Aesculus;372658 Wrote:
> Security is not a problem. I have the net firewalled and do not allow
> any incoming connections outside the firewall to that IP address.
>
> Keep in mind that the Net interface is not using the Denon Web
> controller, but the underlying control language (serial) via the IP
> interface. It also allows for 2-way functions which IR cannot do.

A perimeter firewall won't fully protect you. The attacker doesn't need direct access to the Denon; the attacker would use your web browser to attack it.

It looks like the Denon web interface -- unless you have a device *inside* your network blocking web requests from devices *inside your own network*, or unless you can actually disable it -- is vulnerable to CSRF and probably DNS Rebinding attacks. If your PC can connect to port 80 on the Denon, you're probably at risk.

CSRF has been well understood for at least 7 years now; DNS Rebinding for a bit over one year. From what I've seen, the Denon developers didn't defend against either attack.

http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://en.wikipedia.org/wiki/DNS_rebinding

--
peterw
http://www.tux.org/~peterw/
free plugins: http://www.tux.org/~peterw/#slim
AllQuiet BlankSaver ContextMenu FuzzyTime KidsPlay KitchenTimer PlayLog PowerCenter/BottleRocket SaverSwitcher SettingsManager SleepFade StatusFirst SyncOptions VolumeLock
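
Both attacks named in the post above have to be stopped by the device's own web server, since the requests arrive from a browser inside the network. The following is an added example, not part of the original post and not Denon's code: a request check a LAN device's web interface could apply, where the host names, address, method list and token handling are all assumptions made for illustration.

```python
# Added example: server-side checks against DNS rebinding and CSRF.
# ALLOWED_HOSTS, the method list and the token scheme are assumed, not Denon's.
import hmac
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"192.168.1.50", "avr.lan"}  # names the device really answers to
STATE_CHANGING = {"POST", "PUT", "DELETE"}   # assumes GET never changes state


def _hostname(value):
    """Return the lower-cased host part of a Host header or an Origin URL."""
    if "://" not in value:
        value = "//" + value
    try:
        return (urlsplit(value).hostname or "").lower()
    except ValueError:  # malformed bracketed IPv6 literal
        return ""


def check_request(method, headers, session_token=None, form_token=None):
    """Return (allowed, reason) for one HTTP request to the device."""
    # DNS rebinding: the browser connects to the device's IP but still sends
    # the attacker's hostname in Host, so an allow-list on Host rejects it.
    if _hostname(headers.get("Host", "")) not in ALLOWED_HOSTS:
        return False, "host not allowed"
    if method.upper() not in STATE_CHANGING:
        return True, "ok"
    # CSRF: a cross-site form post carries the foreign page's Origin/Referer.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and _hostname(origin) not in ALLOWED_HOSTS:
        return False, "cross-site origin"
    # Per-session token the foreign page cannot read; constant-time compare.
    if not session_token or not form_token:
        return False, "missing csrf token"
    if not hmac.compare_digest(session_token.encode(), form_token.encode()):
        return False, "bad csrf token"
    return True, "ok"
```

A perimeter firewall sees none of these requests, which is why the check has to live in the device or in a filter on the inside network.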
