Hacking My Roku TV (Sort Of)

The other day I was bored and started thinking to myself, “What devices are actually running on my network?” That's when I decided to run an nmap scan on my LAN and see for myself.

Identifying Hosts and Ports


I didn’t come across much as I don’t really have many smart devices in my house currently. However, I did come across some interesting ports running on my Roku smart TV:

image

I figured that with IoT devices it's probably worth running a full port scan with -p-, as it's not uncommon for them to have services running on non-standard ports. To my surprise, I found port 8060 hosting an XML file containing some metadata about the TV:

image

image

I decided to research exactly what this was, and came across documentation for that port specifically:

“Whether you want to launch your channel content from Roku Search or fancy controlling your Roku device remotely, you will need to learn how to use External Control Protocol (ECP).

ECP enables a Roku device to be controlled over a local area network by providing a number of external control services. The Roku devices offering these external control services are discoverable using SSDP (Simple Service Discovery Protocol).

ECP is a simple RESTful API that can be accessed by programs in virtually any programming environment. The easiest way to test ECP is to use the cURL command to send POST/GET requests to your network connected Roku device.”

So essentially what we're interfacing with here is ECP (External Control Protocol), which allows a Roku device to be controlled by any device connected to the same LAN. It's just a basic RESTful API which we can issue GET/POST requests to via something like curl.
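The two mechanisms the documentation names, SSDP discovery and the device-info document on port 8060, are the same ones a defender would use to inventory which devices on a LAN answer ECP at all. The script below is an added example, not code from the post or from Roku: it builds the SSDP M-SEARCH request, parses the reply to get the device's base URL, and pulls a few fields out of /query/device-info. The search target roku:ecp and the element names in FIELDS are taken from memory of Roku's ECP docs (the post only shows a screenshot of the XML), and both samples are constructed placeholders so the parsers can be exercised offline.

```python
"""Added example (not from the original post): discover Roku devices that answer
ECP over SSDP and parse the /query/device-info XML they expose on port 8060.
Network I/O lives in two small functions; the parsers take raw bytes so they
can be run offline against the constructed samples at the bottom."""
import socket
import urllib.request
import xml.etree.ElementTree as ET

# SSDP multicast group and port from the UPnP spec; the search target
# "roku:ecp" is the one Roku's ECP documentation uses (assumption, not on the page).
SSDP_ADDR = ("239.255.255.250", 1900)
ECP_ST = "roku:ecp"


def build_msearch(st: str = ECP_ST, mx: int = 3) -> bytes:
    """Build an SSDP M-SEARCH request (HTTP-style headers over UDP, CRLF-terminated)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"ST: {st}",
        f"MX: {mx}",
        "", "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse the header block of an SSDP '200 OK' reply into a dict.
    Header names are case-insensitive, so they are normalised to upper case."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {"_STATUS": status}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def discover(timeout: float = 3.0) -> list:
    """Send one M-SEARCH and collect the LOCATION URLs of devices that answer for ECP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    found = []
    try:
        while True:
            data, _ = sock.recvfrom(4096)
            hdrs = parse_ssdp_response(data)
            if hdrs.get("ST") == ECP_ST and "LOCATION" in hdrs:
                found.append(hdrs["LOCATION"])
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Element names a device-info document commonly carries (assumption: recalled
# from Roku's ECP docs; the post only shows the XML as a screenshot).
FIELDS = ("vendor-name", "model-name", "friendly-device-name",
          "software-version", "serial-number")


def parse_device_info(xml_bytes: bytes) -> dict:
    """Pull the inventory-relevant fields out of a device-info XML document."""
    root = ET.fromstring(xml_bytes)
    return {f: (root.findtext(f) or "").strip() for f in FIELDS}


def fetch_device_info(location: str) -> dict:
    """GET /query/device-info from the base URL SSDP returned (e.g. http://IP:8060/)."""
    url = location.rstrip("/") + "/query/device-info"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return parse_device_info(resp.read())


# Constructed samples for offline use; the values are placeholders, not a real device.
SAMPLE_SSDP = (b"HTTP/1.1 200 OK\r\nCache-Control: max-age=3600\r\nST: roku:ecp\r\n"
               b"USN: uuid:roku:ecp:PLACEHOLDER\r\nExt: \r\nServer: Roku UPnP/1.0\r\n"
               b"LOCATION: http://192.0.2.10:8060/\r\n\r\n")
SAMPLE_DEVICE_INFO = b"""<?xml version="1.0" encoding="UTF-8" ?>
<device-info>
  <serial-number>PLACEHOLDER-SERIAL</serial-number>
  <vendor-name>Roku</vendor-name>
  <model-name>Example TV</model-name>
  <friendly-device-name>Living Room TV</friendly-device-name>
  <software-version>0.0.0</software-version>
</device-info>"""

if __name__ == "__main__":
    # Live run: lists every ECP responder on the LAN you are connected to.
    for loc in discover():
        print(loc, fetch_device_info(loc))
```

Running it on your own LAN gives the same picture the nmap scan above did, but from the protocol's side: any host that can receive the multicast and reach port 8060 gets the same answer, which is the point worth knowing before deciding which network segment a TV belongs on.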

The actual idea behind it is to allow developers (or anyone really) to implement any kind of out-of-the-box ideas when it comes to controlling and accessing their devices.

A great example from the documentation:

“There have been many creative and successful applications using ECP by third-party developers; one great example is the Rokie iPhone/iPod remote app which turns your iPhone/iPod into a Roku remote control replacement:”

image

It has a few other useful cases, but let's be honest, we don't care about that. What we really care about is how we can utilize it to mess with our friends or family. (Yeah I know… skiddie antics.)

Interacting with the API


It’s simply a matter of identifying the right endpoints and understanding how to interact with them to perform the desired actions. The documentation lists them all in great detail and even shows example curl requests you can make:

Command: keypress/key
Description: Equivalent to pressing down and releasing the remote control key identified after the slash. You can also use this command, and the keydown and keyup commands, to send keyboard alphanumeric characters when a keyboard screen is active, as described in Keypress Key Values. This command is sent using an HTTP POST with no body.
Example: curl -d '' http://ROKU_IP_HERE:8060/keypress/home

The most interesting ones for sure are keypress, launch, and query.

To know which keys I was allowed to pass, I checked the documentation on Roku's actual website, which shows a few more keypress values than the documentation I referenced above:

image

My personal favourites are definitely PowerOff and VolumeDown/Up/Mute. We could issue those like so:

curl -d '' http://ROKU_IP_HERE:8060/keypress/PowerOff
curl -d '' http://ROKU_IP_HERE:8060/keypress/VolumeMute
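The curl lines above encode two rules from the table: keypress (like launch) is a POST with an empty body, while query is a GET. The helper below is an added example, not the post's or Roku's code; it builds those request shapes and refuses key names it does not recognise, so a typo does not become a blind request at the TV. The key names on the page (home, PowerOff, VolumeDown/Up/Mute) are joined by a few navigation keys and the Lit_ prefix for literal characters, both recalled from Roku's ECP docs and marked as assumptions in the code.

```python
"""Added example (not from the original post): build and optionally send the
ECP requests the post describes, with an allow-list of key names."""
import urllib.parse
import urllib.request

# Key names shown on the page plus common navigation keys from Roku's ECP docs
# (assumption: the extra names are recalled from the docs, not from the post).
KNOWN_KEYS = {
    "Home", "Back", "Select", "Up", "Down", "Left", "Right", "Play",
    "VolumeUp", "VolumeDown", "VolumeMute", "PowerOff",
}


def ecp_base(ip: str, port: int = 8060) -> str:
    """Base URL of the ECP service; 8060 is the port the post found."""
    return f"http://{ip}:{port}"


def key_path(key: str) -> str:
    """Map a key name or a single literal character to the keypress path segment.
    A single character becomes Lit_<percent-encoded char> (assumption: Lit_
    prefix from Roku's docs); anything else must match a known key name
    case-insensitively, so 'volumemute' is sent as the documented 'VolumeMute'."""
    if len(key) == 1:
        return "Lit_" + urllib.parse.quote(key, safe="")
    for known in KNOWN_KEYS:
        if known.lower() == key.lower():
            return known
    raise ValueError(f"unknown ECP key: {key!r}")


def build_request(ip: str, command: str, arg: str = "") -> tuple:
    """Return (method, url, body) for an ECP command without sending it.
    keypress and launch are POSTs with an empty body; query is a GET."""
    base = ecp_base(ip)
    if command == "keypress":
        return ("POST", f"{base}/keypress/{key_path(arg)}", b"")
    if command == "launch":
        return ("POST", f"{base}/launch/{urllib.parse.quote(arg, safe='')}", b"")
    if command == "query":
        return ("GET", f"{base}/query/{urllib.parse.quote(arg, safe='')}", None)
    raise ValueError(f"unsupported command: {command!r}")


def send(ip: str, command: str, arg: str = "", dry_run: bool = True):
    """Build the request and, unless dry_run, send it with urllib.
    In dry-run mode the (method, url) pair is returned so it can be inspected."""
    method, url, body = build_request(ip, command, arg)
    if dry_run:
        return (method, url)
    req = urllib.request.Request(url, data=body, method=method)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return (resp.status, resp.read())


if __name__ == "__main__":
    # Dry run against a placeholder address; replace with your own TV's IP
    # and pass dry_run=False to actually send.
    print(send("ROKU_IP_HERE", "keypress", "VolumeMute"))
    print(send("ROKU_IP_HERE", "query", "device-info"))
```

The dry-run default is deliberate: printing the method and URL first makes it obvious what is about to hit the device, which is also how you would spot these requests if you were watching a TV's traffic with a proxy or packet capture.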

Closing Thoughts


That’s about it. I just figured it would be fun to share this so others can learn about how interesting IoT devices can be, and maybe you’ll share the same feeling as me when whoever you’re messing with thinks you’re some absolute masterhacker and that you should instead “invest those skills into hacking a bank”.

This post is licensed under CC BY 4.0 by the author.