Your Roku is Spying On You

They don't have to act as a DNS server. All they need to do is put their NIC in promiscuous mode. They'll see all packets that way, and they will be able to capture unencrypted ones.

How is that possible unless you are using a hub?

How would the Roku sniff packets the switch never sent its way?
 
WiFi acts like a "hub" in this case. Basically WiFi is a totally brain dead standard in which all adapters shout at each other and if the other side couldn't hear them they retransmit. I doubt most people bother with anything other than WiFi. A lot of my relatives aren't technical, and they don't. For my parents and my wife's parents I've done everything the "right" way, but few people have access to me. :)

Edit: actually, never mind. Apparently only WEP encrypts everything with the same key. WPA uses a key + a different nonce per client, which in effect means clients can't see each other's traffic, at least not in plain text. You can still maliciously decrypt traffic, of course, but it's hard to do, and I strongly doubt that's something Roku would do. It's probably also illegal.

More on decryption: https://wiki.wireshark.org/HowToDecrypt802.11. TL;DR: if you didn't capture the handshake when the adapter pairs to the AP, you're SOL. If you did capture the handshake packets -- decryption is a piece of cake.
 
You’d need to be able to configure the router to use the pi-hole as the DNS server for your network. You should also make the pi-hole the DHCP server for the network for maximum effect.

This is where I am stuck. I am trying to go with option 1 in this guide, but it's just not written clearly enough for me to follow:
https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245. It's a bit late now, so I will sleep on it and attack it again tomorrow evening.
 

Oh wifi.. right.
 
To be honest - I didn't read the entire thread, but I fixed this issue late last year.
I dumped all my "home" router gear and installed a Ubiquiti network behind my cable modem (300 Mbps). I added a USG, 2 * Switch 8-60W and 2 * AP AC PRO WAPs.
All my IoT devices (Google, thermostat, fridge, etc.) are on an isolated "IoT" network. They can scan all day long and all they will see is each other. They have no access to my other segmented networks.
I have 3 others.. 1 is guest, where I throttle bandwidth and kick them off after 4 hrs - stops my kids' friends from hogging bandwidth for their games.
Another is for admin purposes (my back door), and the 3rd is the generic home network most folks have - for PCs, phones, etc.
 
I've been seriously considering a Ubiquiti setup. And there are VLANs for my IoT stuff in the near future.
 
That's how I have mine set up.. More expensive than a typical home setup? Yeah... but DPI (deep packet inspection) is worth the extra alone.
I can see where and what EVERY device is doing.. and who my top users are.. :)
 
This thread has me confused because I'm not networking savvy (other than setting up networks to run my PA mixers).
I have a Raspberry Pi sitting in a drawer at home. Never put it together. Sounds like this is the perfect use for it.
Will have to work on this over the weekend!
 
Don't be confused, set up Pi-hole and enjoy the faster, mostly ad-free internet. Irrespective of whether you manage to set it up, also set up the uBlock Origin extension in your favorite browser(s), and 1Blocker or a similar ad blocker on iOS (you're SOL if you're on Android -- Google will permanently log everything you do), and disable all third-party cookies in your browser settings.

Leave all of this advanced stuff for later, or even for never.
 
Netcomm NF7


Ubiquiti is good, I just wish they had a router+powered switch in one combo for home users :)

Cloudkey v2 is also looking good as I'm looking into security cameras.
 

Log in to the web panel of your router. Then click "Show advanced view". Navigate to the DHCP Server tab/page.

Under Primary DNS, put the IP address of your pi-hole device.

You probably also want to reserve the same IP for your pi-hole device. Click fixed mapping, find your pi-hole IP in the client list and copy it into one of the ID slots. Now your pi-hole will always have the same IP.
 

Thanks so much, that is exactly what I needed. Do I have to input the MAC address as well?
 
I'm with everybody here; it's a shame you have to be very tech savvy to secure all of these IoT gizmos and apps/services that leak information when they 'phone home'. You really cannot trust the security/privacy of many/most IoT/internet-enabled devices. I saw a demo of how you can hack a TV and turn on its camera (which also disabled the LED that tells you the camera is on) and wasn't all that surprised at how trivial it was to do.

Considering that most IoT gizmos have poor security right out of the box and will likely never get updates this can be a recipe for big time grief.

Hackers throughout the world are all over this stuff. It's becoming common to read of people discussing a topic in their living room and getting targeted ads (or emails sent to a contact list relating to the topic discussed; that happened recently via Alexa to a couple) on their phone relating to the subject discussed almost immediately (I personally have had that happen at least three times so far).

I cannot/will not trust any voice-activated service (Alexa, Siri, etc.) as they listen to you all the time, and that audio data is going somewhere for a server to process (with dubious data retention policies and no guarantee that no one can access the audio). I have read of too many privacy breaches regarding a lot of these services over the last while. Hook your furnace thermostat/controller up to wifi....suuuuuuure...not in my lifetime.

I frequently sniff my traffic with Wireshark and analyze it to see exactly what's going on and have made several disturbing discoveries over the years.

A few months ago I was looking at small/mini PCs to run pfSense (firewall), Snort (intrusion detection software), and Squid (a highly configurable proxy server) as it was becoming clear that you cannot trust most consumer-level firewalls in any way (even the 'better' ones); they can, and do, get hacked, aren't that good at what they do, don't get timely security updates (if at all), all of that.

I was fortunate to get a high end Fortinet firewall/security appliance to use at home for as long as I need it and didn't look back; it's amazing (and unsettling) what strong network analytics will reveal.

I agree, it's a shame that you have to be a 'network guru' to secure this stuff as most people don't have the expertise to harden their networks/devices to ensure privacy and security of home networks and data. I'll never, ever, connect anything made by Google, in particular, in my home. A Samsung TV with Voice Command and a web-cam?? An insecure, exploitable, surveillance device right in your living room. Yay.

Implementing VLANs to put insecure devices on their own network segment and isolating them is absolutely the way to go IMO, as well as implementing deep packet inspection and being able to manage network access control for apps/services in a very granular fashion to prevent things like 'Roku surveillance'. It seems like I'm reading about a breach of home network devices (IoT, thermostats, TVs, security cameras, etc.) weekly.

The entire world is knocking on your door, looking for openings to exploit, 24/7/365.

<tin foil hat on> lol.
 
There is always 1.1.1.1 if you want simple. Still have to trust the people running that so... Anyway your ISP has all your traffic and it’s only a matter of time before they start jamming customers right at the source. TimeWarner already started doing this if you use their DNS servers.

Running your own DNS server is a good first step and Pi-hole is pretty cool unless you have other people in the house and all of a sudden they can’t get website xyz to load, now you are your own family's IT guy.

On your own personal computers (or from your router) you can use 1.1.1.1 for DNS. Then load SRWare Iron Browser, force it to open in incognito and load uBlock, Ghostery and Click&Clean plugins.

Makes for a nice internet experience. No advertisements or other BS.
 
There's a number of public DNS servers out there. I use my own DNS service and backup is 8.8.8.8 :)
One other thing you MIGHT want to look at is a VPN service.. It "hides" you on the interweb, so if you rotate your IP DAILY, they won't be able to target you. Also, on win boxes, update your hosts file to route known ad sites to 127.0.0.1
Here's mine (from my Spybot program)
 

Attachment: hosts.txt (960.4 KB)
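An added example, not from the thread or from any of the tools named in it: a small Python checker for a hosts-style blocklist like the attached hosts.txt. It shows why the hosts-file trick and a DNS sinkhole such as Pi-hole behave differently: a hosts file only matches the exact names listed, while a resolver can be told (dnsmasq's address=/domain/ form, which Pi-hole is built on) to catch every subdomain as well. The sample list and its domains are constructed placeholders.

```python
import ipaddress

# Constructed sample in hosts-file syntax. Ad-block lists pin names to
# 127.0.0.1 or 0.0.0.0; either keeps the client from reaching the real host.
SAMPLE_HOSTS = """\
# comment lines and blank lines are ignored
127.0.0.1 localhost
127.0.0.1 ads.example.net   # trailing comment
0.0.0.0   tracker.example.org telemetry.example.org
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text):
    """Return the set of hostnames a hosts file pins to a sinkhole address."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)            # skip malformed lines
        except ValueError:
            continue
        if addr in SINKHOLES:
            blocked.update(n.lower().rstrip(".") for n in names)
    blocked.discard("localhost")                  # "127.0.0.1 localhost" is normal, not a block
    return blocked


def hosts_file_blocks(blocked, name):
    """A hosts file matches exact names only: no wildcards, no subdomains."""
    return name.lower().rstrip(".") in blocked


def dns_sinkhole_blocks(blocked, name):
    """Resolver-level blocking of a whole domain (dnsmasq address=/domain/ style)
    also catches every subdomain of a listed name; a hosts file cannot do this."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


if __name__ == "__main__":
    blocked = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.net", "cdn.ads.example.net", "example.net"):
        print(host, hosts_file_blocks(blocked, host), dns_sinkhole_blocks(blocked, host))
```

The middle case is the one to notice: an ad host that moves to a new subdomain slips past the hosts file but not past the domain-level sinkhole.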