Security researchers hack Roku streaming media player

photo: Brian, Flickr

After [Fabrizio Siciliano]’s post became popular on the subreddit Netsec, [John Matherly, Shodan] decided to shine a light on the Roku. He scanned his Vizio TV with Nmap; it launched “an update and shows the application menu – no authentication required. As such, it isn’t a huge surprise to learn that the Roku offers an API to control the device that doesn’t have authentication enabled. And to be fair, the use case for the API is to allow local users to control their Roku over the phone. They’re not meant to be directly exposed on the Internet. Aside from the security implications, this also provides an opportunity to learn a bit about which Roku devices are most popular and which apps users install the most.” – Ms. Smith, Network World