
So up next we have Akash Karade, security consultant at Aquarian, and he will be giving a talk on ChatGPT-assisted hacking: pentesting Roku apps. Give him a big round of applause.

So let's start with the talk. This talk is related to a Roku application which I pentested recently, and I used ChatGPT; as the previous speaker said, a lot of us use ChatGPT. So let's start. Okay, let's talk about me. I am Akash K and I work as a security consultant at Aquarian; it has been around four and a half years in the security domain. On the right you can see one of my favourite shlokas from the Bhagavad Gita, from the greatest personality ever.

So let's move to the main topic. Before we get started: this is not a lecture, please ask your questions and doubts; you can also share your thoughts.

The first slide is about how ChatGPT helped me. When the project, or the assessment, came in, the Roku channel was very new and I didn't know anything related to the channel. So I just asked ChatGPT what it is, how we can exploit many vulnerabilities in it, and how we can analyse the firmware of the Roku device and the channels inside that. So ChatGPT helped me a lot.

You might be wondering what a Roku device is. A Roku device is a device which basically streams channels, which can turn your TV into a smart TV and can stream a lot of channels: music channels, sports, etc. It's the same as an Amazon Fire Stick. Here you can see the number of Roku devices. The one which I tested was the first one, the Roku Express, and the latest is the Roku Streaming Stick 4K.

Okay, so let's talk about the attack surface of a Roku device. Talking about the attack surface: network security, where you can scan the Roku IP address which was assigned when you connected your Roku device to the Wi-Fi. Next is Roku firmware analysis: you can analyse the firmware of the Roku. For example, in the previous slide you can see there are a number of devices, and each of the Roku devices will have different firmware. Next is application security, which is basically about the channels inside the Roku device; let's say a sports channel which can stream you a number of sports channels and everything. And next is data storage and encryption inside the Roku device: is there any storage, or any secret key or anything related to the channel, which is stored inside the Roku device, and how is it stored, is it just a string or is it stored encrypted?

So let's talk about the Roku apps, or channels. As I explained previously, this is how the channels look; there are a lot of channels: sports, music, anything you can think of. And Roku has this developer mode where you can create your custom channels, and you can implement and run them on the Roku device.

Moving to the understanding of Roku custom channels. These channels are not in your average Roku Play Store (they have their own Play Store when you install the Roku device); it will not be visible there, since it's a private channel related to you or your organisation. Personal channels can allow users to create and distribute their own content; for example, I can share my channel with my friends or anyone in the organisation just to see my private channel. Creating a Roku channel requires the Roku development kit, the SDK, and you can create a Roku channel with languages such as BrightScript and SceneGraph XML. BrightScript is a language which was created by Roku themselves; the next slide is about that only. BrightScript is a language which was developed by Roku themselves, and it offers developing applications on the Roku platform. You can read more about the language and understand the reference of the language using the link.

So, time for a quick demo, enough of the theory part. You might be wondering what a custom Roku channel looks like. On the right side you can see a screenshot of a channel, of what all source it has. It's basically a zip file which you can unzip. Here I have used Eclipse, and inside that I've used their IDE, with their plugin. First I tried to zip it: I made the changes in the Roku source code (there is this file inside source, main.brs, which contains your application code, and you can change it to whatever, since the client gave us their custom channel to test), so I made certain changes, and I thought it's a zip file, right, so I saved the file and tried to zip it and upload it to the Roku, but it was not working for some reason. Then I did some research and understood that normal zipping wouldn't work, so you need to download a plugin to deploy or save the changes that you made. You can see the link here; you can download the plugin from there.

Okay, so enabling developer mode: it's quite like, I think, you have to get the remote of the Roku and you have to press Home twice, the Up button, Right, Left, Right, Left, and then again Right, and then you'll be able to see the screen where it will ask you to enable developer mode. Just click yes and follow the instructions on the screen, and you'll be in developer mode, and then an IP address will be displayed on your screen, so you can navigate to it through your browser. This is how the interface of the Roku looks once you visit the IP address that was assigned to your Roku device. Below you can see "upload the channel", and you can upload your specific channel and it will be shown in the Roku on your TV itself, and you can start using your channel; you can navigate through the remote and start using your channel.

