Consumer Reports says Roku’s unrestricted remote control API is a security vulnerability

Roku streaming devices and smart TVs running Roku’s OS have come under fire due to an article by Consumer Reports that says the devices are vulnerable to hacking. Under scrutiny is Roku’s decision to provide a remote control API that does not require any kind of authentication before it can be used to control the streaming devices and TVs.

Roku streamers and TVs can be remotely controlled through a mobile app. Fire TV, Apple TV, and Android TV devices have the same functionality through their own remote control apps but a key difference that is unique to Roku’s implementation is that there is no authentication necessary to grant the remote access to the hardware. This means that anyone with access to a Roku user’s home network is able to take control of the Roku device. Since Roku remote access is on by default, Consumer Reports considers it a vulnerability because an attacker can “pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content, or kick the TV off the WiFi network.”

Roku likely chose to leave their remote control API unrestricted to make using their remote app an easy experience. Without authentication, users can immediately use the Roku remote app without needing to authorize access, like you have to do with the Fire TV Remote App. A completely open remote control API also encourages 3rd-party developers to support Roku devices, as is evident by the numerous Roku remote control apps available.

For comparison, there are three ways to control a Fire TV device over a network. Those methods include the official Fire TV Remote app, the Android Developer Bridge (ADB), and through a connected Echo device using Alexa. Unlike Roku’s remote control API, all three Fire TV control methods require having physical access to the Fire TV or logging into the Fire TV owner’s Amazon account. Simply being on the same network is not enough to remotely control a Fire TV, Fire TV Stick, or Fire TV Edition television.

Having unrestricted remote control access to a Roku device may not seem like a big issue because an attacker would need access to the device’s network, which very likely requires authentication. However, as Consumer Reports points out, access to the network, and therefore the Roku device, can be gained by a user being “tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded.”

Roku says “there is no security risk to our customers’ accounts or the Roku platform” but the fact is that it’s simply lazy development to not have a system in place to authorize API access to their devices, like Apple, Amazon, and Google have all done. Disabling Roku’s remote API, by going to Settings > System > Advanced System Settings > External Control > Disabled, will block unauthorized access but understand that all remote apps, including Roku’s official app, will stop working.

  1. boudyka says:

    what utter twaddle !!!

    Yamaha has had webpage (unrestricted) to control ther AV receivers for years, No doubt dozens of other local devices on a home network wireless are http: without by default restrictions.

    Its becoming a bug bear that unless every endpoint must have encrypted comms and secured via some cloud based oauth token, its a danger to the world and his dog.

  2. OG Charlie says:

    I don’t get it. If somebody’s connected to your home network without permission, you got way bigger things to worry about than somebody messing with your TV volume or playing random videos.

    • abc says:

      Not necessarily what you think the end of the network scenario. Let’s take the scenario that you have a bad AP password and an attacker gets in. He has no control of any products on the network unless they have not authN/Z like this piece of crap design. Also, if things implement TLS with HSTS and other security best practices, if man-in-the middle to intercept credentials become difficult. The most important thing that product companies have to understand is that they have to design things that would be resilient to operate in a hostile environment. Also, you may say the same things of smart bulb. Think of a situation where and attacker forcefully turns off all the lights and attacks you. Not this case, but sometimes cyber has physical implications too. Yes, to your point the user should block the initial vector like making it a strong AP password, but doesn’t mean this should be given a pass too.

  3. Charlie says:

    Cordcutters on YouTube explains this very well. It’s basically a nothing burger if your Wi-Fi is secure. You can opt out of personalized ads and sharing usage stats. You can block outside access if you want to give up using the phone app.

    BTW, the current Youtube app on Roku is very cool and far beyond the dull, uninteresting offer we get, or don’t get from Amazon for our FTV’s.

  4. boudyka says:

    Consumer Reports better watch this informational video of how the wireless Internet works

  5. HeffeD says:

    Why should a device manufacturer be taken to task because some ignorant consumers haven’t secured their network?

