Roku jailbreak gives users control over what channels they install
Roku has responded, saying the RootMyRoku vulnerabilities are now mitigated in its v9.4 software
It's been years since the GTV Hacker team revealed a method to get root access on Roku devices, but now they operate under the Exploitee.rs banner and once again point out a software crack for the streaming hardware.
According to RootMyRoku developer llamasoft, the exploit takes advantage of a pair of vulnerabilities to enable a persistent root jailbreak. It should work on RokuOS v9.4.0 with the Realtek WiFi chip, which includes "almost all" Roku TVs and some of the boxes. RokuOS 10 blocks this particular method, but you may not have received the update yet.
Obviously this is useful for enthusiasts wanting more control of their box, but it does present some security issues, and on the Github page, the developer pleads with Roku to follow the lead of other companies in creating a bug bounty program. That would pay people who find these exploits, giving them more of a reason to find and highlight them so they can be fixed, rather than enabling any kind of nefarious activity.
Update (5/18): Roku has replied with a statement, noting that customer data has not been exposed and the company also says it has mitigated the vulnerabilities in devices running Roku OS 9.4 as well.
As part of our continuous monitoring, the Roku security team identified and addressed vulnerabilities in the Roku OS – though these vulnerabilities did not expose customer data and we did not identify any malicious activity. We always want to do everything we can to maintain a secure environment for Roku, our partners, and our users, and we therefore mitigated the vulnerabilities and updated Roku OS 9.4 with no impact to the end user experience.
Presenting a root #jailbreak for most Roku TVs and some Roku set top boxes:https://t.co/ur8kdjrKuB
We've been working hard on this one, so I'm glad to finally be able to share it! A big thank you to ammar2 and popeax from the @Exploiteers Discord.#infosec— /dev/null (@rmDevNull) May 18, 2021