(jamesbvaughan.com)

287 points jamesbvaughan | 1 comments | 25 Jul 24 15:11 UTC | HN request time: 0.22s | source

Show context

xyst ◴[27 Jul 24 00:12 UTC] No.41083506[source]▶

Why do speakers even expose a web api in the first place? It’s just easily available without any security?

Hope this person segmented this device away from other devices. The lack of basic security in the IoT space is astounding to me.

replies(3): >>41083589 #>>41083868 #>>41084691 #

1. jamesbvaughan ◴[27 Jul 24 00:27 UTC] No.41083589[source]▶

>>41083506 #

It is concerning. On this particular model, it's available over plain HTTP, provides no auth settings, and provides an easy input for uploading new firmware.

https://jamesbvaughan.com/volume-controller-1/basic-web-inte...

↑

Reverse-engineering my speakers' API to get reasonable volume control