Hey folks!
So I’ve been noodling around with midi communications on the desk via Osculator, while simultaneously testing VPN stuff with the new director updates and I’ve discovered a bit of an obscure vulnerability, or at the very least, a very good April fools’ joke to keep in your back pocket:
If you VPN in to connect via director, TCP midi driver will also allow you to connect your local machine. I was able to, over WAN, using Osculator (https://osculator.net) + Osc Widgets (https://github.com/ETCLabs/OSCWidgets) , map sine functions to specific faders on the desk. Instant Vegas mode!
Here’s the thing: you need VPN access (and presumably network creds, unless you were foolish in your integration,) *and* you need to know the ip of the console you’re trying to exploit, in order to connect TCP midi driver.
…but once you have those things, you could really ruin somebody’s day if you were so inclined. The most malicious thing I can think of here is the feedback loop detection dLive has internally in scene recall. Osculator doesn’t care about that, and it would be super easy to have it look for an incoming scene, then map that to another scene on an outgoing recall command, then tie all of that in to somebody’s login creds on the dLive itself.
…not that *I* would do that to my a2. …but I certainly thought about doing it.
At any rate, it’s obscure enough that I doubt many people will attempt such a thing, but again: good goooood reason to make sure your dLive install network is secured!
Blessings,
Richard
Jack_AH 6 years, 3 months ago.
