
DirecTV Genie DVR May Have A Major Vulnerability

January 2, 2018 | June 9th, 2022 | Cybersecurity

If you have a Genie DVR system, you should be aware of a major security flaw in the firmware that could allow a hacker to take complete control over the device.

At issue is the equipment offered by AT&T as part of their free DirecTV WVB Kit. Researchers at the Zero Day Initiative (ZDI) and Trend Micro discovered a zero-day vulnerability in one of the core components of the system, the Linksys WVBR0-25, which is a Linux-powered wireless video bridge. This bridge allows customers to connect up to eight Genie client boxes attached to television sets in their homes.

Trend Micro researcher Ricky Lawshae took a deep dive into the firmware and was able to get the Linksys WVBR0-25 to divulge a wealth of information from the device’s web server, without requiring any sort of authentication whatsoever. There wasn’t even a login screen, just a wall of easy-to-access text, which included:

  • Customer WPS PIN
  • Connected clients
  • Processes currently running

And more. Lawshae had this to say after completing his investigation:

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point I became pretty frustrated.

The vendors involved here should have some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to affect the changes needed in the industry to prevent simple yet impactful bugs from reaching unsuspecting consumers.”

It gets worse, though. When ZDI reported this security flaw to the manufacturer, the company did not issue a patch to correct it and simply ceased all communication. After more than six months of trying and getting nowhere, ZDI decided to publicize the vulnerability in the hope that doing so would finally prompt the company to take action.

Until it does, about your only option (aside from simply canceling your service) is to limit the number of devices that can interact with the Linksys WVBR0-25 so as to limit your exposure.

Jason Manteiga
