Roku jailbreak gives users control over what channels they install

Roku has responded, saying the RootMyRoku vulnerabilities are now mitigated in its v9.4 software

Sponsored Links

A Roku Premiere streaming box and remote control, taken on December 17, 2019. (Photo by Neil Godwin/Future Publishing via Getty Images)
What Hi-Fi Magazine via Getty Images

It's been years since the GTV Hacker team revealed a method to get root access on Roku devices, but now they operate under the Exploitee.rs banner and once again point out a software crack for the streaming hardware.

According to RootMyRoku developer llamasoft, the exploit takes advantage of a pair of vulnerabilities to enable a persistent root jailbreak. It should work on RokuOS v9.4.0 with the Realtek WiFi chip, which includes "almost all" Roku TVs and some of the boxes. RokuOS 10 blocks this particular method, but you may not have received the update yet.

Obviously this is useful for enthusiasts wanting more control of their box, but it does present some security issues, and on the Github page, the developer pleads with Roku to follow the lead of other companies in creating a bug bounty program. That would pay people who find these exploits, giving them more of a reason to find and highlight them so they can be fixed, rather than enabling any kind of nefarious activity.

Update (5/18): Roku has replied with a statement, noting that customer data has not been exposed and the company also says it has mitigated the vulnerabilities in devices running Roku OS 9.4 as well.

As part of our continuous monitoring, the Roku security team identified and addressed vulnerabilities in the Roku OS – though these vulnerabilities did not expose customer data and we did not identify any malicious activity. We always want to do everything we can to maintain a secure environment for Roku, our partners, and our users, and we therefore mitigated the vulnerabilities and updated Roku OS 9.4 with no impact to the end user experience.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Popular on Engadget