Homes signed up to AT&T's DirecTV service may be inadvertently running hardware that can be easily hacked, according to a security researcher.
An easily exploitable security flaw was found in the wireless video bridge that ships with DirecTV, which lets laptops, tablets, and phones connect with the main Genie digital video recorder. Because the wireless video bridge, manufactured by Linksys, isn't protected by a login page, anyone with access to the device could obtain sensitive information about it.
Trend Micro's Ricky Lawshae, who discovered the flaw, said the device was spewing out diagnostic data about the bridge, including information on connected clients, running processes, and the Wi-Fi Protected Setup passcode.
Lawshae said in a write-up of the bug, seen by ZDNet prior to publication, that the device could accept commands as the "root" user, effectively granting him the highest level of access on the device.
With root access, an attacker can steal data or lock up devices. Lawshae said that one of the biggest risks to home users is from botnets, in which hackers break into internet-connected devices to launch distributed denial-of-service attacks, knocking sites and services offline.
"It literally took 30 seconds of looking at this device to find and verify an unauthenticated remote root command injection vulnerability," said Lawshae. "The vendors involved here should have had some form of secure development to prevent bugs like this from shipping."