TCP Midi exploit!

Forums Forums dLive Forums dLive troubleshooting TCP Midi exploit!

This topic contains 1 reply, has 2 voices, and was last updated by Profile photo of Jack_AH Jack_AH 2 weeks, 1 day ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #67862

    Hey folks!

    So I’ve been noodling around with midi communications on the desk via Osculator, while simultaneously testing VPN stuff with the new director updates and I’ve discovered a bit of an obscure vulnerability, or at the very least, a very good April fools’ joke to keep in your back pocket:

    If you VPN in to connect via director, TCP midi driver will also allow you to connect your local machine. I was able to, over WAN, using Osculator (https://osculator.net) + Osc Widgets (https://github.com/ETCLabs/OSCWidgets) , map sine functions to specific faders on the desk. Instant Vegas mode!

    Here’s the thing: you need VPN access (and presumably network creds, unless you were foolish in your integration,) *and* you need to know the ip of the console you’re trying to exploit, in order to connect TCP midi driver.

    …but once you have those things, you could really ruin somebody’s day if you were so inclined. The most malicious thing I can think of here is the feedback loop detection dLive has internally in scene recall. Osculator doesn’t care about that, and it would be super easy to have it look for an incoming scene, then map that to another scene on an outgoing recall command, then tie all of that in to somebody’s login creds on the dLive itself.

    …not that *I* would do that to my a2. …but I certainly thought about doing it.

    At any rate, it’s obscure enough that I doubt many people will attempt such a thing, but again: good goooood reason to make sure your dLive install network is secured!

    Blessings,

    Richard

    #67909
    Profile photo of Jack_AH
    Jack_AH
    Moderator

    Hi Richard,

    This reply is more for the benefit of anyone else reading this rather than a direct reply, but we would never suggest connecting dLive directly to the internet, or even a local network, it’s strongly suggested that the dLive is only connected to a dedicated network for running director, iPad apps, IP devices and other dLive specific applications.

    Whilst it is of course possible to connect dLive to the internet, this should only be done after robust security measures such as firewalls and NATs have been put in place only to allow trusted connections to dLive.

    It is a piece of Pro Audio equipment, not a network security device!

    All the best,

    Jack

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.