
Streamers and security



This is a subject for the experts really, maybe that’s why I don’t see much discussion about it here. But streamers (and other network connected music players) are IOT devices and the security flaws of IOT are the talk of the town. 
 

Manufacturers of audio equipment never mention much about information security. They should, right? At least to show us they have thought about it.  

Say NO to ROON

Link to comment

Not all are IOT devices. Many are just internet devices like other computers and have similar security. 

Main listening (small home office):

Main setup: Surge protector +>Isol-8 Mini sub Axis Power Strip/Isolation>QuietPC Low Noise Server>Roon (Audiolense DRC)>Stack Audio Link II>Kii Control>Kii Three (on their own electric circuit) >GIK Room Treatments.

Secondary Path: Server with Audiolense RC>RPi4 or analog>Cayin iDAC6 MKII (tube mode) (XLR)>Kii Three .

Bedroom: SBTouch to Cambridge Soundworks Desktop Setup.
Living Room/Kitchen: Ropieee (RPi3b+ with touchscreen) + Schiit Modi3E to a pair of Morel Hogtalare. 

All absolute statements about audio are false :)

Link to comment

Anything you connect to your network is a potential pathway through vulnerabilities for hackers to gain access to all of your devices. Even smart light bulbs have been found to have certain vulnerabilities to allow hackers to gain access. The latest advice from the security community is to use the three router process where you use each router's NAT capabilities to create two separate isolated networks, one for your IOT devices and one for your PCs and phones.

 

See https://www.grc.com/sn/sn-545.pdf for a description of the Three Dumb routers configuration.

Link to comment

This is something that many people do not realize.  Our youngest generation is growing up with this as the norm and without having the benefit and experience of living in the not-so-smart world many of us grew up in.  Now everything is connected to the internet and plenty of half-baked freebie apps easily downloadable to your smart devices.  We have smart homes, smart cars, smart audiophile streamers, credit cards etc.  I used to laugh at people that said they do not need the internet but now I am thinking they are not so far out there.  You need to be smart about all this and vigilant with credentials and passwords.  These days based on the latest attack vectors, it is user education that is the best defense, human firewalls in addition to the hardware.

RIG:  iFi Zen Stream - Benchmark DAC3 L - LA4  AHB2 | Paradigm Sig S6 Cables:  anything available

Link to comment

This is exactly what I am working on today. I have been reading Ubiquiti support documents all day and I think I may finally be getting a handle on this. My Sonore device still needs to be on my main network however, so knowing they take security seriously would be nice.

No electron left behind.

Link to comment
On 6/19/2020 at 6:34 PM, Cebolla said:

Case in point - what UPnP/DLNA streamer manufacturers have checked and (where required) updated their devices to comply with the recently updated OCF UPnP Device Architecture 2.0 specification, to avoid the CallStranger vulnerability?

 

I need more time to look into the potential impact, if any, but if I'm not mistaken, typical streamers are not internet-facing in the context of the CallStranger.  Our streamers cannot be accessed or controlled over the internet except via Spotify Connect.

Peter Lie

LUMIN Firmware Lead

Link to comment
54 minutes ago, wklie said:

 

I need more time to look into the potential impact, if any, but if I'm not mistaken, typical streamers are not internet-facing in the context of the CallStranger.  Our streamers cannot be accessed or controlled over the internet except via Spotify Connect.

 

I know Aurender can connect to their server/streamers remotely...

No electron left behind.

Link to comment
1 hour ago, wklie said:

 

I need more time to look into the potential impact, if any, but if I'm not mistaken, typical streamers are not internet-facing in the context of the CallStranger.  Our streamers cannot be accessed or controlled over the internet except via Spotify Connect.

 

I don't believe it is much if anything to do with being directly accessed or controlled over the internet and more about the possibility of rogue UPnP control points on the same network subscribing to the streamer's UPnP events with callback delivery URLs not on the same network that could well be attack targets on the internet. So the UPnP Device Architecture spec change explicitly gets the streamer to actively check subscriber UPnP event URLs and reject any as appropriate.

We are far more united and have far more in common with each other than things that divide us.

-- Jo Cox

Link to comment
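The subscriber-URL check described in the post above, sketched as an added example (not code from this thread or from any manufacturer's firmware): a device-side filter for the `CALLBACK` header of a UPnP `SUBSCRIBE` request. The interface address, the sample header and all function names are constructed for illustration, and the policy of accepting only IP-literal hosts inside the device's own subnet is an assumption about what "reject as appropriate" means.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the streamer's own LAN address and prefix length.
DEVICE_INTERFACE = ipaddress.ip_interface("192.168.1.50/24")

# Constructed CALLBACK header: one LAN control point, one off-network
# address, one hostname.
SAMPLE_CALLBACK = ("<http://192.168.1.20:49152/evt>"
                   "<http://203.0.113.7:80/collect>"
                   "<http://example.invalid/evt>")

_URL_IN_BRACKETS = re.compile(r"<([^<>]*)>")


def parse_callback_header(value):
    """Return the delivery URLs listed in a SUBSCRIBE CALLBACK header."""
    return _URL_IN_BRACKETS.findall(value)


def callback_allowed(url, interface=DEVICE_INTERFACE):
    """True only for an http URL whose host is an IP literal on our subnet."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # raises ValueError for a malformed or out-of-range port
    except ValueError:
        return False
    if parts.scheme.lower() != "http" or not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Hostname rather than IP literal. Assumed policy: reject, so a
        # name that resolves off-network cannot slip through.
        return False
    return addr.version == interface.version and addr in interface.network


def filter_subscription(callback_header, interface=DEVICE_INTERFACE):
    """Split the header's URLs into (accepted, rejected) lists."""
    urls = parse_callback_header(callback_header)
    accepted = [u for u in urls if callback_allowed(u, interface)]
    rejected = [u for u in urls if not callback_allowed(u, interface)]
    return accepted, rejected


def subscribe_status(callback_header, interface=DEVICE_INTERFACE):
    """HTTP status for the SUBSCRIBE: 412 when no usable callback URL remains."""
    accepted, _ = filter_subscription(callback_header, interface)
    return 200 if accepted else 412
```

With the sample header only the `192.168.1.20` URL is kept, so events are never delivered to the other two destinations.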
1 hour ago, gadio4533 said:

Firewall, it all comes through central point.

Well that's the premise and where the controls are effective. Examination of my ex local Asus router shows the protection was a client of McAfee that did sniff out some dubious websites, but would that be clever enough to detect a stream of audio packet data that has an underlying code in it? 

 

If that's the case, the streamer may not need protection and be as dumb as it comes. The more you make protections, the bigger the risk of letting in undesirables, since you can't think of 'everything', seems to be the way of IT, huh, there's something in the future that can cause 'vulnerabilities', another word for IT parlance which means, oh, yeah, forgot/didn't realise about that one.

AS Profile Equipment List        Say NO to MQA

Link to comment

Here's a link about the Lion Breweries ransomware attack. It took a week or so for the plants to be online again and I suppose the IT manager is looking for another job. He could have said 'told you so' and was denied money to upgrade security. Would have been cheaper to upgrade, than face the week of lost production. Production managers aren't the kindest of people on the planet.

AS Profile Equipment List        Say NO to MQA

Link to comment

I have this between everything in my house and the outside world:  https://store.ui.com/collections/unifi-network-routing-switching/products/udm-pro

 

I use 1Password which generates completely random passwords, don't run in admin mode on my computers, have my IoT devices on a separate VLAN, pay for Adguard which seems to work pretty damn well across my Macs and idevices, and have Little Snitch on my Macs to see what's going on.

 

I'm not sure there is anything else I can do to protect a streamer from the outside world.

No electron left behind.

Link to comment
1 hour ago, AudioDoctor said:

I have this between everything in my house and the outside world:  https://store.ui.com/collections/unifi-network-routing-switching/products/udm-pro

 

I use 1Password which generates completely random passwords, don't run in admin mode on my computers, have my IoT devices on a separate VLAN, pay for Adguard which seems to work pretty damn well across my Macs and idevices, and have Little Snitch on my Macs to see what's going on.

 

I'm not sure there is anything else I can do to protect a streamer from the outside world.

Hire one of those Marines you sewed up a while back and put a pic of him holding some bad ass gun as your default picture. :)

Link to comment
On 6/26/2020 at 2:55 PM, One and a half said:

Lion Breweries ransomware attack.

I'd be interested to know how they got compromised.  These days it is almost always a socially engineered attack so probably a typical PEBKAC vector.

RIG:  iFi Zen Stream - Benchmark DAC3 L - LA4  AHB2 | Paradigm Sig S6 Cables:  anything available

Link to comment
On 6/19/2020 at 6:34 PM, Cebolla said:

Case in point - what UPnP/DLNA streamer manufacturers have checked and (where required) updated their devices to comply with the recently updated OCF UPnP Device Architecture 2.0 specification, to avoid the CallStranger vulnerability?

 

Lumin Firmware 13.1 fixes the UPnP CallStranger vulnerability.  It is available for all 10 models of network music players and transports ever released by Lumin, including discontinued models.

 

Thanks for the links.

Peter Lie

LUMIN Firmware Lead

Link to comment
On 6/19/2020 at 10:42 AM, FIndingit said:

Manufacturers of audio equipment never mention much about information security. They should, right? At least to show us they have thought about it.  

 

You can definitely use Lumin to start a list of those streamer / network music player manufacturers that not only show they've thought about security, but also care about it too!

We are far more united and have far more in common with each other than things that divide us.

-- Jo Cox

Link to comment
