Remote attack flaw found in IPTV streaming service

The bug could be used by hackers to intercept your streaming and steal your information.
Written by Charlie Osborne, Contributing Writer

A critical remote code execution flaw has been found in software from a Ukrainian TV streaming device manufacturer which, if exploited, would grant attackers the power to seize control of the streaming service and the content on display.

According to Check Point Research, Infomir -- a Ukrainian IPTV (Internet Protocol Television), OTT (Over-the-Top) and VoD (Video-on-Demand) content streaming provider -- was the source of the security flaw.

On Wednesday, researchers said in a blog post that Infomir's web management platform, Ministra -- also known as Stalker -- is used to manage set-top boxes (STBs). The platform acts as a conduit between consumer STBs and television service providers which buy into the platform.


Ministra does require authentication to access -- but a logic problem ballooned into a major security vulnerability which removed this protection.

The team was able to circumvent the demand for authentication and seize control of some admin AJAX API functions due to a sanitization key failure, leading to the potential for SQL and PHP Object injection and the remote execution of code.


Check Point says that it is difficult to estimate the full impact of the security flaw, but as over 1000 content providers and resellers are connected to Ministra, there would likely be a "very high" number of worldwide customers who may have been impacted.

"In order to receive the television broadcast, the STB connects to the Ministra and service providers use the Ministra platform to manage their clients," the researchers say. "The risks would be their entire customer database of personal information and financial details could be stolen, as well as allowing an attacker to potentially stream any content they choose on to the screens of their customer network."


The vulnerability was first discovered and reported in 2018 and was patched prior to public disclosure in Ministra version 5.4.1. However, as some service providers may not have applied the fix, the vulnerability has also been reported to the CTA Forum.
