Hacking Around with FiOS’ Motorola Set Top Boxes


I apologize for this extremely technical post. If you don’t understand technology, go read something else. Otherwise…

I am a very nosy person when it comes to my home network (must be the admin in me). I looked in the router and noticed an automatic port forwarding rule was added, forwarding any TCP traffic to 192.168.1.101:8082 (which is my set top box). When accessed from a browser, I get a Motorola login prompt, but have no idea what the password is. If anyone knows, throw it in the comments. So there is a web-based interface to the STB which I can’t access. Interesting.

So Verizon has an Android app that controls my DVR from on the go. Apparently, it authorizes with the box using a PIN and the cell phone number, and then is able to connect to the home network and schedule a recording. Which gave me an idea…

If I ARP poison my router and do a man-in-the-middle attack, I could essentially packet-sniff traffic coming to the router and passing to the box. So I set that up and then sent a command to DVR something from my phone. No dice – Verizon uses SSL certificates and it knew something was bonked, so I couldn’t even communicate with the DVR from my phone. Very cool, how they’re using SSL – it keeps people like me (or real hackers) from sniffing my own traffic.

There was a ton of UDP traffic, and here are some interesting things I pulled out of the packet sniffer:

  • User Agent of something (maybe the STB): Mozilla/4.0 (compatible; AP:Fios-Mercury/09.97; PL: Motorola-DCT/23.51; BX:### UA: ##### U; en-US)
  • Yeah, most of the rest of it is useless…

I’m sure I can get some Defcon guys to break in, I’m just not that good. And now, back to doing nothing.