
Roon Arc and Mobile



I won't be using ARC, but I agree that it sounds like a mess from a security standpoint.

 

The only way I would even consider using it would be by setting up OpenVPN or similar on the firewall/router and using the matching VPN app on the phone with certificate-based authentication. Connect to the VPN, then play your music through ARC.

 

At that point, you've done all you can to protect yourself if the use of this feature is important to you.

 

I am curious though, does this mean Roon is now allowing routed RAAT or does the rat get kicked to the curb while using this feature?

 

 

6 hours ago, The Computer Audiophile said:

Had you heard UPnP can be used nefariously?

 

Yes, no doubt. Hence also I use iPfire. But I haven’t heard those services mentioned being an issue. And not related to UPnP. 

6 hours ago, rn701 said:

Nice update. ARC missing some things like access to bookmarks, Tidal mixes/new releases.

 

Plus, normal people aren't going to be able to figure out the setup. I can't imagine recommending it to a friend or relative, then having to try to explain it.


I think I’m normal and I was able to explain ARC to my friend. I was even able to set it up!

 

My wife would probably debate my “normality” 😂

 

 

Steve Plaskin

4 hours ago, ale76 said:

I am no tech expert, but UPnP is not a must-have for ARC.

I manually opened the port I needed for the Core to see ARC and it works like a charm.  

 

They are saying it is for the phone add-on to be connected remotely.

Current:  Daphile on an AMD A10-9500 with 16 GB RAM

DAC - TEAC UD-501 DAC 

Pre-amp - Rotel RC-1590

Amplification - Benchmark AHB2 amplifier

Speakers - Revel M126Be with 2 REL 7/ti subwoofers

Cables - Tara Labs RSC Reference and Blue Jean Cable Balanced Interconnects


I WOULD never use UPnP. It is turned off on all my devices. The system has a built-in fundamental flaw. Hence why all the IoT devices are vulnerable.

 

In a perfect world, it might be OK. We live in not so good times.

12 minutes ago, botrytis said:

I WOULD never use UPnP. It is turned off on all my devices. The system has a built-in fundamental flaw. Hence why all the IoT devices are vulnerable.

 

In a perfect world, it might be OK. We live in not so good times.

From Danny at Roon:

 

Roon authenticates your user credentials and uses an encrypted transport. No unintended users can access your Roon.

If Roon is not running, then no one listens on the port that is forwarded, so nothing external can access anything inside your network. It’s like a phone number that never answers.

If somehow you already had rogue/malicious software on your network, it could access your network freely and it doesn’t need to open ports at all. It can tunnel traffic from the outside to the inside freely. UPnP or not, it’s game over if you have malicious software inside the network.

Those claiming that the UPnP setting makes your network insecure are clearly not familiar with how malicious software works. If some rogue software could configure your router to open ports, it can also do that by opening an outbound tunnel. In fact, it’s probably more reliable to open the tunnel than it is to mess around with the router variations and UPnP/NATPMP/PCP support. But forget about tunnels or ports, it can just do the nefarious actions itself. At that point, it’s all up to local OS security.

Steve Plaskin

3 minutes ago, R1200CL said:

I suspect Danny D has an idea about what he talks about 😀

 

Not based on what the EXPERTS in Networking and Internet Security say. I trust them more.

 

Remember, not everyone knows everything.

22 minutes ago, Mercman said:

From Danny at Roon:

 

Roon authenticates your user credentials and uses an encrypted transport. No unintended users can access your Roon.

If Roon is not running, then no one listens on the port that is forwarded, so nothing external can access anything inside your network. It’s like a phone number that never answers.

If somehow you already had rogue/malicious software on your network, it could access your network freely and it doesn’t need to open ports at all. It can tunnel traffic from the outside to the inside freely. UPnP or not, it’s game over if you have malicious software inside the network.

Those claiming that the UPnP setting makes your network insecure are clearly not familiar with how malicious software works. If some rogue software could configure your router to open ports, it can also do that by opening an outbound tunnel. In fact, it’s probably more reliable to open the tunnel than it is to mess around with the router variations and UPnP/NATPMP/PCP support. But forget about tunnels or ports, it can just do the nefarious actions itself. At that point, it’s all up to local OS security.

 

18 minutes ago, R1200CL said:

I suspect Danny D has an idea about what he talks about 😀

 

Danny is a smart guy, but we should look at history as being the best predictor of the future.  

 

Here is just one example of many. 

 

https://www.minim.com/blog/the-upnp-security-exploit-affecting-millions-of-home-devices

 

"A UPnP capability called SUBSCRIBE allows for substantial amounts of data to be processed by these devices, leading to a Distributed Denial of Service (DDoS) attack. The large-scale vulnerability has been given the entry number of CVE-2020-12695, now named CallStranger.

 

The DDoS attack that CallStranger causes is performed by convincing devices to send status updates and periodic capability announcements to third parties. This quickly adds up with the sheer number of devices causing a DDoS of a remote targeted service, but the devices themselves will be largely unaffected.

 

Detecting the CallStranger exploit is tricky because of this, so Minim picks up on the excessive activity it causes, rather than the malware itself. According to Sam Stelfox, a Software Engineer at Minim, users would be able to tell if they’re affected by CallStranger by a network slowdown: “It could also potentially be chained with other vulnerabilities on a device to do even more damage.”

 

CallStranger: a UPnP exploit

 

CallStranger exploits a security flaw in the Universal Plug and Play network protocol and was first reported on by Yunus Çadırcı, the Cyber Security Senior Manager at EY Turkey. The vulnerability can be used to:

 

  • Bypass DLP and network security devices to steal data
  • Utilize millions of Internet-facing UPnP-enabled devices as a source of amplified reflected TCP DDoS
  • Scanning internal ports from Internet-facing UPnP devices

 

Çadırcı speculates that it may take a long time for vendors to provide the necessary patches to prevent the malware from exploiting the protocol because it’s an issue with the protocol itself, rather than a platform or software-specific issue. However, the good news for the technically advanced is that he’s developed a script to check for the malware."

Founder of Audiophile Style | My Audio Systems
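As an added detection example (not from the Minim article, Roon, or any poster here): the quoted text describes devices dutifully sending event notifications to whatever CALLBACK URL a SUBSCRIBE request names, so a gateway or IDS can flag subscriptions whose callback target lies outside the LAN, which is what CallStranger-style reflection or exfiltration looks like on the wire. The sample requests and the LAN ranges are constructed assumptions.

```python
"""Flag UPnP SUBSCRIBE requests whose CALLBACK points outside the LAN.
CallStranger (CVE-2020-12695) abuses that header: a device sends event NOTIFYs
to whatever URL it is handed, so an Internet callback means reflection or
exfiltration rather than legitimate eventing."""
import ipaddress
import re
from urllib.parse import urlparse
# Address space in which a home device's event subscribers legitimately live.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample requests (hypothetical, not taken from any real capture).
SAMPLE_REQUESTS = [
    "SUBSCRIBE /upnp/event/basic HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify>\r\nNT: upnp:event\r\n\r\n",
    "SUBSCRIBE /upnp/event/basic HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify><http://203.0.113.9:80/>\r\n"
    "NT: upnp:event\r\n\r\n",
    "SUBSCRIBE /upnp/event/basic HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://victim.example:443/>\r\nNT: upnp:event\r\n\r\n",
]

def callback_urls(request):
    """Return every URL in the CALLBACK header (UPnP allows several, each in <>)."""
    m = re.search(r"^CALLBACK:[ \t]*(.+?)\r?$", request, re.IGNORECASE | re.MULTILINE)
    return re.findall(r"<([^>]+)>", m.group(1)) if m else []

def is_external(url):
    """True unless the callback host is a LAN, loopback or link-local address.
    Hostnames count as external: the device would resolve them itself."""
    host = urlparse(url).hostname
    if host is None:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(addr in net for net in LAN_NETS)

def suspicious_subscribes(requests):
    """Return [(index, [external callback URLs])] for each request to flag."""
    findings = []
    for i, req in enumerate(requests):
        ext = [u for u in callback_urls(req) if is_external(u)]
        if ext:
            findings.append((i, ext))
    return findings
```

A router that rejects UPnP from the WAN side, as later posters describe, removes the Internet-facing case entirely; this check is for spotting the same pattern from inside the LAN.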


UPnP-enabled Home Devices and Vulnerabilities

 

"Earlier this year, users of Chromecast streaming dongles, Google Home devices, and smart TVs were inundated with a message promoting YouTuber PewDiePie’s channel. The hijacking is said to be part of an ongoing subscriber count battle on the video sharing site. The hackers behind it reportedly took advantage of poorly configured routers that had the Universal Plug and Play (UPnP) service enabled, which caused the routers to forward public ports to the private devices and be open to the public internet."

 

https://www.trendmicro.com/en_us/research/19/c/upnp-enabled-connected-devices-in-home-unpatched-known-vulnerabilities.html

 

4 minutes ago, botrytis said:

Absolutely. One of the huge issues is that many routers either haven't been updated or can't be updated to protect against even the known vulnerabilities. Plus, how many audiophiles can tell if their router is running the latest version of UPnP? I'd say less than 1%. Not because they aren't capable, but because there is no way to do it without root access to the device, in most cases. 

4 minutes ago, The Computer Audiophile said:

Absolutely. One of the huge issues is that many routers either haven't been updated or can't be updated to protect against even the known vulnerabilities. Plus, how many audiophiles can tell if their router is running the latest version of UPnP? I'd say less than 1%. Not because they aren't capable, but because there is no way to do it without root access to the device, in most cases. 

 

Spot on. I keep my router up to date and it is set to reject UPnP queries.


The old saying is anything made by humans is flawed. There is no perfect product.

 

It is low, as Audiophiledom is a minority of users, but eyes open.

14 hours ago, ale76 said:

Yep, got that.

What I am saying is that I connected my phone remotely using the ARC app by opening a port on my firewall. No need to enable UPnP.

I don't know why this isn't clearer. UPnP is just if you want to have Roon configure ARC port forwarding automatically. You can simply do this manually on your router and not have to worry about enabling UPnP. It's not required for ARC to work.

