Homes signed up to AT&T’s DirecTV service may be inadvertently running hardware that can be easily hacked, according to a security researcher.
An easily exploitable security flaw was found in the wireless video bridge that ships with DirecTV, which lets laptops, tablets, and phones connect with the main Genie digital video recorder. Because the wireless video bridge, manufactured by Linksys, isn’t protected by a login page, anyone with access to the device could obtain sensitive information about it.
Trend Micro’s Ricky Lawshae, who discovered the flaw, said the device was spewing out diagnostic data about the bridge, including information on connected clients, running processes, and the Wi-Fi Protected Setup passcode.
Lawshae said in a write-up of the bug seen by ZDNet prior to publication that the device could accept commands as the “root” user, effectively granting him the highest level of access on the device.
With root access, an attacker can steal data or lock up devices. Lawshae said that one of the biggest risks to home users is from botnets, in which hackers break into internet-connected devices to launch distributed denial-of-service attacks, knocking sites and services offline.
“It literally took 30 seconds of looking at this device to find and verify an unauthenticated remote root command injection vulnerability,” said Lawshae. “The vendors involved here should have had some form of secure development to prevent bugs like this from shipping.”
DirecTV, owned by AT&T, said earlier this month that it has more than a million customers.
Lawshae said that Trend Micro’s ZDI Initiative privately disclosed the vulnerability to Linksys in June, but the device maker had “ceased being responsive.”
“We have provided the firmware fix to [DirecTV] and they are working to expedite software updates to the affected equipment,” said a Linksys spokesperson.
After publication, an AT&T spokesperson responded: “We are aware of this report and are working with the vendor to expedite software updates to the affected equipment.”
In the meantime, Lawshae said users can protect themselves by limiting the devices that interact with the affected wireless video bridge.