    What’s next? Frigidaire getting hassled because anyone in my house can open my refrigerator? Consumer Reports: This is an outrage! Anyone coming in off the streets can eat your cheese and put fingerprints in your butter!!

    The security vulnerability is you, not your Roku…

  6. Reflex says:

    To those who are saying it does not matter so long as your wifi is ‘secure’ –

    1) Security layers are not absolute which is why security is supposed to be multi-layered
    2) Lots of common WiFi access points and routers have known vulnerabilities and no available patches
    3) Many that have patches do not have them applied since most users do not know or think to update their wifi AP’s or routers
    4) Responsible manufacturers do not rely on the user to know best practices for security and instead design their own devices to be secure by default.

    In short, few home users have perfect security, and for those who do there may be vulnerabilities they are unaware of or unable to fix, and as a result devices should still implement best practices. Unsecured devices can quickly be compromised into a botnet or a platform for launching additional malware into a home network.

    • Allen says:

      Shhhhh… HeffeD and others need to feel secure and superior in their understanding of the problem. Don’t confuse them with actual facts that expose them to how vulnerable they are to their own fallacies.

      Factual statements like yours are difficult to refute and are thereby upsetting to them. Don’t count on receiving a response, much less a technically coherent one. They’ll move on and pretend that they never participated in a discussion such as this one.

      • HeffeD says:

        Great generalist statement, Allen. Well done! It’s a bit telling that you mock others about their need to feel secure and superior on the subject by way of belittling them…

        Since you assume you know me and think I’m an idiot, I’d be willing to bet that I have more security layers in place than most of the general public. Possibly even you! My friends and family have always considered me paranoid when it comes to network/computer/internet security. (Guilty!)

        A few key points:
        -My (secured) network is monitored. Through both my router and Nmap. I’m notified when any device connects. Access is by whitelist. Unknown MAC addresses are blocked and failed login attempts are logged.

        -External network access is through my personal domain (SSL/TLS depending on the device), or VPN, depending on the need. While mobile, my VPN connection is always used in lieu of WiFi access points, be it public or friends/family.

        -Friends/family access my internet connection through an isolated guest network.

        -Local private DNS service. Ads/known malicious domains are blocked network-wide at the DNS level. All DNS activity is logged.

        -All internet facing applications are sandboxed.

        -Hardware and software firewalls. (And yes, I’m aware that this has the potential to be less secure if improperly configured…)

        -Layered real-time and on-demand virus/malware scanning from multiple vendors.

        -‘Secure’ passwords are used and changed regularly. Two-factor authentication is enabled on all web services that support it.

        -IoT devices are controlled locally through Home Assistant. (The Python software, not Google Home Assistant…) Aside from an Echo Dot and a Fire TV/Fire TV Stick, no cloud services.

        There is more, but those are just a few of the key points.

        • Allen says:

          Fair enough.

          But that’s you. Reflex’s points remains unassailed and perhaps even reinforced in that the measures you have taken, and good on you for taking them, are not at all typical of regular consumers. And this is a product clearly marketed to big-box store consumers, not security minded IT professionals. Hence, the designers are responsible to engineer a device that responsibly serves its targeted consumer.

          This device doesn’t do that, it exposes users that can be reasonably assumed to consist of a statistically significant percentage of people lacking technical sophistication to menaces that no one can reasonably expect them to thwart, much less even anticipate.
          IOW, you can’t market vacation packages to beautiful sunny Juarez to grandma in Wisconsin and then chastise her for not being ready for what she encounters.

          • HeffeD says:

            Oh, I’m well aware I’m not typical. :-)

            I think what’s muddying the waters here is the term “remote access”, because that’s not what’s happening here.

            Should Roku authenticate and encrypt remote access? Most definitely! Local access though, is a completely different animal. Should Roku authenticate local access? I’m definitely not as concerned with that.

