0 Replies. Latest reply: Nov 9, 2012 5:11 PM by surge3

    Slingbox Security Breach \ Hacked

    surge3

      I already posted about this in another thread, but I thought I would start a new discussion, as I have verified the following exploit on both an iPhone and an iPad, and as a result of this exploit, someone has permanent control over my Slingbox.


      Here is how to reproduce the security problem:


      1.) Login from a PC or Mac to Slingbox.com using your web browser

      2.) On your iPhone or iPad, open the Slingbox application and login -- click Connect and view the stream.

      3.) On the PC or Mac, change your Slingbox.com password -- also change your Slingbox admin password and the Slingbox viewing password

      4.) Go back to your iPhone or iPad; close the Slingbox application (double tap the home button, hold the icon, tap the "x").

      5.) Re-open the Slingbox application on your iPhone or iPad -- you are not asked to log in again with the new Slingbox.com password or the new admin or viewing password for the Slingbox -- the stream plays automatically.

      6.) On the PC or Mac, attempt to watch the stream on Slingbox.com using your web browser -- it will say someone else is already watching and you must type in your admin password to disconnect them.  Do so.  You should now be watching the stream on your PC or Mac via your browser.

      7.) On your iPhone or iPad -- a box should pop up similar to this:

      https://community.sling.com/servlet/JiveServlet/downloadImage/2-7478-1390/Mobile+Photo+Jun+16%2C+2010+7+25+54+PM.jpg

      8.) Press "Yes" -- your PC or Mac stream will be disconnected.


      Problems:


      1.) The iPhone and iPad are permanently logged in and can disconnect anyone at any time without entering the admin password.

      2.) If one were to change their Slingbox.com password, their admin password, and their viewing password, an iPhone or an iPad that has already logged in at least once can still view the stream.


      Please, test this for yourselves and post your feedback \ thoughts about this.

      In my situation, a person who I do not know has permanent control over my Slingbox and I have no way to lock them out except for leaving my Slingbox unplugged -- and therefore rendered useless.


      I welcome any suggestions on how to lock out someone who I do not want having access.
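The behaviour described in the post (a device that keeps working after every password is changed) is what happens when a server accepts any session token it ever issued and never ties that token back to the credentials that were valid when it was minted. The following is an added example, written for this thread and not code from Sling Media or from the poster: it models a hypothetical `AuthServer` that stamps a per-user credential generation counter into each session and bumps that counter on password change, so a cached token on a phone stops validating. With `check_generation=False` the same model reproduces the bug; with `True` it shows the fix. Privileged actions (here, kicking another viewer off the stream) are also made to require the current admin password rather than anything cached. All names, the PBKDF2 parameters and the sample accounts are assumptions for illustration.

```python
"""Session invalidation on password change (added example, hypothetical server)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Standard-library PBKDF2; iteration count is an illustrative assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    generation: int = 0  # incremented on every password change


@dataclass
class Session:
    user: str
    generation: int  # the user's generation at the moment the token was issued


class AuthServer:
    """check_generation=False reproduces the post's bug; True is the hardened variant."""

    def __init__(self, check_generation: bool):
        self.check_generation = check_generation
        self._users: Dict[str, User] = {}
        self._sessions: Dict[str, Session] = {}

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = User(salt, _hash_password(password, salt))

    def _verify(self, name: str, password: str) -> bool:
        u = self._users.get(name)
        return u is not None and hmac.compare_digest(u.pw_hash, _hash_password(password, u.salt))

    def login(self, name: str, password: str) -> Optional[str]:
        if not self._verify(name, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(name, self._users[name].generation)
        return token

    def change_password(self, name: str, old: str, new: str) -> bool:
        if not self._verify(name, old):
            return False
        u = self._users[name]
        u.salt = os.urandom(16)
        u.pw_hash = _hash_password(new, u.salt)
        u.generation += 1  # every token issued before this line is now stale
        return True

    def session_valid(self, token: str) -> bool:
        s = self._sessions.get(token)
        if s is None:
            return False
        if not self.check_generation:
            return True  # vulnerable: a cached token survives a password change
        return s.generation == self._users[s.user].generation

    def disconnect_other_viewer(self, token: str, admin_password: str) -> bool:
        """Privileged action: needs a live session AND the current admin password."""
        if not self.session_valid(token):
            return False
        return self._verify(self._sessions[token].user, admin_password)


def replay_after_password_change(check_generation: bool) -> bool:
    """Replays the post's steps 2, 3 and 5; returns True if the cached token still works."""
    server = AuthServer(check_generation)
    server.register("owner", "old-pass")                 # constructed sample account
    device_token = server.login("owner", "old-pass")     # step 2: phone logs in
    if not server.change_password("owner", "old-pass", "new-pass"):  # step 3
        raise RuntimeError("password change unexpectedly failed")
    return server.session_valid(device_token)            # step 5: phone reopens app


if __name__ == "__main__":
    print("vulnerable model, token still valid:", replay_after_password_change(False))
    print("hardened model, token still valid:", replay_after_password_change(True))
```

The generation counter is the cheapest form of server-side revocation: it needs no session enumeration and works even when tokens are stateless, as long as the validator can read the user's current generation. An equivalent design stores a `password_changed_at` timestamp and rejects tokens issued before it.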