# Is this a good place to address TiVo vulnerabilities?



## Slack3r (Mar 23, 2016)

I have recently reconfigured my home network with more of a security focus. Sure, I've always had a firewall, but now I have VLANs and subnets to isolate some of this traffic. I find it disturbing that a wireless client on my LAN (TiVo BOLT) allows SSL v2/v3, SWEET32 and ... excuse me ... RC4? They need to update the cipher string to something more like:

```
ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
```
Now I know it is a DVR and not a file server, but this stuff is 3-15 years old!!! My neighbors should not be able to see what I am watching .. nor should anyone really, but it is pretty easy with this list (see the image)
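An added example, not from the post above and not TiVo's code: a small Python audit of an OpenSSL-style cipher string. It flags the suites the post names (RC4, and the 64-bit 3DES suites behind SWEET32) plus a few others a scanner would also report, records non-AEAD and non-forward-secret suites as advisories, and asks the local OpenSSL which names in a string it actually recognises, because OpenSSL silently drops names it does not know rather than failing. The "legacy device" suite list is constructed; the string from the post is checked as written.

```python
"""Audit an OpenSSL-style cipher string before deploying it.

Added example for this thread (not from the post, not TiVo's code).
"""
import ssl

# Cipher string from the opening post, checked verbatim.
POSTED_STRING = ("ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:"
                 "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
                 "ECDHE-RSA-AES256-SHA384")

# Constructed list of suites a legacy device might still offer, as a
# scanner would report them (OpenSSL names).
LEGACY_OFFER = "RC4-SHA:DES-CBC3-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256"


def issues_for(name):
    """Problems that make one OpenSSL cipher-suite name unacceptable."""
    problems = []
    if "RC4" in name:
        problems.append("RC4 keystream biases; RFC 7465 prohibits RC4 in TLS")
    if "DES-CBC3" in name:
        problems.append("64-bit block cipher (3DES): SWEET32 birthday attack")
    elif "DES-CBC-" in name:
        problems.append("single DES: 56-bit key")
    if name.startswith("EXP"):
        problems.append("export-grade key sizes")
    if "NULL" in name:
        problems.append("no encryption")
    if name.startswith(("ADH-", "AECDH-")):
        problems.append("anonymous key exchange: no server authentication")
    if name.endswith("-MD5"):
        problems.append("MD5-based MAC")
    return problems


def advisories_for(name):
    """Not broken, but worth replacing where clients allow it."""
    notes = []
    if not name.startswith(("ECDHE-", "DHE-")):
        notes.append("no forward secrecy (static key exchange)")
    if not any(m in name for m in ("GCM", "CHACHA20", "CCM")):
        notes.append("non-AEAD suite (CBC/stream + HMAC); prefer GCM or ChaCha20-Poly1305")
    return notes


def audit_cipher_string(cipher_string):
    """Audit each plain suite name in a colon-separated OpenSSL cipher string.

    Returns {entry: {"forbidden": [...], "advisory": [...]}}. Keyword and
    modifier entries (HIGH, !aNULL, @STRENGTH, ...) get no verdict, since
    they expand differently per OpenSSL build."""
    report = {}
    for entry in (e.strip() for e in cipher_string.split(":")):
        if not entry:
            continue
        if entry[0] in "!-+@" or "-" not in entry:
            report[entry] = {"forbidden": [],
                             "advisory": ["keyword: expand with 'openssl ciphers -v' before trusting it"]}
            continue
        report[entry] = {"forbidden": issues_for(entry), "advisory": advisories_for(entry)}
    return report


def resolve_with_openssl(cipher_string):
    """Suites (TLS 1.2 and below) the local OpenSSL selects for the string.

    OpenSSL ignores names it does not know, so a typo or a non-existent
    suite name quietly contributes nothing; this makes that visible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:            # nothing in the string resolved at all
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def unresolved_names(cipher_string):
    """Plain suite names the local OpenSSL did not select: unknown names,
    suites compiled out, or suites barred by the build's security level."""
    requested = [e for e in cipher_string.split(":") if e and e[0] not in "!-+@" and "-" in e]
    known = set(resolve_with_openssl(cipher_string))
    return [n for n in requested if n not in known]


if __name__ == "__main__":
    for name, verdict in audit_cipher_string(LEGACY_OFFER).items():
        print(name, verdict)
    print("not selected by local OpenSSL:", unresolved_names(POSTED_STRING))
```

Run it against a scanner's reported suite list before arguing about a finding, and against your own replacement string before deploying it; the second check is the one people skip, and it is the one that catches names that look right but select nothing.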


----------



## HerronScott (Jan 1, 2002)

Slack3r said:


> Now I know it is a DVR and not a file server but this stuff is 3-15 years old!!! My neighbors should not be able to see what I am watching .. nor should anyone really but it is pretty easy with this list (see the image)


How are your neighbors getting on your Wifi network to be able to see this?

Scott


----------



## Slack3r (Mar 23, 2016)

HerronScott said:


> How are your neighbors getting on your Wifi network to be able to see this?
> 
> Scott


They aren't, but through these holes, anybody with a smartphone could use this as a point of exploit.


----------



## lessd (Jan 23, 2005)

Slack3r said:


> They aren't, but through these holes, anybody with a smartphone could use this as a point of exploit.


If you were Trump maybe this would be a problem, but come on, who cares what you watch; and how much time would anybody spend trying to find out? I guess TiVo's main database could be hacked and someone could find out what you and others were doing with your TiVo.


----------



## dianebrat (Jul 6, 2002)

Slack3r said:


> They aren't, but through these holes, anybody with a smartphone could use this as a point of exploit.


This still requires your wireless network weakness to be the point of ingress. This is a non-issue if you run your Tivo wired, which would be far safer for someone paranoid enough to be worrying about vulnerabilities, and is the default mode of Tivo network communication.


----------



## HerronScott (Jan 1, 2002)

Slack3r said:


> They aren't, but through these holes, anybody with a smartphone could use this as a point of exploit.


They still have to get on the network (whether wired or Wifi) to exploit them.

Scott


----------



## Slack3r (Mar 23, 2016)

Clearly no security community folks here. Thanks anyway.


----------



## JoeKustra (Dec 7, 2012)

You tried.


----------



## idksmy (Jul 16, 2016)

Slack3r said:


> Clearly no security community folks here. Thanks anyway.


At least none that find this to be a pressing issue.


----------



## tenthplanet (Mar 5, 2004)

Hard wire everything, wi-fi is too easy to exploit and trying to secure it is a moving target.


----------



## chicagobrownblue (May 29, 2008)

Unpatched Windows machines are the biggest vulnerability for home networks. Combine that with users that will open any email, attachment or allow installation of any browser add-in and you have a breach. Portable storage devices, particularly from students, are also a common source of malware.

Accessing a Tivo to do harm to a home network? Way too much trouble when you can use the above to get into a home network. Oh, and the above techniques work on corporate networks also.


----------



## wsmeyer (Jun 23, 2009)

To exploit this "vulnerability" someone first has to get on my network; if they manage that, the TiVo is literally the last on the list of what I am concerned about.


----------



## MighTiVo (Oct 26, 2000)

Slack3r said:


> Now I know it is a DVR and not a file server but this stuff is 3-15 years old!!! My neighbors should not be able to see what I am watching .. nor should anyone really but it is pretty easy with this list (see the image)


TiVo knows what you are watching 

I agree it seems these well known issues should be remediated but I don't see a serious problem with the vulnerabilities you have listed. 
I disagree with your stance that it is "pretty easy" and at what benefit for the work, no SPI here. At best someone bent on hacking you sees these opportunities and spends time to get the information ending up only getting a list of your recorded shows.


----------



## JosephB (Nov 19, 2010)

Slack3r said:


> Clearly no security community folks here. Thanks anyway.


You seem to be misreading those results. I question if you are a "security community person". The SSHv2/v3 listed is not a vulnerability; Nessus is telling you that SSH is running and open on the TiVo box. SSH is a perfectly secure and standard service, and TiVo uses it for inter-TiVo communication among other things.

Security is not an exact science. It is built on layers of security and it is based on mitigating vulnerabilities against the risk they pose. That risk is defined as the likelihood that an attacker will try to exploit a given vulnerability combined with the impact of what would happen should that attacker be successful.

In this case, we're talking about potentially weak cipher suites used to secure the HTTPS interface on your TiVo. This interface is used by the TiVo app on your phone and other API-based apps that send commands to your TiVo to change channels, etc. It's also used by various apps to download content from your TiVo.

The only sensitive data that would be exposed, should you be compromised, would be your Media Access Key. TiVo does warn you to not expose this to anyone outside of your home, but in the grand scheme of things it wouldn't be a huge deal. No one would be able to steal your personal information (aside from what you record) or infect your TiVo with a virus or other malware.

Finally, to exploit those weak ciphers, your neighbors would have to be on your network. If someone is physically on your network listening to your traffic, you already have massive security problems well above and beyond the scope of weak SSL ciphers on your cable box.


----------



## Slack3r (Mar 23, 2016)

JosephB said:


> You seem to be misreading those results. I question if you are a "security community person". The SSHv2/v3 listed is not a vulnerability, Nessus is telling you that SSH is running and open on the TiVo box.


This is what Nessus actually says:

The remote service *accepts connections encrypted using SSL 2.0 and/or SSL 3.0*. These versions of SSL are affected by several cryptographic flaws, including:

- An insecure padding scheme with CBC ciphers.

- Insecure session renegotiation and resumption schemes.

An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients.

Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so that these versions will be used only if the client or server support nothing better), many web browsers implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE). Therefore, it is recommended that these protocols be disabled entirely.

*NIST has determined that SSL 3.0 is no longer acceptable for secure communications.* As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'.

That said, please do not detract from the scope of this issue or provide misinformation. In the age of IoT, everything is a target. Period. POODLE, SWEET32 and RC4 all have plenty of exploits available. I'd recommend Metasploit (better yet Kali) to see what kind of fun you can have. Once an IoT device has C&C, game over.

Is this Heartbleed or DROWN? No. However, best security practice always recommends patching the source. I am not worried about being exploited; my PA would not allow it, nor would the F5 that receives its traffic. It doesn't change TiVo's corporate responsibility to patch the holes.
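The downgrade the Nessus text describes (a client that retries at a lower protocol version whenever a handshake fails, and an on-path attacker who exploits that by dropping the higher-version attempts) is easier to reason about as a small model. The following is an added example, not part of the post or of Nessus output, and not real TLS: the handshakes are dicts, the version constants and the TLS_FALLBACK_SCSV value 0x5600 are the ones RFC 7507 uses, and the only attacker capability assumed is dropping packets. It shows why the SCSV stops the downgrade only when both client and server implement it, and why disabling SSLv3 outright turns a successful downgrade into a failed connection.

```python
"""Model of TLS version negotiation, the unsafe browser fallback the Nessus
text refers to, and the TLS_FALLBACK_SCSV countermeasure from RFC 7507.

Added example for this thread; constructed simulation, not real TLS.
"""

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAME = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}
TLS_FALLBACK_SCSV = 0x5600   # signalling cipher suite value from RFC 7507


class Server:
    """Picks the highest version both sides support, within [min, max].
    honours_scsv=False models a legacy stack that ignores the SCSV."""

    def __init__(self, min_version, max_version, honours_scsv):
        self.min_version = min_version
        self.max_version = max_version
        self.honours_scsv = honours_scsv

    def handle(self, client_hello):
        offered = client_hello["version"]
        if offered < self.min_version:
            return {"alert": "protocol_version"}
        # RFC 7507: a ClientHello carrying the SCSV at a version below the
        # server's best means the client is retrying after a failure that
        # should not have happened; something on the path interfered.
        if (self.honours_scsv and TLS_FALLBACK_SCSV in client_hello["ciphers"]
                and offered < self.max_version):
            return {"alert": "inappropriate_fallback"}
        return {"version": min(offered, self.max_version)}


class Attacker:
    """On-path attacker who can only drop packets: kills every handshake that
    offers more than the target version, so the client keeps retrying lower."""

    def __init__(self, target_version):
        self.target_version = target_version

    def relay(self, client_hello):
        return None if client_hello["version"] > self.target_version else client_hello


def negotiate(server, attacker=None, send_scsv=True,
              versions=(TLS12, TLS11, TLS10, SSL3)):
    """Browser-style client: on any failure, retry with the next-lower version.
    Returns the negotiated version name, or why the connection ended."""
    for attempt, version in enumerate(versions):
        hello = {"version": version, "ciphers": ["AES-GCM"]}
        if attempt > 0 and send_scsv:
            hello["ciphers"].append(TLS_FALLBACK_SCSV)   # marks this as a fallback retry
        delivered = attacker.relay(hello) if attacker else hello
        if delivered is None:
            continue                      # looked like a network error; fall back
        reply = server.handle(delivered)
        if reply.get("alert") == "inappropriate_fallback":
            return "aborted: server detected the downgrade"
        if "alert" in reply:
            continue                      # version refused; fall back again
        return NAME[reply["version"]]
    return "failed: no acceptable version"


def scenarios():
    """The same fallback client against different servers and network paths."""
    legacy = Server(SSL3, TLS12, honours_scsv=False)   # accepts SSLv3, ignores SCSV
    patched = Server(SSL3, TLS12, honours_scsv=True)   # accepts SSLv3, honours SCSV
    modern = Server(TLS12, TLS12, honours_scsv=True)   # SSLv3/TLS1.0/1.1 disabled
    return {
        "legacy server, clean path": negotiate(legacy),
        "legacy server, attacker": negotiate(legacy, Attacker(SSL3)),
        "scsv server, attacker": negotiate(patched, Attacker(SSL3)),
        "scsv server, old client, attacker": negotiate(patched, Attacker(SSL3), send_scsv=False),
        "tls12-only server, attacker": negotiate(modern, Attacker(SSL3)),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:36s} -> {outcome}")
```

The two outcomes worth comparing are the legacy server (the client lands on SSLv3, which is the precondition for POODLE) and the TLS 1.2-only server (the client never connects, which is the safe failure). The SCSV rows show the countermeasure is only as good as the older side of the connection, which is why the Nessus text recommends disabling the old versions rather than relying on negotiation.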


----------



## dmurphy (Jan 17, 2002)

Slack3r said:


> exploited, my PA would not allow it, nor the F5 that receives its traffic.


You've got your home LAN behind both a Palo Alto and an F5 firewall? Can I ask why?


----------



## Slack3r (Mar 23, 2016)

dmurphy said:


> You've got your home LAN behind both a Palo Alto and an F5 firewall? Can I ask why?


Practice of course 

This is my home lab, primarily used for work. The "home" network in this instance is simply a VLAN. The vulns are not world ending by any means, just very easily corrected by TiVo. So easily, they should not exist.


----------



## Time_Lord (Jun 4, 2012)

I always find it amazing that those that claim to be computer security experts simply take the word of some script/program/application that they run and then take the output screaming to those in charge of the equipment and say "You have a vulnerability and it needs remediation ASAP!" 

Of course, when those that actually understand what they are reading review the report, it says something like "only an issue if xyz is in use", and of course that feature is not in use and will never be. The current one going around is Spectre and Meltdown; first I question how easy it is to exploit, and regardless of how easy it is to exploit I suspect that multi-tenant systems are the ones most at risk. An appliance that we use at my company, the vendor responded to the Meltdown "crisis" with the following: "The Meltdown vulnerability requires a remote attacker with capabilities that permit executing custom binary code on a (vendor name removed) device without credentialed access. (If a user gains this type of access, they can commit significantly more damage in a much simpler manner than by taking advantage of the Meltdown vulnerability.)"

I'm guessing the moral of the story is "if you have all your doors and windows properly protected, don't spend your life worrying about an unreachable device"

-TL


----------



## Slack3r (Mar 23, 2016)

Any chance you work for Equifax?


----------



## Time_Lord (Jun 4, 2012)

Slack3r said:


> Any chance you work for Equifax?


Actually no, but if you understood the attack, it was due to unpatched PUBLIC FACING servers/applications, not due to a server/application unreachable from the public networks.

You need to remember that if you close all the little tiny holes in an environment but ignore the big gaping open back door, you've done nothing other than check a box off.

Oh one other thing, your network and your data is not interesting to "hackers" so you are also not a target.


----------



## slowbiscuit (Sep 19, 2006)

Slack3r said:


> The vulns are not world ending by any means, just very easily corrected by TiVo. So easily, they should not exist.


LOL that would assume the basics, like paying for folks competent enough to configure accurate NTP so clocks wouldn't go 2 mins. off.

Um, wait... nevermind.


----------



## Time_Lord (Jun 4, 2012)

Slack3r said:


> Now I know it is a DVR and not a file server but this stuff is 3-15 years old!!! My neighbors should not be able to see what I am watching .. nor should anyone really but it is pretty easy with this list (see the image)

Chris,

What I really want to know is how are your neighbors seeing what you are watching? Are you sharing your network connection with your neighbors? Your network wide open to the world?

Typical "security expert", doesn't understand the threats against their environment and focuses on the impossible/improbable and not the real threat of the perimeter. I'm guessing that you don't trust your wife, SO, roommate, kids etc and that the attack is going to come from inside.


----------



## lessd (Jan 23, 2005)

Chris

Now I want to know what you're watching


----------



## Slack3r (Mar 23, 2016)

LMFAO, I can't decide if I want to incite trolls or solve the problem. No, there is not likely a neighbor with the proficiency to access my wireless (even if I removed the password), much less the wired. It is about closing the hole that is not needed for the operation of the platform, nothing more. You patch it so it cannot be used in a chain. Is there interesting data on my TiVo ... no. Does that mean you leave a mistake uncorrected? This is not security, it is common sense.

@lessd - NCIS and Marvel like, my neighbors


----------



## lessd (Jan 23, 2005)

I don't mean to troll, but TiVo has so many software issues now that I don't want TiVo to spend time on such a security hole that will not harm almost any TiVo user.


----------



## Slack3r (Mar 23, 2016)

lessd said:


> I don't mean to troll, but TiVo has so many software issues now that I don't want TiVo to spend time on such a security hole that will not harm almost any TiVo user.


Not at all, now that I have "upgraded" to the new UI I am seeing this too. I am only seeing a problem with voice, but it looks like there are many things around these boards. I don't need the voice. I like AppleTV better anyway for streaming, and Siri actually works, unlike on iPhone. It runs Plex, HBOGo/NOW, and Hulu way better than I think Tivo _can_.

Trolls are the folks that question creds in a baseless sense and ignore the point of the thread. You have not done that. The fix is as simple as the single line I pasted in the initial post. I don't recall if I pulled it from Apache or Nginx, but it's the same for any web server. I am more of a traffic engineer than a "security" guy, but they are hand in hand in the age we live in, and I am typically the guy that gets to fix it since the corp IT guys don't understand TCP.


----------



## CTLesq (Jan 19, 2003)

Maybe it’s as simple as TiVo just isn’t for you?


Sent from my iPhone using Tapatalk


----------



## HerronScott (Jan 1, 2002)

Slack3r said:


> I am more of a traffic engineer than a "security" guy, but they are hand in hand in the age we live in, and I am typically the guy that gets to fix it since the corp IT guys don't understand TCP.


Your company needs better corp IT guys.... 

Scott


----------



## Time_Lord (Jun 4, 2012)

HerronScott said:


> Your company need better corp IT guys....
> 
> Scott


My company needs better computer security people. Great example of how clueless some of these guys are: we were setting up a new connection over a SONET ring and the security guy was all happy because we had "payload scrambling" turned on. He really thought that would provide some level of security and fought with me over what it meant until I provided him documentation.

I truly believe the majority of these "security experts" simply read something and decide "we need to do that" or "that sounds like it could be a good thing" and then have no idea what they just asked for.

-TL


----------



## JosephB (Nov 19, 2010)

Slack3r said:


> This is what Nessus actually says:
> 
> The remote service *accepts connections encrypted using SSL 2.0 and/or SSL 3.0*. These versions of SSL are affected by several cryptographic flaws, including:
> 
> ...


Again, like I said in my initial reply to you, this is completely ignoring the overall situation. Security vulnerabilities have to be taken in context. Included in this context is: what is at risk should the vulnerability be exploited? There is nothing on your DVR that is that sensitive. Who cares if someone can see the traffic between your TiVo and TiVo's servers? Also, what are the chances that someone will exploit it? Almost none. It requires a *very* sophisticated man in the middle attack, which if in place on your network, your TiVo is the least of your worries.

Is it less secure than it could be? Yes, absolutely. Does that matter? Not in the slightest.



Slack3r said:


> Not at all, now that I have "upgraded" to the new UI I am seeing this too. I am only seeing a problem with voice, but it looks like there are many things around these boards. I don't need the voice. I like AppleTV better anyway for streaming, and Siri actually works, unlike on iPhone. It runs Plex, HBOGo/NOW, and Hulu way better than I think Tivo _can_.
> 
> Trolls are the folks that question creds in a baseless sense and ignore the point of the thread. You have not done that. The fix is as simple as the single line I pasted in the initial post. I don't recall if I pulled it from Apache or Nginx, but it's the same for any web server. I am more of a traffic engineer than a "security" guy, but they are hand in hand in the age we live in, and I am typically the guy that gets to fix it since the corp IT guys don't understand TCP.


Okay, so you're not a security guy. You have apparently very deep knowledge in a slice of IT, networking, that runs adjacent to some security concepts (transport encryption). That doesn't mean that you're an expert in overall security. It doesn't mean that this one aspect of Information Security that you know about is the most important thing in the world. It doesn't mean that there are no other aspects to consider. I also work in IT, also not directly in security (anymore, anyway) and I don't claim to be an expert. However I do know enough that I wouldn't set my hair on fire over this minor issue.


----------

