Thursday, November 03, 2016

Onkyo receivers, very insecure networked devices

I've been working now awhile on my Onkyo Qt ISCP library and there is one not so funny thing about the protocol. There is no authentication or authorization whatsoever. So basically if you happen to be on the same network as a networked Onkyo you can do whatever you like.

From the not-too-bad: Change radio channel, switch input
To the not-so-nice: Turn the volume up as high as it goes, stream something nasty

Even the device setup web interface is open to everyone.

So don't put a networked Onkyo on a public IP and keep it on a private network that no outsiders can access.


No comments: