
Western Digital TV Media Player Streams Multiple Security Flaws

Ionut ILASCU

May 23, 2017


The firmware of Western Digital TV Media Player contains several security vulnerabilities of critical severity, according to researchers. The flaws are easiest to exploit if the attacker is on the same network as the device, but successful attempts from the Internet are also possible.

WDTV Media Player lets users play multimedia files of various formats on a TV screen. The source can be anything from a USB drive, a network storage device or a computer on the network to streams from online personal accounts; the device comes with both Ethernet and wireless support.

Security researchers at consultancy company SEC-Consult found eight vulnerabilities in the current firmware version (1.03.07) of WDTV media players, including some that show even larger vendors fail to implement minimum security standards for their products. Among the oversights disclosed is the use of the same decryption key in all units, which can be used to access other users’ data (e.g. credentials for online accounts). On the same note, the device lacks protection against brute-force attacks, allowing repeated guesses until the right password is found. This attack is made easier here because user names are not supported, so the attacker has to discover only one element, the password.

The list of vulnerabilities published by SEC-Consult includes the ability to upload an arbitrary file to the built-in web server without authenticating. Because the web server also runs with root privileges on the system, this lets an attacker execute unauthorized code with the highest permissions, the researchers say in their advisory.

A cross-site request forgery (CSRF) flaw in the WDTV Media Player makes it vulnerable to attacks even if it is not reachable from the Internet: a user on the same LAN who visits a malicious web page can have that page send requests to the device on the attacker’s behalf, carried by the user’s browser. According to the security report, “all executable files in the webserver are vulnerable to CSRF which allow an attacker to forge any type of request to any file.” For successful CSRF exploitation, the attacker needs the IP address of the device, a piece of information that is harder to learn or guess for an arbitrary LAN device than for the router, whose address is usually predictable.
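The check whose absence the advisory describes, as an added example in Python (not code from the SEC-Consult advisory or the WDTV firmware): a small CSRF gate that rejects state-changing requests unless the browser-supplied Origin or Referer names the device itself and the form carries a per-session token. The device address, the endpoint path, the session handling and the sample requests are all constructed for illustration.

```python
"""Minimal CSRF gate for an embedded web server (illustrative, constructed).

Two independent checks are applied to every state-changing request:
  1. the Origin (or, failing that, Referer) header must name the device host;
  2. the form must carry the token that was issued to the current session.
A request forged from a third-party page fails check 1 (the browser sets
Origin to the attacker's site) and check 2 (the attacker never saw the token).
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac
import secrets

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")  # must not change state anyway


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class CsrfGate:
    def __init__(self, device_host: str):
        self.device_host = device_host          # constructed, e.g. a LAN IP
        self.tokens: dict[str, str] = {}        # session id -> issued token

    def issue_token(self, session_id: str) -> str:
        """Mint a fresh random token for a session; embed it in the page's forms."""
        token = secrets.token_hex(16)
        self.tokens[session_id] = token
        return token

    def origin_ok(self, req: Request) -> bool:
        """Accept only if Origin/Referer resolves to the device's own host.
        A missing header is treated as cross-site (strict, fail-closed)."""
        src = req.headers.get("Origin") or req.headers.get("Referer")
        if not src:
            return False
        return urlsplit(src).hostname == self.device_host

    def token_ok(self, req: Request, session_id: str) -> bool:
        """Constant-time compare of the submitted token with the issued one."""
        expected = self.tokens.get(session_id)
        supplied = req.form.get("csrf_token", "")
        if expected is None:
            return False
        return hmac.compare_digest(expected.encode(), supplied.encode())

    def allow(self, req: Request, session_id: str) -> bool:
        if req.method in SAFE_METHODS:
            return True
        return self.origin_ok(req) and self.token_ok(req, session_id)


def demo() -> dict:
    """Run three constructed requests through the gate and report the verdicts."""
    gate = CsrfGate("192.168.1.50")             # constructed device address
    token = gate.issue_token("sess-1")
    endpoint = "/cgi-bin/example.cgi"           # hypothetical endpoint name

    # Legitimate submission from the device's own page.
    legit = Request("POST", endpoint,
                    {"Origin": "http://192.168.1.50"},
                    {"csrf_token": token, "setting": "new-value"})
    # Forged from an attacker page: browser sets Origin to the attacker's site,
    # and the attacker does not know the token.
    forged = Request("POST", endpoint,
                     {"Origin": "http://attacker.example"},
                     {"setting": "new-value"})
    # Attacker guessed the right host in Referer but still lacks the token.
    forged_referer = Request("POST", endpoint,
                             {"Referer": "http://192.168.1.50/index.html"},
                             {"csrf_token": "0" * 32, "setting": "new-value"})
    return {
        "legit": gate.allow(legit, "sess-1"),
        "forged": gate.allow(forged, "sess-1"),
        "forged_referer": gate.allow(forged_referer, "sess-1"),
        "safe_get": gate.allow(Request("GET", endpoint), "sess-1"),
    }


if __name__ == "__main__":
    print(demo())
```

The origin check alone is not enough, since some clients omit Origin and Referer, and the token alone is not enough if it is ever reflected into a cross-site-readable response; requiring both, and failing closed when a header is missing, is the conservative choice for a device that sits on a home LAN.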

The vendor describes no general use scenario in which the device is exposed to the Internet, which should lower the severity of these findings. However, a vulnerable gadget on the network is a risk that should be considered, because it could serve as a doorway to devices holding more sensitive data (photos, videos, banking information, credentials for online services).

The vulnerable TV Media Player from Western Digital has been off the vendor’s website since last year, indicating the product has likely been discontinued (no official announcement exists, though) and explaining why the last firmware for this device was released more than a year ago.

Image credit: JoeySmyth
