rn701 Posted September 20, 2022
Nice update. ARC is missing some things like access to bookmarks, Tidal mixes/new releases. Plus, normal people aren't going to be able to figure out the setup. I can't imagine recommending it to a friend or relative, then having to try to explain it.
cjf Posted September 21, 2022
I won't be using ARC, but I agree that it sounds like a mess from a security standpoint. The only way I would even consider using it would be by setting up OpenVPN or similar on the firewall/router and using the matching VPN app on the phone with certificate-based authentication. Connect to the VPN, then play your music through ARC. At that point, you've done all you can to protect yourself if the use of this feature is important to you. I am curious though, does this mean Roon is now allowing routed RAAT, or does the rat get kicked to the curb while using this feature?
My Audio System - Last Updated May 20 2021
The Computer Audiophile (Author) Posted September 21, 2022
2 minutes ago, cjf said: "I am curious though, does this mean Roon is now allowing routed RAAT, or does the rat get kicked to the curb while using this feature?"
That's a great question. Ravenna works over a WAN link :~)
Founder of Audiophile Style | My Audio Systems
R1200CL Posted September 21, 2022
6 hours ago, The Computer Audiophile said: "Had you heard UPnP can be used nefariously?"
Yes, no doubt. Hence I also use IPFire. But I haven't heard those services mentioned as being an issue. And not related to UPnP.
R1200CL Posted September 21, 2022
1 hour ago, cjf said: "Connect to the VPN, then play your music through ARC."
That I've been doing for a long time. Don't need ARC. (Using IPFire.)
Mercman Posted September 21, 2022
6 hours ago, rn701 said: "Nice update. ARC is missing some things like access to bookmarks, Tidal mixes/new releases. Plus, normal people aren't going to be able to figure out the setup. I can't imagine recommending it to a friend or relative, then having to try to explain it."
I think I'm normal and I was able to explain ARC to my friend. I was even able to set it up! My wife would probably debate my "normality" 😂
ale76 Posted September 21, 2022
14 hours ago, botrytis said: "...says NOT to use UPnP."
I am no tech expert, but UPnP is not a must-have for ARC. I manually opened the port I needed for the Core to see ARC and it works like a charm.
botrytis Posted September 21, 2022
4 hours ago, ale76 said: "I am no tech expert, but UPnP is not a must-have for ARC. I manually opened the port I needed for the Core to see ARC and it works like a charm."
They are saying that for the phone add-on to be connected remotely.
Current: Daphile on an AMD A10-9500 with 16 GB RAM; DAC - TEAC UD-501 DAC; Pre-amp - Rotel RC-1590; Amplification - Benchmark AHB2 amplifier; Speakers - Revel M126Be with 2 REL 7/ti subwoofers; Cables - Tara Labs RSC Reference and Blue Jean Cable Balanced Interconnects
The Computer Audiophile (Author) Posted September 21, 2022
UPnP is recommended by Roon, not required. The other option is manually forwarding the port.
botrytis Posted September 21, 2022
I WOULD never use UPnP. It is turned off on all my devices. The system has a built-in fundamental flaw. Hence why all the IoT devices are vulnerable. In a perfect world, it might be OK. We live in not so good times.
Mercman Posted September 21, 2022
12 minutes ago, botrytis said: "I WOULD never use UPnP. It is turned off on all my devices. The system has a built-in fundamental flaw. Hence why all the IoT devices are vulnerable. In a perfect world, it might be OK. We live in not so good times."
From Danny at Roon:
"Roon authenticates your user credentials and uses an encrypted transport. No unintended users can access your Roon. If Roon is not running, then no one listens on the port that is forwarded, so nothing external can access anything inside your network. It's like a phone number that never answers.
If somehow you already had rogue/malicious software on your network, it could access your network freely and it doesn't need to open ports at all. It can tunnel traffic from the outside to the inside freely. UPnP or not, it's game over if you have malicious software inside the network.
Those claiming that the UPnP setting makes your network insecure are clearly not familiar with how malicious software works. If some rogue software could configure your router to open ports, it can also do that by opening an outbound tunnel. In fact, it's probably more reliable to open the tunnel than it is to mess around with the router variations and UPnP/NAT-PMP/PCP support. But forget about tunnels or ports, it can just do the nefarious actions itself. At that point, it's all up to local OS security."
R1200CL Posted September 21, 2022
I suspect Danny D. has an idea about what he talks about 😀
botrytis Posted September 21, 2022
3 minutes ago, R1200CL said: "I suspect Danny D. has an idea about what he talks about 😀"
Not based on what the EXPERTS in networking and Internet security say. I trust them more. Remember, not everyone knows everything.
The Computer Audiophile (Author) Posted September 21, 2022
22 minutes ago, Mercman said: "From Danny at Roon: Roon authenticates your user credentials and uses an encrypted transport. No unintended users can access your Roon. If Roon is not running, then no one listens on the port that is forwarded, so nothing external can access anything inside your network. It's like a phone number that never answers. If somehow you already had rogue/malicious software on your network, it could access your network freely and it doesn't need to open ports at all. It can tunnel traffic from the outside to the inside freely. UPnP or not, it's game over if you have malicious software inside the network. Those claiming that the UPnP setting makes your network insecure are clearly not familiar with how malicious software works. If some rogue software could configure your router to open ports, it can also do that by opening an outbound tunnel. In fact, it's probably more reliable to open the tunnel than it is to mess around with the router variations and UPnP/NAT-PMP/PCP support. But forget about tunnels or ports, it can just do the nefarious actions itself. At that point, it's all up to local OS security."
18 minutes ago, R1200CL said: "I suspect Danny D. has an idea about what he talks about 😀"
Danny is a smart guy, but we should look at history as being the best predictor of the future. Here is just one example of many.
https://www.minim.com/blog/the-upnp-security-exploit-affecting-millions-of-home-devices
"A UPnP capability called SUBSCRIBE allows for substantial amounts of data to be processed by these devices, leading to a Distributed Denial of Service (DDoS) attack. The large-scale vulnerability has been given the entry number of CVE-2020-12695, now named CallStranger. The DDoS attack that CallStranger causes is performed by convincing devices to send status updates and periodic capability announcements to third parties. This quickly adds up with the sheer number of devices, causing a DDoS of a remote targeted service, but the devices themselves will be largely unaffected. Detecting the CallStranger exploit is tricky because of this, so Minim picks up on the excessive activity it causes, rather than the malware itself. According to Sam Stelfox, a Software Engineer at Minim, users would be able to tell if they're affected by CallStranger by a network slowdown: 'It could also potentially be chained with other vulnerabilities on a device to do even more damage.'
CallStranger: a UPnP exploit
CallStranger exploits a security flaw in the Universal Plug and Play network protocol and was first reported on by Yunus Çadırcı, the Cyber Security Senior Manager at EY Turkey. The vulnerability can be used to:
- Bypass DLP and network security devices to steal data
- Utilize millions of Internet-facing UPnP-enabled devices as a source of amplified reflected TCP DDoS
- Scan internal ports from Internet-facing UPnP devices
Çadırcı speculates that it may take a long time for vendors to provide the necessary patches to prevent the malware from exploiting the protocol because it's an issue with the protocol itself, rather than a platform or software-specific issue. However, the good news for the technically advanced is that he's developed a script to check for the malware."
The Computer Audiophile (Author) Posted September 21, 2022
Home Network Vulnerability — UPnP by Mike Saxton, PhD
https://www.goodwin.edu/enews/faculty-article-home-network-vulnerability-upnp/
The Computer Audiophile (Author) Posted September 21, 2022
UPnP-enabled Home Devices and Vulnerabilities
"Earlier this year, users of Chromecast streaming dongles, Google Home devices, and smart TVs were inundated with a message promoting YouTuber PewDiePie's channel. The hijacking is said to be part of an ongoing subscriber count battle on the video sharing site. The hackers behind it reportedly took advantage of poorly configured routers that had the Universal Plug and Play (UPnP) service enabled, which caused the routers to forward public ports to the private devices and be open to the public internet."
https://www.trendmicro.com/en_us/research/19/c/upnp-enabled-connected-devices-in-home-unpatched-known-vulnerabilities.html
botrytis Posted September 21, 2022
https://security.stackexchange.com/questions/118918/is-upnp-still-insecure
https://www.passwordcoach.com/priority-3-disable-universal-plug-and-play-upnp
https://www.upguard.com/blog/what-is-upnp
https://techgenix.com/what-is-upnp/
I think there is enough info to show UPnP is an accident waiting to happen.
The Computer Audiophile (Author) Posted September 21, 2022
4 minutes ago, botrytis said: "I think there is enough info to show UPnP is an accident waiting to happen."
Absolutely. One of the huge issues is that many routers either haven't been updated or can't be updated to protect against even the known vulnerabilities. Plus, how many audiophiles can tell if their router is running the latest version of UPnP? I'd say less than 1%. Not because they aren't capable, but because there is no way to do it without root access to the device, in most cases.
botrytis Posted September 21, 2022
4 minutes ago, The Computer Audiophile said: "Absolutely. One of the huge issues is that many routers either haven't been updated or can't be updated to protect against even the known vulnerabilities. Plus, how many audiophiles can tell if their router is running the latest version of UPnP? I'd say less than 1%. Not because they aren't capable, but because there is no way to do it without root access to the device, in most cases."
Spot on. I keep my router up to date and it is set to reject UPnP queries.
The Computer Audiophile (Author) Posted September 21, 2022
I also don't think anyone here wants to be alarmist or hate on Roon. There are just some facts that should be brought to light. The Roon team is brilliant. They've created a product about which HiFi companies could only dream. But nothing / nobody is perfect. I'd say the chances of something happening to Roon users with UPnP enabled on their routers is low, if we look at the numbers. The likelihood of something happening to the actual Roon server is incredibly small, to nearly nonexistent. It's all the other UPnP possibilities that people should be concerned with.
botrytis Posted September 21, 2022
The old saying is that anything made by humans is flawed. There is no perfect product. It is low, as Audiophiledom is a minority of users, but eyes open.
ale76 Posted September 21, 2022
2 hours ago, botrytis said: "They are saying that for the phone add-on to be connected remotely."
Yep, got that. What I am saying is that I connected my phone remotely using the ARC app by opening a port on my firewall. No need to enable UPnP.
loop7 Posted September 21, 2022
I spent a few hours with ARC, but I think I may be a bit lazy to stop using Plexamp for streaming music on a NAS that's not available via Apple Music or Qobuz (non-remasters, a few XRCDs, etc.). The security issue has me thinking as well.
ra990 Posted September 22, 2022
14 hours ago, ale76 said: "Yep, got that. What I am saying is that I connected my phone remotely using the ARC app by opening a port on my firewall. No need to enable UPnP."
I don't know why this isn't more clear. UPnP is just if you want to have Roon configure ARC port forwarding automatically. You can simply do this manually on your router and not have to worry about enabling UPnP. It's not required for ARC to work.
ale76 Posted September 22, 2022
2 hours ago, ra990 said: "You can simply do this manually on your router and not have to worry about enabling UPnP. It's not required for ARC to work."
Exactly my point :-)
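Two points in the thread meet here: a port you forward by hand is visible in your router's admin page, while mappings that UPnP has opened for applications usually are not, and "there is no way to tell" what the router is exposing. This added Python script (not from the thread, Roon or any router vendor) is the defender's check for that: it discovers the gateway over SSDP and walks the UPnP IGD port-mapping table with GetGenericPortMappingEntry, so you can see every forwarded port, which LAN host it points at, and who asked for it. The gateway address, paths and the "Roon ARC" description in the test data are constructed for illustration; run it from a machine on the LAN.

```python
import re, socket, sys
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
from urllib.request import Request, urlopen
SSDP = ("239.255.255.250", 1900)
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
NS = "{urn:schemas-upnp-org:device-1-0}"
MSEARCH = (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP[0]}:{SSDP[1]}\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {WANIP}\r\n\r\n')
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalClient", "NewInternalPort", "NewPortMappingDescription")
def parse_location(reply):
    # The LOCATION header of the SSDP reply points at the gateway's device description XML
    return (m := re.search(r"^LOCATION:\s*(\S+)", reply, re.I | re.M)) and m.group(1)
def control_url(desc_xml, base):
    # Find the WANIPConnection service and resolve its controlURL against the description URL
    for svc in ET.fromstring(desc_xml).iter(NS + "service"):
        if svc.findtext(NS + "serviceType") == WANIP:
            return urljoin(base, svc.findtext(NS + "controlURL"))
    return None
def soap_get_mapping(index):
    # GetGenericPortMappingEntry returns one row of the router's UPnP port-forwarding table
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP}"><NewPortMappingIndex>'
            f'{index}</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')
def parse_mapping(resp_xml):
    # Pull the fields describing one forwarded port out of the SOAP response (KeyError if absent)
    vals = {e.tag: (e.text or "") for e in ET.fromstring(resp_xml).iter()}
    return {k: vals[k] for k in FIELDS}
def audit_mappings(ctrl, fetch=None, limit=64):
    # Walk the table by index; past the last entry the router answers with a SOAP fault (HTTP 500)
    hdrs = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'}
    fetch = fetch or (lambda body: urlopen(Request(ctrl, body.encode(), hdrs), timeout=3).read())
    found = []
    for i in range(limit):
        try:
            found.append(parse_mapping(fetch(soap_get_mapping(i))))
        except Exception:           # fault, HTTP error or malformed reply: end of table
            break
    return found
if __name__ == "__main__":          # live audit of the gateway on the local LAN
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    sock.sendto(MSEARCH.encode(), SSDP)
    try:
        loc = parse_location(sock.recv(4096).decode(errors="replace"))
    except socket.timeout:
        sys.exit("no IGD answered: UPnP is off or SSDP is blocked on this LAN")
    for m in audit_mappings(control_url(urlopen(loc, timeout=3).read(), loc)):
        print(m["NewProtocol"], m["NewExternalPort"], "->", m["NewInternalClient"], m["NewInternalPort"], m["NewPortMappingDescription"])
```

A silent run (no IGD answered) is the result you want if you have disabled UPnP on the router; any row you did not create yourself is worth investigating.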