Security researchers have publicly disclosed an unpatched zero-day vulnerability within the firmware of AT&T DirecTV WVB kit after trying to get the device the to patch This kind of easy-to-exploit flaw over the past few months.
The problem will be using a core component of the Genie DVR system of which’s shipped free of cost with DirecTV along with can be easily exploited by hackers to gain root access along with take full control of the device, placing millions of people who’ve signed up to DirecTV service at risk.
The vulnerability actually resides in WVBR0-25—a Linux-powered wireless video bridge manufactured by Linksys of which AT&T provides to its completely new customers.
DirecTV Wireless Video Bridge WVBR0-25 allows the main Genie DVR to communicate over the air with customers’ Genie client boxes (up to 8) of which are plugged into their TVs around the home.
Trend Micro researcher Ricky Lawshae, who will be also a DirecTV customer, decided to take a closer look at the device along with found of which Linksys WVBR0-25 hands out internal diagnostic information by the device’s web server, without requiring any authentication.
When trying to browse to the wireless bridge’s web server on the device, Lawshae was expecting a login page or similar, although instead, he found “a wall of text streaming before [his] eyes.”
Once there, Lawshae was able to see the output of several diagnostic scripts containing everything about the DirecTV Wireless Video Bridge, including the WPS pin, connected clients, running processes, along with much more.
What’s more worrisome was of which the device was accepting his commands remotely along with of which too at the “root” level, meaning Lawshae could have run software, exfiltrate data, encrypt files, along with do almost anything he wanted on the Linksys device.
“the idea literally took 30 seconds of looking at This kind of device to find along with verify an unauthenticated, remote root command injection vulnerability. the idea was at This kind of point of which I became pretty frustrated,” Lawshae wrote in an advisory published Wednesday on Trend Micro-owned Zero Day Initiative (ZDI) website.
“The vendors involved here should have had some form of secure development to prevent bugs like This kind of by shipping. More than of which, we as security practitioners have failed to affect the adjustments needed within the industry to prevent these simple yet impactful bugs by reaching unsuspecting consumers.”
Lawshae also provided a video, demonstrating how a quick along with straightforward hack let anyone get a root shell on the DirecTV wireless box in less than 30 seconds, granting them full remote unauthenticated admin control over the device.
The vulnerability was reported by the ZDI Initiative to Linksys more than six months ago, although the vendor ceased communication with the researcher along with had yet not fixed the problem, leaving This kind of easy-to-exploit vulnerability unpatched along with open for hackers.
So, after over half a year, ZDI decided to publicize the zero-day vulnerability, along with recommended users to limit their devices of which can interact with Linksys WVBR0-25 “to those of which actually need to reach” in order to protect themselves.