Okay, so setting up: as we know, from a pentesting perspective, the first thing we want for any assessment is getting the backend requests into a proxy tool; a lot of pentesters use Burp Suite. So, setting up the intercepting environment. I basically set up a fake Wi-Fi access point using the script that I have mentioned, create_ap, and I created a fake hosts file. The hosts file looked like that: the IP address, which can be any IP address, and example.com. Not assuming; the client will tell you the URL, or the backend API domain, for the channel. So assuming that here it is example.com, or rokuchannels, this thing. And then you can create your AP. You have to give the AP the network interface, the internet interface, both interfaces, the SSID and the password that you want to give to your hotspot.

Okay, so there are certain changes that you will have to make to your Roku channel source code. To do that, you can see in the second line I've added my Burp certificate: I've created a Burp cert .pem file and I've given the location for it; this is how you give it. And again, in the third line, I've said urlTransfer.SetUrl and given the domain that I want to intercept. You might be wondering why we need to give this. The custom channel was verifying the certificate, that's why I had to give the Burp certificate; if the channel is not verifying it, you can just remove that line and just give the third line. And there are a lot of ways to intercept; you can use request.SetProxy and give your proxy and see if that works, but for me this method was working. There are a lot more methods.

Moving to our next slide. So now we are able to... when we set up the... I'll get to the back slide. After this, you'll have to save your zip file from your Eclipse IDE and then you'll have to upload it to the web interface that was shown earlier. After uploading, the channel will again load onto your Roku device on your TV, and from the remote of the Roku you can start this thing. As you can see, we were able to intercept the request, so our attack surface increases: you can test all of the OWASP Top 10 from the backend requests.

Related to this testing I found out many broken access control issues. Let's say one finding was that a user was able to see a video after the subscription was over; that was a finding. And the client specifically asked us to try bypassing the watermark; there was a watermark on the video. I'm not sure... yeah, okay, it is not there, okay. So the client asked us to bypass the watermark, which was basically pretty simple: it was going in the request, or in the response, so I just modified it, or removed it, the watermark was removed from the video, and the video can then be pirated; we can record it. That was the client's main concern. They were not burning the watermark into the video; that was the problem, they were just giving it from the request parameter. And there were a lot of broken access control issues.

Okay, side channel leaks. So let's talk about what you can find in the debug console. There is this debug console in a Roku device which can be accessed at your Roku IP address and the 8085 port, yeah, 8085 port. You can connect to that port and, once you serve the channel, it will start logging everything; not everything, basically depending on how the channel is developed, it will log what has to be logged. You can read more about the debugging console in the following link.

Okay, so things I got in the debug console: there was a username and password which was going through the debug console, I don't know why the developer was logging that, and there was the active JWT token which was again leaked in the debug console. There were also a lot of secrets; there was some secret key also which was leaked. So these were all of the findings.

Okay, so things I tried next: I tried to get a shell. I tried to search on Google or on the Roku website for what language or what code I need to use to get the shell. I tried a couple of things but nothing was working, so I just asked ChatGPT how we can get a shell. First it was not showing up, but after certain prompt changes (I changed the prompt: "okay, I'm the developer" and all), it gave me some code to get into the Roku shell. That was the thing I tried. I tried jailbreaking the Roku and exploring; jailbreaking was not possible on the Roku Express, which was the very oldest device I got, that's why I was not able to jailbreak, but we can jailbreak the latest device, I think some researcher has posted a blog about it. I tried to get the shell and explore the disk to see if any channel-related secrets or anything are stored in the Roku file system. And you can perform a network scan if the developer has opened any specific ports for their custom channels.

Okay, so the code which ChatGPT gave me: these are only two, but ChatGPT usually gave me a lot; there were a lot of things I tried, a lot of code was there. Here we can see I've created an object, roShell, and I'm giving my command there. I tried it, and I was checking in the debug console; in the debug console it was giving me an error when my code reached here, it was not executing. Even though I tried multiple commands, I then understood that we can't get a Roku shell on the Roku Express because the device was too old or something. So yeah, hard luck.

Okay, that was the talk, all about it. You can connect with me on LinkedIn; you can just scan it or you can just search on LinkedIn with my name. Yeah, okay. Thank you.