            Why? According to the article, the worst this “hacker” is able to do is boot the device from the network! They can turn the volume up or down, or switch what you’re watching, but this is really just an annoyance, not a security vulnerability…

            This “unsecured” API doesn’t expose any user data. They don’t have access to your Roku account. They can’t even tell what you’re watching! All they can do is make you think your Roku needs servicing…

            Not to mention that if someone gains illicit access to your network, I can virtually guarantee that the last thing on their mind is going to be to pull out their Roku app to see if they can crank the volume up on your TV.

            The fact that people are getting up in arms about this “exploit” is actually kind of entertaining because “security exploits” with the exact same severity have been with us since the 80’s. I can probably control your TV, and I don’t even need to be on your network! While bluetooth and RF remotes exist, most televisions still use IR remotes. My phone has an IR blaster. I can ‘hack’ into your TV as long as I have line of sight. And if your walls are painted, I can actually reflect the IR beam, so it doesn’t even need to be direct. If there is a window near your TV, I could even do it from outside your house! FEAR ME!

            Now granted, I can’t do this from any great distance, but I hope you get my point. ;-)

          • Reflex says:

            I don’t think you understand the nature of the exploit. Elias has pointed out one area where it can be an obvious issue, I have pointed out others. In my mind the fact that it puts an unsecured ‘smart’ device on your network and fully accessible at what is essentially an admin level (compromise remote control you can script it to go out and download/install whatever you want) means that this is likely to enable trivial privilege escalation exploits.

            What I have not heard is a compelling reason why Roku should be exempt from fairly trivial device/app pairing, which is an industry standard most customers are used to using and provides a decent baseline authentication while being painless to use.

  7. Mark B says:

    Great, because if this stupid article 3rd party apps will suffer. Look at the Android TV app, its like 1 star because it’s 100% broken and Google won”t fix the issue. If they had open access like Roku we”d actually get r3rd party eplacement apps.

    • Reflex says:

      …or Roku could properly secure it and create a method for authorizing access to your device like the FireTV does. It’s not terribly complicated or an either/or situation.

      • Mark B says:

        Pioneer does the same thing. Open access to receivers.

        Proper authing is one thing, closing down 3rd party access completely because of a huge national story on a slow news night is what most people are afraid of. That’s why you are hearing push back. Non uodated routers and IOT devices is a much greater threat than this and imho roku doesn’t deserve a huge ding from consumers reports over this.

        • Reflex says:

          No one is suggesting Roku should close down third party access. They are suggesting that if they are going to offer it, they should do so securely.

          And yes, they deserve a ding over this, this is a significant problem and can permit the device itself to become a platform inside a network for further attacks. It also calls into question the security of Roku devices inherently, this is fairly trivial and they failed to implement it correctly, what else is insecure about these devices?

          • OG Charlie says:

            From the article

            “To become a victim of a real-world attack, a TV user would need to be using a phone or laptop running on the same WiFi network as the television, and then visit a site or download a mobile app with malicious code. That could happen, for instance, if they were tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded.”

            “[b]The exploits didn’t let us extract information from the sets or monitor what was playing.[/b] The process was crude, like someone using a remote control with their eyes closed. But to a television viewer who didn’t know what was happening, it might feel creepy, as though an intruder were lurking nearby or spying on you through the set.”

          • Reflex says:

            This was the method of exploiting the flaw that CR was able to find. There is no way to know that that is as far as it can be taken, only that it is what they found in their testing. To the best of my knowledge, CR is not part of the hacking community, white or black hack.

            Hacks start with vulnerabilities which are then used to hunt for privilege escalations. This flaw will provide a ready staging ground for the latter to be found.

      • OG Charlie says:

        Eh, I’d rather have the Roku phone app to continue to “just work” instead having having to hope that the app/box are signed into the same account so the box shows as available to choose in the app and having to put in a pin number to sync them together like on the Fire TV.

        If you’re downloading non-official apps from bad actors or somebody gain access your home network without permission, this Roku ‘security risk’ is the least of your worries.

