


----------



## eboydog (Mar 24, 2006)

I doubt it, the heatbleed issue is with OpenSSL which is a common add on part of e-commerce sites and not the encrypted ttls interface of the Tivo. And even if it was, you Tivo is local to your home network and unless a hacker has gained access to the internal home network, they would be targeting your PC were you might be logging into things like email and online banking. There isn't a lot of sensitive data involved with your Tivo box it's self shy of your MAK. As long as your Tivo isn't accessible directly on the Internet, there shouldn't be any reason to worry. 

If I understand correctly, the reason for SSL encryption on the Web interface is to keep the recordings transfers more secure so one can't circumvent the recordings encryption, while the .Tivo file are encrypted, the enterface to transfer them requires a secure http interface too.


----------



## telamon (Mar 29, 2008)

I think what he means is that if the Tivo HTTPS port is vulnerable to Heartbleed, in theory you could recover the private key for the SSL encryption and use it to decrypt traffic for two Tivo boxes streaming to each other so that things like pyTivo could be improved.

I tested my Premiere 4 running the 20.4.1 software and it's not vulnerable on TCP 443.

I thought folks had figured out a way to man in the middle the SSL traffic before by faking the DNS and using self-signed certs? But then again I've not kept up with these things in a long time.


----------



## wmcbrine (Aug 2, 2003)

telamon said:


> I thought folks had figured out a way to man in the middle the SSL traffic before by faking the DNS and using self-signed certs? But then again I've not kept up with these things in a long time.


Yeah, at least a couple people have done it, but they never explained the process in enough detail for me to replicate it. :/ That's down to me, I suppose... I used to be quite the hacker, but I've clearly gone rusty.


----------



## Worf (Sep 15, 2000)

With heartbleed you don't need self-signed certs. You extract the private key from the server and you can MITM using the original cert. And that's all you need - you can imitate the server once you have the private key.


----------



## rfryar (Feb 15, 2008)

telamon said:


> I think what he means is that if the Tivo HTTPS port is vulnerable to Heartbleed, in theory you could recover the private key for the SSL encryption and use it to decrypt traffic for two Tivo boxes streaming to each other so that things like pyTivo could be improved.
> 
> I tested my Premiere 4 running the 20.4.1 software and it's not vulnerable on TCP 443.
> 
> I thought folks had figured out a way to man in the middle the SSL traffic before by faking the DNS and using self-signed certs? But then again I've not kept up with these things in a long time.


Correct, that was what I was after. Of course after I posted the question I confirmed that they do not have the bug, pity.

Thanks for the input guys.

Rick


----------

