Streamers and security

[Cebolla]

Case in point - what UPnP/DLNA streamer manufacturers have checked and (where required) updated their devices to comply with the recently updated OCF UPnP Device Architecture 2.0 specification, to avoid the CallStranger vulnerability?

[Cebolla]

1 hour ago, wklie said:

 

I need more time to look into the potential impact, if any, but If I'm not mistaken, typical streamers are not internet-facing in the context of the CallStranger.  Our streamers cannot be accessed or controlled over the internet except via Spotify Connect.

 

I don't believe it is much if anything to do with being directly accessed or controlled over the internet and more about the possibility of rogue UPnP control points on the same network subscribing to the streamer's UPnP events with callback delivery URLs not on the same network that could well be attack targets on the internet. So the UPnP Device Architecture spec change explicitly gets the streamer to actively check subscriber UPnP event URLs and reject any as appropriate.

[Cebolla]

On 6/19/2020 at 10:42 AM, FIndingit said:

Manufacturers of audio equipment never mention much about information security. They should, right? At least to show us they have thought about it.  

 

You can definitely use Lumin to start a list of those streamer / network music player manufacturers that not only show they've thought about security, but also care about it too!