        • Reflex says:

          The Google Play store often is the ‘bad actor’ you cite. Routinely tens of thousands of apps are culled for malicious behavior. It’s pretty trivial to create an authentication method that, say, puts a code on the screen which you then verify on the device. This is not rocket surgery.

          • AFTVnews says:

            I’m with Reflex on this one. If Roku doesn’t want to bother with authentication for the API, it should have at least been disabled by default. Better yet, require a PIN that’s displayed on the TV to be entered by default and give the option to disable the PIN/authentication so that lazy 3rd-party apps can still work.

            The potential attack avenue isn’t someone connecting to your WiFi, like so many people are focusing on, it’s a malicious ad on a website or a malicious app on your phone, which is a daily occurrence for many.

            The Roku API allows for remote channel/app installation and deep linking directly to content. It’s not just about being annoying by raising the volume. One very plausible scenario is someone using the open API to load a specific YouTube video in order to cash in on ad revenue. Mr. and Mrs. Joe Schmoe would just need to browse to a site serving malicious ads on their outdated phone and a video would start playing on their Roku. It would happen over and over and they’d have no idea what was going on. They’d chalk it up to a bug or a fluke while someone overseas is cashing in the ad revenue.

            Yes, in the grand scheme of things, this vulnerability is minor, but it’s still a vulnerability none the less.

  8. greg says:

    obviously having unwanted people on your LAN is a huge security risk…. access to the roku is the least of your worries. I dont think there needs to be any authentication on media players in a home.. just secure your wifi. even in a business.. any halfway decent IT guy will implement a guest wifi or vlan that doesnt have access to the company vlan. as for other security risks on the roku, anytime you entire a password its encrypted before it goes out on the net. its no different than logging into netflix or youtube on your phone.

  9. tech3475 says:

    One thing people may be forgetting is that not everyone may be using their own Wifi.

    For example, I’ve been to hotels where there was no firewall between devices/rooms and I know people who take just a tablet and a streaming stick with them.

    I’m surprised they don’t implement even a basic PW on the device which can keep the API open but provide basic protection.

    • greg says:

      as long as its installed correctly a hotel guest wifi only allows each device to send traffic to the gateways MAC address, not to the other MACs on the same lan. but again if you dont have good wifi security, any device is vulnerable to an attack, so the roku is the least of your worries

      • Reflex says:

        While yes, using device isolation is a good thing, 1) I often see it not implemented at all, and 2) it is not unbreakable either, it is just another security layer.

  10. All2Skitzd says:

    Universal remote controls are the real threat, they could point it in my window and turn the TV up real loud and change channels

  11. HeffeD says:

    This is a reply to Reflex’s comment #720116, because I’m unable to reply directly for some reason…

    Is the API really that all-encompassing? Would Roku really provide an open API for third-party developers to create their own remote control apps that would allow admin level access to their device? Can someone really use this API to script the box to download whatever unspecified payload they wish?

    I haven’t read the API’s documentation, so I’m just speculating, but I have to ask, if this is possible, why hasn’t it happened yet? This API has been around since 2015, and has been “unsecured” this entire time. As many Roku’s as there are in the world, this is a very attractive infection vector! At the very least, I would expect some Whitehat organization to have produced a proof of concept exploit…

    • Reflex says:

      You can use the remote control to install plugins and applications via the Roku store. Potentially it can be used to install via other means, I am unclear if it has any sort of browser or other method to sideload apps. If a malicious user got an app into the Roku store, this would be one way to force it onto the device. Since the remote control could be scripted and run via a malicious app on a phone, they could do anything with it that you can do with your remote on your tv.

      • Frank says:

        Except you can restrict app installations to require a pin. If you do this the ECP can’t install an app without knowing and entering the pin on the device.

  12. tampa8 says:

    AFtvNews summed it up well. At a minimum it should be required to turn on the ability but really a pin needs to be entered. Security is only as good as it’s weakest point, like so many things.

Leave a Reply

Your email address will not be published. Required fields are marked *


Get AFTVnews articles in your inbox!

Get an email anytime a new article is published.
No Spam EVER and Cancel Anytime.