Roku streaming devices and smart TVs running Roku’s OS have come under fire due to an article by Consumer Reports that says the devices are vulnerable to hacking. Under scrutiny is Roku’s decision to provide a remote control API that does not require any kind of authentication before it can be used to control the streaming devices and TVs.
Roku streamers and TVs can be remotely controlled through a mobile app. Fire TV, Apple TV, and Android TV devices offer the same functionality through their own remote control apps, but the key difference unique to Roku’s implementation is that no authentication is required to grant the remote access to the hardware. This means that anyone with access to a Roku user’s home network can take control of the Roku device. Since Roku remote access is on by default, Consumer Reports considers it a vulnerability because an attacker can “pump the volume from a whisper to blaring levels, rapidly cycle through channels, open disturbing YouTube content, or kick the TV off the WiFi network.”
Roku likely chose to leave its remote control API unrestricted to make using its remote app an easy experience. Without authentication, users can immediately use the Roku remote app without needing to authorize access, as you have to do with the Fire TV Remote App. A completely open remote control API also encourages third-party developers to support Roku devices, as is evident from the numerous Roku remote control apps available.
For comparison, there are three ways to control a Fire TV device over a network: the official Fire TV Remote app, the Android Debug Bridge (ADB), and Alexa through a connected Echo device. Unlike Roku’s remote control API, all three Fire TV control methods require either physical access to the Fire TV or logging into the Fire TV owner’s Amazon account. Simply being on the same network is not enough to remotely control a Fire TV, Fire TV Stick, or Fire TV Edition television.
Having unrestricted remote control access to a Roku device may not seem like a big issue because an attacker would need access to the device’s network, which very likely requires authentication. However, as Consumer Reports points out, access to the network, and therefore the Roku device, can be gained by a user being “tricked into clicking on a link in a phishing email or if they visited a site containing an advertisement with the code embedded.”
Roku says “there is no security risk to our customers’ accounts or the Roku platform” but the fact is that it’s simply lazy development to not have a system in place to authorize API access to their devices, as Apple, Amazon, and Google have all done. Disabling Roku’s remote API, by going to Settings > System > Advanced System Settings > External Control > Disabled, will block unauthorized access, but understand that all remote apps, including Roku’s official app, will stop working.