Researchers publicly disclosed a zero-day exploit in a piece of television hardware on Wednesday after trying to get the device maker to fix the flaw over the past few months.
The device, Linksys WVBR0-25, is a wireless video bridge that DirecTV parent company AT&T gives to new customers for the satellite television service. A Trend Micro researcher and DirecTV customer found that, without authentication, the WVBR0-25 hands out information including connected clients and running processes.
A wireless video bridge is an access point (similar to a router) used by DirecTV to send signals to a user’s wireless set-top boxes.
The easy-to-exploit vulnerability allows hackers to potentially gain root access and take full control of the device. The device also fails to properly sanitize data and leaves the door wide open to remote attackers taking over the device, said Dustin Childs, director of communications for Trend Micro ZDI.
Although the issue was reported over half a year ago by Trend Micro’s Zero Day Initiative (ZDI), Linksys ceased communication with the researcher and has not fixed the problem, a Trend Micro representative said.
“The exploit allows remote code execution on a vulnerable device,” Childs said. “An attacker can leverage this bug to get a root shell on the device. Since they’re root, they can take any action available to the system: Install software, exfiltrate data, encrypt files, etc.”
A representative for Belkin, Linksys’s parent company, told CyberScoop on Thursday that the company provided a firmware fix to DirecTV and is waiting for that company to send software updates to customers.
Childs explained that attackers first need to reach the vulnerable device on the network, and most of the devices will have some form of isolation from the internet. Once an attacker routes to the device, they can gain root access on the system.
Devices like this can be used in potent botnets, a tactic hackers currently use in 100,000-device-strong armies.
The issue was reported on June 14, 2017, just over 180 days ago, by Ricky Lawshae, a Trend Micro researcher who goes by @HeadlessZeke on Twitter.
Lawshae recommends that Linksys WVBR0-25 users limit the devices that connect with the vulnerable device.
Trend Micro has not detected the exploit in the wild, but the devices remain vulnerable.
Update: The story was updated to add a comment from a Belkin representative.