Security vulnerabilities in enttec devices

danTt

Well-Known Member
Joined
Aug 24, 2011
Location
NY

It should go without saying that lighting networks should usually be completely separate, and should have proper access control in any situation where they need to be bridged, but this is a good reminder.
 
  • Like
Reactions: FMEng and macsound

macsound

Well-Known Member
Joined
Jun 15, 2018
Location
San Francisco, CA
Interested to see how this shakes out. Seems like similar issues as related to IoT devices which by nature must be connected to the internet to operate as designed. But because they're such small devices, everyone just treats them like a $2 ground lift adapter and throws whatever components inside that work.

Slight tangent - when Apple knock off 5w USB chargers started causing fires and someone dissected the knock off vs the apple and realized how much intentional engineering went inside a "free" apple charger and how dangerous the knock offs were, it was amazing and eye opening, especially for those with 240v power, knowing how well Apple isolated the high from low voltage parts inside the little white cube.
http://www.righto.com/2012/05/apple-iphone-charger-teardown-quality.html
 

rsmentele

Well-Known Member
Premium Member
Fight Leukemia
Joined
Apr 6, 2010
Location
Madison, WI
Heard this is due to a known backdoor in Linux. If not closed, security is compromised.... and then you get put on this website
 

rphilip

Active Member
Joined
Mar 5, 2008
Location
SW Michigan
Does anyone know if this is likely limited to the listed product? I've got an Entec Node ODE (unsure if Mk1 or Mk2) that's on a firewalled network but that does have internet access.

Philip
 

Rob

Well-Known Member
Joined
Jun 10, 2009
Location
On a river near Toronto
Those interested in this topic may want to read what Acuity has done in this regard. Download the Cybersecurity PDF on this page. I write a lot more about it on this page and discuss some of our initiatives to secure E1.31 sACN.

Protocol published this article I wrote in the Winter 2020 edition of the magazine talking about security in general terms.
 

danTt

Well-Known Member
Joined
Aug 24, 2011
Location
NY
Heard this is due to a known backdoor in Linux. If not closed, security is compromised.... and then you get put on this website
I don't see how any known backdoor would cause all of the following. I could potentially see it causing #3, but the other ones seem to be pure developer lack of effort.
3.2.1 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321
3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79
3.2.3 IMPROPER ACCESS CONTROL CWE-284
3.2.4 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732
 
  • Like
Reactions: ScottT