View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Set-Top Box TV Streaming Device Vulnerability Lets Hackers into Your TV and Private Data

Entire customer database of personal info and financial details were at risk.

By CBR Staff Writer

Checkpoint researchers have identified critical vulnerabilities in a set-top box (STB) TV streaming device that would allow a hacker to gain remote control of users’ screens.

The set-top box device enables a connection between a television service provider and the user’s TV, allowing them to stream content. The set-top boxes are connected and controlled by a web management platform called Ministra.

Checkpoint were able to use an authentication bypass to escalate an attack against the platform that gave them access to customers’ financial information, personal information and their set-top box database.

The first vulnerability in the system was found in Ministra’s web management platform for the STB devices, which is PHP based.

The online platform has an admin interface which asks for authentication, however they managed to bypass this mechanism and were given access to the AJXA API functions. This allowed them to initiate a SQL injection through which they were able to access the ‘prepareDataTableParams’ which lead to the ability to execute code on the server.

TV Streaming Device Vulnerability

Checkpoint researcher Ronen Shustin wrote in his report that: “After some tests, it was clear that the keys passed to the order-by, select and like functions were vulnerable to SQL Injection. As we control keys in the query, we can perform either blind or reflected SQL injection.”

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

“The root cause of this vulnerability is that the `prepareDataTableParams` function which allows user-controlled data to influence keys which are not sanitized properly later.”

Once the vulnerabilities stacked they were eventually able to get to the Object Injector which let them execute arbitrary code on to the server, which if done maliciously could affect not just the service provider, but would give access to customers’ TVs through the set-top box.

The set-boxes in question were manufactured by Infomir a Ukrainian maker of Internet Protocol Television, Over-the-Top and Video-on Demand devices.

Each device connects to a platform called Ministra which facilitates the internet connection and manages users.  Checkpoint estimate that there are over a 1000 TV streaming service providers who use the Ministra platform worldwide, with users globally.

Checkpoint informed Infomir over a year ago about vulnerability and they have subsequently rolled out a patch, Checkpoint has not ruled out the possibly that resellers of the devices have not patched their service.

See Also: Entrust Datacard Wraps Up nCipher Acquisition

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU