Roku jailbreak allows users to control the channels they install
The GTV hacker team has been revealing ways to gain root access on Roku devices for many years. Now operating under the banner of Exploitee.rs, they have again pointed out software vulnerabilities in the streaming hardware.
According to RootMyRoku developer llamasoft, the exploit takes advantage of a pair of vulnerabilities to enable a persistent root jailbreak. It should work on devices running RokuOS v9.4.0 that have a Realtek WiFi chip, which includes "almost all" Roku TVs and some of the boxes. RokuOS 10 blocks this particular method, but you may not have received the update yet.
Obviously this is useful for enthusiasts wanting more control of their box, but it does present some security issues, and on the GitHub page, the developer pleads with Roku to follow the lead of other companies in creating a bug bounty program. That would pay people who find these exploits, giving them more of a reason to find and highlight them so they can be fixed, rather than enabling any kind of nefarious activity.
Update (5/18): Roku has replied with a statement, noting that customer data has not been exposed. The company also says it has mitigated the vulnerabilities in devices running Roku OS 9.4.
As part of our continuous monitoring, the Roku security team identified and addressed vulnerabilities in the Roku OS – though these vulnerabilities did not expose customer data and we did not identify any malicious activity. We always want to do everything we can to maintain a secure environment for Roku, our partners, and our users, and we therefore mitigated the vulnerabilities and updated Roku OS 9.4 with no impact to the end user experience.