BASH prompt security bug


Postby randap » Thu Sep 25, 2014 12:07 pm

Just seen this: http://www.bbc.co.uk/news/technology-29361794

It's a security bug found in BASH... I can't pretend I know or understand anything about this, but since my TiVo is "connected" I'm left wondering if we need to do something???
randap
Powering up...
Posts: 6
Joined: Mon Apr 18, 2011 7:37 pm

Re: BASH prompt security bug

Postby DX30 » Thu Sep 25, 2014 1:07 pm

I wouldn't panic about your TiVo. Unless you have taken steps to configure your router to allow you to access your TiVo from outside your home network (e.g. so you can remotely set recordings), it is unlikely to be vulnerable. And anyway, at the end of the day, what is on your TiVo that is a security risk? While personally I would be annoyed to lose some TV recordings, I'd soon get over it.

I'd be more worried about the impact of Shellshock on commercial websites. These are a much juicier target for hackers, with the potential for thousands of customers' credit card details, etc., being at risk.
DX30
Valued Contributor
Posts: 645
Joined: Thu May 19, 2011 2:36 pm

Re: BASH prompt security bug

Postby gcobb » Sun Sep 28, 2014 12:05 am

I can confirm that the Tivo software does include a version of bash which is susceptible to this bug.

However, like DX30, I do not think it is anything to worry about. The bash problem requires some route to exploit it. The most common route is via a web server running what are known as "CGI scripts". I am not aware that anyone has ever made a CGI-capable web server available for Tivo. In fact, the only web server I am aware of for Tivo is Tivoweb -- but that uses TCL scripts instead of bash scripts, so it is not vulnerable to this bug.

Of course, I would always recommend being careful in allowing remote access to your Tivo from outside your home network. Not because of Shellshock but because none of the Tivo remote services have been designed (or seriously tested) for security.

And, just in case you are worried, the way data is downloaded from AltEPG does not provide a route to infect your Tivo either.
gcobb
AltEPG Team
Posts: 255
Joined: Sun Feb 20, 2011 8:36 pm
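Since gcobb says the Tivo's bash is susceptible but the usual route in (CGI) is absent, the practical thing to do is test the bash binary itself. The script below is an added example, not part of the thread and not AltEPG or Tivo code: it runs the widely published Shellshock (CVE-2014-6271) probe, setting an environment variable the way a CGI web server would set an HTTP header and seeing whether bash executes the trailing command when it starts. The path to the bash under test is an assumed argument; on a Tivo you would run it from a telnet or serial shell and point it at the box's own bash.

```shell
#!/bin/sh
# Added example (not from the original thread): probe a bash binary for
# CVE-2014-6271. A CGI server copies request headers into environment
# variables such as HTTP_USER_AGENT before running the script; a vulnerable
# bash treats any value starting with "() {" as an exported function and
# keeps executing whatever follows the closing brace at startup.

shellshock_check() {
    bash_bin="${1:-bash}"   # assumed argument: bash to test, default first in PATH

    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi

    # The probe string is the widely published one-liner. A patched bash
    # prints only "probe"; a vulnerable one prints "SHOCKED" first.
    out=$(env HTTP_USER_AGENT='() { :;}; echo SHOCKED' \
              "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *SHOCKED*) echo "vulnerable";     return 1 ;;
        *)         echo "not-vulnerable"; return 0 ;;
    esac
}

# Usage: sh shellshock_check.sh [/path/to/bash]
shellshock_check "$@"
```

The verdict is printed and also returned as the exit status (0 clean, 1 vulnerable, 2 no bash found), so it can be dropped into a larger audit script. Note that this only checks the first Shellshock CVE; the incomplete initial patch had follow-up CVEs with their own probes, so "not-vulnerable" here means "not trivially vulnerable", not "fully patched".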

