Your TiVo, Roku and Other Devices Give You Away Via Wifi
Or Wi-fi Devices Broadcast Identifying Information
I recently received a Roku Digital Video Player (see Roku.com for more info) and was configuring it to work via wifi. During setup, I had Airport Utility (Apple’s management program for their routers) open and I noticed something interesting.
Once your Roku DVP is connected to your wi-fi network, do the following:
- Open Airport Utility
- Click the Manual Setup button
- This opens the Summary tab. Click the Wireless Clients item
- Click the DHCP Clients tab.
This lists all devices that connect to the router via wifi. The Roku DVP’s client id is its serial number.
Now, why is this important? For three reasons. (1) If you put the box away somewhere and don’t want to move it, you can find out the serial number without disconnecting the box to look at the serial number on the back. NOTE: You can also find the serial number in the Roku screens by:
- press the Home icon button on the Roku remote
- go to Settings
- scroll to, and select, Player Info
(B) there is no B
And (3), does this pose a security issue? The fact that the device serial number is being transmitted over the air might be a problem. I’ll play around with some wifi sniffing tools to see how easy/difficult it is to grab that info. My initial impression is it will not be difficult if using something like Wireshark.
The potential reason for concern: what if someone grabs that serial number and calls Roku pretending to be you? Could they have your box disabled? Transferred to a different account? If someone is close enough to grab your wifi traffic, it wouldn’t be difficult to grab your name and address. It would be even easier if the trend in my neighborhood of using the last name for your router’s SSID is prevalent elsewhere.
Also interesting is that other devices that use wifi (printers, TiVo, iPod Touches, BlackBerrys, etc.) show up with Client IDs that are either their model number, device name or some seemingly random combination of letters and numbers. For example, my iPod Touch shows up with a Client ID of BriTouch, my iPod’s name. If - like a lot of people in my neighborhood - my wifi network’s SSID were my last name, the would-be “ne’er-do-well(s)” would now have my first and last name, as well as my address. This information is usually enough to verify yourself as someone with most companies.
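To audit what your own devices announce when they join the network, the following added example (not from the original post) parses a DHCP request and pulls out the two self-describing fields defined in RFC 2132: host name (option 12) and client identifier (option 61). It assumes the Client ID shown in Airport Utility comes from one of these two options, which the post does not specify; the MAC address, the placeholder serial and the sample packets are constructed.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # starts the options field (RFC 2131)
SELF_DESCRIBING = {12: "host name", 61: "client identifier"}  # RFC 2132 codes

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a BOOTP/DHCP message."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                        # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[code] = value
        i += 2 + length
    return options

def announced_identifiers(packet: bytes) -> dict:
    """Map option name -> text the device announces about itself."""
    mac = packet[28:34]                           # chaddr field
    found = {}
    for code, value in parse_dhcp_options(packet).items():
        if code == 61:
            # First byte is a type; type 1 + MAC reveals nothing new.
            if value == b"\x01" + mac:
                continue
            value = value[1:]
        if code in SELF_DESCRIBING:
            found[SELF_DESCRIBING[code]] = value.decode("ascii", "replace")
    return found

def build_sample(mac: bytes, options: list) -> bytes:
    """Constructed DHCPREQUEST for this demo, not a capture."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0) + bytes(16)
    fixed += mac + bytes(10) + bytes(192)         # chaddr, sname, file
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return fixed + MAGIC_COOKIE + body + b"\xff"

MAC = b"\x02\x00\x00\x00\x00\x01"                 # constructed address
PLAYER = build_sample(MAC, [(53, b"\x03"), (61, b"\x01" + MAC),
                            (12, b"EXAMPLESERIAL001")])  # placeholder serial
IPOD = build_sample(MAC, [(53, b"\x03"), (12, b"BriTouch")])
```

Calling `announced_identifiers(PLAYER)` reports only the host name, because the client identifier in that sample merely repeats the MAC address. Renaming a device to something that is not your name changes what appears here; a serial number set by the manufacturer may not be changeable.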
Brain Dump: A Web-o Blag