287 points jamesbvaughan | 4 comments
1. xyst No.41083506
Why do speakers even expose a web api in the first place? It’s just easily available without any security?

Hope this person segmented this device away from other devices. The lack of basic security in the IoT space is astounding to me.

replies(3): >>41083589 #>>41083868 #>>41084691 #
2. jamesbvaughan No.41083589
It is concerning. On this particular model, it's available over plain HTTP, provides no auth settings, and provides an easy input for uploading new firmware.

https://jamesbvaughan.com/volume-controller-1/basic-web-inte...

3. giraffe_lady No.41083868
“The S in IoT stands for secure.”
4. denysvitali No.41084691
I was looking for this comment. Basically he managed to get a sort of unauthenticated R/W access to the file system.

This is really concerning