
This is a subject for the experts really, maybe that’s why I don’t see much discussion about it here. But streamers (and other network connected music players) are IOT devices and the security flaws of IOT are the talk of the town. 
 

Manufacturers of audio equipment never mention much about information security. They should, right? At least to show us they have thought about it.  


Not all are IOT devices. Many are just internet devices like other computers and have similar security. 


Main listening (small home office):

Main setup: Surge protector +_iFi  AC iPurifiers >Isol-8 Mini sub Axis Power Conditioning+Isolation>CAPS IV Pipeline Server + Sonore 12V PS>Roon (Audiolense DRC)>RPi4 (dietpi)>Kii Control>Kii Three >GIK Room Treatments.

Secondary Listening: (1) CAPS Pipeline>Matrix Element i Streamer/DAC (XLR)>Schiit Freya>Kii Three .(2) CAPS>ifi iDAC SPDIF>Kii Control.

Bedroom: SBTouch to Cambridge Soundworks Desktop Setup. Living Room/Kitchen: RB Pi 3B+ running RoPieee to a pair of Morel Hogtalare. 

All absolute statements about audio are false :)


Case in point - what UPnP/DLNA streamer manufacturers have checked and (where required) updated their devices to comply with the recently updated OCF UPnP Device Architecture 2.0 specification, to avoid the CallStranger vulnerability?


We will win because our NHS is the beating heart of this country. It is the best of this country. It is unconquerable. It is powered by love.

-- Boris Johnson

 

We are far more united and have far more in common with each other than things that divide us.

-- Jo Cox


Anything you connect to your network is a potential pathway through vulnerabilities for hackers to gain access to all of your devices. Even smart light bulbs have been found to have certain vulnerabilities that allow hackers to gain access. The latest advice from the security community is to use the three-router process, where you use each router's NAT capabilities to create two separate isolated networks, one for your IOT devices and one for your PCs and phones.

 

See https://www.grc.com/sn/sn-545.pdf for a description of the Three Dumb routers configuration.


This is something that many people do not realize. Our youngest generation is growing up with this as the norm and without having the benefit and experience of living in the not-so-smart world many of us grew up in. Now everything is connected to the internet, and plenty of half-baked freebie apps are easily downloadable to your smart devices. We have smart homes, smart cars, smart audiophile streamers, credit cards etc. I used to laugh at people that said they do not need the internet, but now I am thinking they are not so far out there. You need to be smart about all this and vigilant with credentials and passwords. These days, based on the latest attack vectors, it is user education that is the best defense: human firewalls in addition to the hardware.


RIG:  MB Pro - Benchmark DAC3 L Nord SE NC500 MKII | Paradigm Sig S6 Cables:   Van Damme XLR Canare 4S11 Biwire Lifatec optical Wireworld power


This is exactly what I am working on today. I have been reading Ubiquiti support documents all day and I think I may finally be getting a handle on this. My Sonore device still needs to be on my main network however, so knowing they take security seriously would be nice.


No electron left behind...

On 6/19/2020 at 6:34 PM, Cebolla said:

Case in point - what UPnP/DLNA streamer manufacturers have checked and (where required) updated their devices to comply with the recently updated OCF UPnP Device Architecture 2.0 specification, to avoid the CallStranger vulnerability?

 

I need more time to look into the potential impact, if any, but if I'm not mistaken, typical streamers are not internet-facing in the context of CallStranger. Our streamers cannot be accessed or controlled over the internet except via Spotify Connect.


Peter Lie

LUMIN Firmware Lead

54 minutes ago, wklie said:

 

I need more time to look into the potential impact, if any, but if I'm not mistaken, typical streamers are not internet-facing in the context of CallStranger. Our streamers cannot be accessed or controlled over the internet except via Spotify Connect.

 

I know Aurender can connect to their server/streamers remotely...


1 hour ago, wklie said:

 

I need more time to look into the potential impact, if any, but if I'm not mistaken, typical streamers are not internet-facing in the context of CallStranger. Our streamers cannot be accessed or controlled over the internet except via Spotify Connect.

 

I don't believe it has much, if anything, to do with being directly accessed or controlled over the internet. It is more about the possibility of rogue UPnP control points on the same network subscribing to the streamer's UPnP events with callback delivery URLs that are not on the same network, which could well be attack targets on the internet. So the UPnP Device Architecture spec change explicitly gets the streamer to actively check subscriber UPnP event URLs and reject any as appropriate.


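The check described in the post above, as an added example that is not code from the original thread, from LUMIN, or from any UPnP stack: the device parses the CALLBACK header of an incoming SUBSCRIBE request and accepts the subscription only if every delivery URL is a plain-http IP literal inside the device's own subnet. The subnet value is a constructed assumption; the "reject hostnames, not just off-net addresses" rule is this example's own hardening choice, not text from the spec.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption for the example: the streamer sits on this LAN (constructed value).
DEVICE_NETWORK = ipaddress.ip_network("192.168.1.0/24")

# A CALLBACK header carries one or more '<url>' entries back to back.
CALLBACK_RE = re.compile(r"<([^>]+)>")


def parse_callback(header):
    """Split a SUBSCRIBE CALLBACK header value into its delivery URLs.

    Example value: '<http://192.168.1.20:49152/notify><http://192.168.1.20:49153/n2>'
    """
    return CALLBACK_RE.findall(header)


def callback_is_local(url, network=DEVICE_NETWORK):
    """True only for plain http URLs whose host is an IP literal in `network`.

    Hostnames are rejected outright: the device cannot tell where a name
    resolves to, so a literal address is the only thing it can vet.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False  # a hostname, not an address literal
    return host in network


def accept_subscription(callback_header, network=DEVICE_NETWORK):
    """Decide whether a SUBSCRIBE request may be accepted.

    Every URL must pass; a single off-network URL rejects the whole
    subscription, so an event NOTIFY can never be sent toward the internet.
    An empty or unparsable header is rejected as well.
    """
    urls = parse_callback(callback_header)
    if not urls:
        return False
    return all(callback_is_local(u, network) for u in urls)
```

On rejection the device would answer the SUBSCRIBE with an error status instead of creating the subscription; logging the offending URL and the requester's address gives a useful signal that something on the LAN is probing for this behaviour.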

Where does the packet inspection of routers come into the equation? Aren't they up to spec or is there a device that sniffs threats out?

 

I gather anything can be compromised if the lure of ransomware is enough, e.g. Lion Breweries.


AS Profile Equipment List        Say NO to MQA

1 hour ago, gadio4533 said:

Firewall, it all comes through a central point.

Well, that's the premise and where the controls are effective. Examination of my ex local Asus router shows the protection was a client of McAfee that did sniff out some dubious websites, but would that be clever enough to detect a stream of audio packet data that has an underlying code in it?

 

If that's the case, the streamer may not need protection and can be as dumb as it comes. The more protections you make, the bigger the risk of letting in undesirables, since you can't think of 'everything'. That seems to be the way of IT, huh: there's something in the future that can cause 'vulnerabilities', another word in IT parlance which means, oh, yeah, forgot/didn't realise about that one.



Here's a link about the Lion Breweries ransomware attack. It took a week or so for the plants to be online again, and I suppose the IT manager is looking for another job. He could have said 'told you so' and was denied money to upgrade security. It would have been cheaper to upgrade than to face the week of lost production. Production managers aren't the kindest of people on the planet.



I have this between everything in my house and the outside world:  https://store.ui.com/collections/unifi-network-routing-switching/products/udm-pro

 

I use 1Password which generates completely random passwords, don't run in admin mode on my computers, have my IoT devices on a separate VLAN, pay for Adguard which seems to work pretty damn well across my Macs and idevices, and have Little Snitch on my Macs to see what's going on.

 

I'm not sure there is anything else I can do to protect a streamer from the outside world.


1 hour ago, AudioDoctor said:

I have this between everything in my house and the outside world:  https://store.ui.com/collections/unifi-network-routing-switching/products/udm-pro

 

I use 1Password which generates completely random passwords, don't run in admin mode on my computers, have my IoT devices on a separate VLAN, pay for Adguard which seems to work pretty damn well across my Macs and idevices, and have Little Snitch on my Macs to see what's going on.

 

I'm not sure there is anything else I can do to protect a streamer from the outside world.

Hire one of those Marines you sewed up a while back and put a pic of him holding some bad ass gun as your default picture. :)

1 hour ago, bobflood said:

Hire one of those Marines you sewed up a while back and put a pic of him holding some bad ass gun as your default picture. :)

 

Will a picture of me saying GRRRR work?


On 6/26/2020 at 2:55 PM, One and a half said:

Lion Breweries ransomware attack.

I'd be interested to know how they got compromised. These days it is almost always a socially engineered attack, so probably a typical PEBKAC vector.



I am in contact with our UPnP stack provider for this issue.

 

Although this task shall remain on my To-Do list in the coming weeks or months, this post does not constitute a promise to address this issue.


Peter Lie

LUMIN Firmware Lead

