- Jul 22, 2014
- 2,525
Security researchers from SEC Consult have found eight vulnerabilities in the firmware of Western Digital TV Media Player that allow hackers a multitude of ways to hack and take over the device.
WD TV Media Player is a device that you can connect to a smart TV and play content stored on a local network storage (NAS) device, USB thumb drive, a local PC, or stream content off the Internet.
Researchers find all sorts of security flaws
In an advisory released today, SEC Consult experts say they've found several high-severity flaws in the firmware of such devices.
These vulnerabilities range from SQL injections to CSRF bugs and allow attackers to upload rogue (backdoored) files on the device's built-in web server, execute code against the device's firmware, compromise its local SQLite database, and decrypt and steal a user data.
"By combining the vulnerabilities documented in this advisory an attacker can fully compromise a network which has the WDTV Media Player appliance installed by using it as a jump-host to aid in further attacks," SEC Consults write in their report.
No firmware available
Researchers say they've contacted Western Digital back in January, but after requesting a 90-day deadline extension, the company failed to issue a firmware update.
This might have something to do with the fact WD TV Media Player devices are semi-retired, not being available in the WD store anymore. Nonetheless, WD has not officially announced the product as retired.
Researchers only tested WD TV Media Player firmware version 1.03.07, but some of the below issues might affect older versions as well. SEC Consult recommends that owners take these devices offline until a firmware version becomes available.
Vulnerabilities
....
WD TV Media Player is a device that you can connect to a smart TV and play content stored on a local network storage (NAS) device, USB thumb drive, a local PC, or stream content off the Internet.
Researchers find all sorts of security flaws
In an advisory released today, SEC Consult experts say they've found several high-severity flaws in the firmware of such devices.
These vulnerabilities range from SQL injections to CSRF bugs and allow attackers to upload rogue (backdoored) files on the device's built-in web server, execute code against the device's firmware, compromise its local SQLite database, and decrypt and steal a user data.
"By combining the vulnerabilities documented in this advisory an attacker can fully compromise a network which has the WDTV Media Player appliance installed by using it as a jump-host to aid in further attacks," SEC Consults write in their report.
No firmware available
Researchers say they've contacted Western Digital back in January, but after requesting a 90-day deadline extension, the company failed to issue a firmware update.
This might have something to do with the fact WD TV Media Player devices are semi-retired, not being available in the WD store anymore. Nonetheless, WD has not officially announced the product as retired.
Researchers only tested WD TV Media Player firmware version 1.03.07, but some of the below issues might affect older versions as well. SEC Consult recommends that owners take these devices offline until a firmware version becomes available.
Vulnerabilities
....
