Access Control
1. There's no authentication challenge presented.
2. The documentation implies that the device is performing access control by only allowing access from a device that is on the local network. Can you explain your algorithm here? It seems that the claim is merely that the algorithm checks that the client address must be in the range of HDHR assigned address subnet. It seems that I should set up a proxy in front of this interface that presents an auth challenge.
Encryption in Transit
Why is the WebUi not at least running 1-way SSL (TLS)?
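The proxy idea raised in the post above, as an added example (not code from SiliconDust or from anyone in this thread): a minimal Python reverse proxy that presents a Basic auth challenge over TLS before relaying GET requests to the device web UI. The username, password, salt, listening port and certificate paths are constructed placeholders, and the proxy only adds protection if the network is arranged so that clients cannot reach the device directly.

```python
import base64, hashlib, hmac, http.server, ssl, urllib.request

UPSTREAM = "http://hdhomerun.local"  # device web UI (hostname from the thread)
USER = "viewer"                      # constructed sample credential
SALT = b"constructed-salt"           # constructed; use a random salt in practice
PW_HASH = hashlib.pbkdf2_hmac("sha256", b"constructed-password", SALT, 200_000)

def authorized(header):
    """True only for a well-formed Basic header carrying the right credentials."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
        user, _, password = raw.partition(":")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 200_000)
    # Constant-time comparisons, both always evaluated.
    user_ok = hmac.compare_digest(user.encode(), USER.encode())
    return hmac.compare_digest(candidate, PW_HASH) and user_ok

class Proxy(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if not authorized(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="hdhomerun"')
            self.end_headers()
            return
        if not self.path.startswith("/"):  # refuse absolute-form targets
            self.send_error(400)
            return
        try:
            with urllib.request.urlopen(UPSTREAM + self.path, timeout=10) as r:
                status, ctype, body = r.status, r.headers.get("Content-Type", "text/html"), r.read()
        except OSError:  # upstream unreachable or returned an error status
            self.send_error(502)
            return
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    server = http.server.ThreadingHTTPServer(("0.0.0.0", 8443), Proxy)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("proxy-cert.pem", "proxy-key.pem")  # placeholder paths
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    server.serve_forever()
```

This relays web UI pages only and buffers each response in memory, so it is not suitable for video streams.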
hdhomerun.local
Re: hdhomerun.local
The HDHomeRun is for use on your home private network, protected from the internet by your home router. Anyone in your home can access it (by design).
There are no restrictions on subnets, although it won't be discovered across a subnet unless you do IPv6 site-multicast routing.
There isn't a login/password or anything else that needs to be secured in transit within your home. Cloud services such as guide and DVR services are secured with TLS.
-
BitShifter
- Posts: 8
- Joined: Tue Nov 04, 2025 1:49 pm
- x 1
Re: hdhomerun.local
Okay. So, it's merely relying on network routing and firewalls. Thus, if someone finds a way to hack themselves a connection on the router, they're in. I know that this isn't a major threat. I was just curious about SiliconDust's cybersec implementation on the device. Thanks.
Re: hdhomerun.local
> BitShifter wrote: Fri Nov 07, 2025 2:14 pm
> Okay. So, it's merely relying on network routing and firewalls. Thus, if someone finds a way to hack themselves a connection on the router, they're in. I know that this isn't a major threat. I was just curious about SiliconDust's cybersec implementation on the device. Thanks.
The thing is, what is this hacker who got into your LAN going to do having access to the HDHomeRun device web pages? They could run a channel scan I guess.
The box itself is secure. There is no telnet/ssh, no serial port, no busybox, no shell of any kind, and no filesystem on flash. Firmware is monolithic, encrypted, and signed. If you connect a hard drive it can only be used for data storage (no executable code, symlink support disabled).
One other fun thing - you know how every device tells you not to remove power while it installs updates?
Feel free to remove power at any time while installing new firmware in the HDHomeRun... it won't harm anything.
-
BitShifter
Re: hdhomerun.local
I always say that software / hardware systems are secure until an exploit occurs. I don't view it as a major vulnerability, but I tend to focus more on defense than offense.