The Roku is a small computer that enables you to stream videos and music to your TV. Before the rise of smart TVs it was one of the easiest ways to watch Netflix in your living room, and it still seems to be thriving. I hadn't thought much about them until I recently saw a great series of posts on Reddit on the security of the Roku:
- Roku API doesn't have authentication and allows remote reboot: http://x42.obscurechannel.com/2015/07/25/restart-a-roku-via-bash/
- Roku WPS Pin cracked: http://x42.obscurechannel.com/2015/07/26/cracking-the-roku-v2-wpa2-psk/
Much of the smart TV world is full of low-hanging fruit in terms of security. For example, this is me running a network scan on my Vizio TV:
In case you can't make it out: scanning the TV with Nmap launches an update and shows the application menu, no authentication required. As such, it isn't a huge surprise to learn that the Roku offers an API to control the device that doesn't have authentication enabled. And to be fair, the use case for the API is to allow local users to control their Roku from their phone. The devices aren't meant to be directly exposed on the Internet.

Aside from the security implications, this also provides an opportunity to learn a bit about which Roku devices are most popular and which apps users install the most. First, I scanned the Internet for devices and then downloaded the results. If you have access to the Shodan command-line client you can get the data using:
```
shodan download --limit -1 roku-data "port:8060 Roku"
```
It seems there are around 1,868 Roku devices directly on the Internet as of July 26, 2015. I expect this number to fluctuate depending on the timezone in which the scan is performed, but it's a good starting point to learn more about Roku's usage. To start off, I wanted to learn which Roku devices sell the most, so here is a ranking of the Top 10 Most Popular Roku devices:
- Roku 3: 514
- Roku Stick: 376
- Roku 2: 169
- Roku 2 XD: 163
- Roku 2 XS: 161
- Roku LT: 121
- Roku 1: 116
- Roku HD: 93
- Roku Streaming Player 2050X: 41
- Roku Streaming Player 2100X: 28
The total number of devices isn't huge but I think it's awesome that we can empirically measure which products sell the most using real data. And it's interesting that the most expensive model, the Roku 3, is also the most popular one. Usually, the low- and mid-range models for a product are most visible on the Internet but that isn't the case this time. In terms of specific model numbers the breakdown is as follows:
- 4200X: 538
- 3500X: 350
- 3050X: 163
- 3100X: 162
- 2720X: 146
- 2500X: 93
- 2400SK: 61
- 2050X: 41
- 2100X: 28
- 2400X: 28
Finally, I wanted to see which channels are most commonly installed on Roku devices. The Roku API will happily tell you all the channels that the device has running, so I gathered all the data and am making it accessible via 2 Gists:
- List of Channels: https://gist.github.com/achillean/110dd0fdd8d42c6fe08e
- List of Channels with Versions: https://gist.github.com/achillean/32b8f31b9072fd98a986
The Top 10 Channels as determined via Shodan are:
- Netflix
- Amazon Instant Video
- Hulu Plus
- VUDU
- Pandora
- YouTube
- Crackle
- Blockbuster
- Popcornflix
- Rdio
I was really surprised to see Blockbuster on this list, since I thought they were dead but apparently the video streaming is still online. Naturally, I wanted to compare my list to the official most popular channels on the Roku website. Theirs is:
- Netflix (-)
- Hulu Plus (+1)
- Amazon Instant Video (-1)
- Sling TV (+22)
- HBO GO (+11)
- Crackle (+1)
- Time Warner Cable (+39)
- PBS (+10)
- VUDU (-5)
- Acorn TV (+55)
The difference between the Shodan ranking and the Roku ranking is given in parentheses. For example, Hulu Plus moved up 1 rank in the Roku ranking while VUDU fell 5 compared to Shodan's. The sample size is much smaller than what Roku has, and maybe people who put Roku devices on the Internet simply prefer YouTube over PBS or Acorn TV. But Sling TV, Time Warner Cable and Acorn TV aren't anywhere close to the top 10 in the Shodan ranking, yet they're very high in Roku's list.
It's also possible to determine how often people update/patch their channels. For example, this is the breakdown for the various versions of the Netflix channel:
Application | Version | Count |
---|---|---|
Netflix | 3.1.6040 | 694 |
Netflix | 4.2.14 | 406 |
Netflix | 4.1.214 | 292 |
Netflix | 2.5.1 | 115 |
Netflix | 4.2.12 | 65 |
Netflix | 4.2.6 | 9 |
Netflix | 3.1.6038 | 2 |
Based on these results it looks like most customers don't update their channels/apps on the Roku. For a complete breakdown of all versions and apps please check out the CSV. Let me know if you find anything interesting/cool/weird in the data!
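
An added example, not code from the original post: one way to build a channel ranking and a per-version breakdown like the ones above from collected channel lists. It assumes each device's reply is the XML returned by the Roku API's `/query/apps` endpoint; the sample responses, app ids and non-Netflix version strings are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample responses, one per device (not real scan data). The app
# ids and the non-Netflix version strings are made up for illustration.
SAMPLE_RESPONSES = [
    '<apps><app id="12" version="4.2.14">Netflix</app>'
    '<app id="13" version="5.1.2">Amazon Instant Video</app></apps>',
    '<apps><app id="12" version="3.1.6040">Netflix</app>'
    '<app id="2285" version="4.0.1">Hulu Plus</app></apps>',
    '<apps><app id="12" version="3.1.6040">Netflix</app>'
    '<app id="837" version="1.0.8">YouTube</app></apps>',
    '<apps><app id="12" version="3.1.6040">Netflix</app>',  # truncated reply
    '<!DOCTYPE apps [<!ENTITY a "aaaa">]><apps><app id="1" version="1">&a;</app></apps>',
]

def parse_apps(xml_text):
    """Return the set of (channel, version) pairs reported by one device."""
    # Responses come from untrusted hosts: refuse DTDs (entity expansion)
    # and treat malformed or truncated XML as "no data" instead of crashing.
    if "<!DOCTYPE" in xml_text.upper():
        return set()
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return set()
    return {((app.text or "").strip(), app.get("version", "unknown"))
            for app in root.iter("app") if (app.text or "").strip()}

def tally(responses):
    """Count devices per channel and per (channel, version); count skipped replies."""
    channels, versions, skipped = Counter(), Counter(), 0
    for xml_text in responses:
        apps = parse_apps(xml_text)
        if not apps:
            skipped += 1
            continue
        channels.update({name for name, _ in apps})  # one vote per device
        versions.update(apps)
    return channels, versions, skipped

def version_breakdown(versions, channel):
    """Rows of (version, device count) for one channel, most common first."""
    rows = [(ver, n) for (name, ver), n in versions.items() if name == channel]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    channels, versions, skipped = tally(SAMPLE_RESPONSES)
    print(channels.most_common(10), "skipped:", skipped)
    for ver, n in version_breakdown(versions, "Netflix"):
        print(f"Netflix | {ver} | {n} |")
```

The same inventory run against devices on your own network shows which channels are behind on updates.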