logo

Live Production Software Forums


Welcome Guest! To enable all features please Login or Register.

Notification

Icon
Error

Options
Go to last post Go to first unread
tsioukas  
#1 Posted : Tuesday, July 28, 2020 7:26:59 PM(UTC)
tsioukas

Rank: Advanced Member

Groups: Registered
Joined: 7/10/2020(UTC)
Posts: 30
Man
Greece

Thanks: 7 times
Was thanked: 2 time(s) in 2 post(s)
I detect that TCP enabled only when Web Controller is enabled. Web Controller have authorization option, but TCP does not. This creates a big leak on VMIX security because if someone in the same network find that web controller is enabled, he can send TCP commands taking control of live or worst to destroy it (by adding even or even porn ;) ). It takes me max 1’ to detect IP/Port and 5’ to create a NodeJS remote controller. Also, hack is easier because it is impossible for someone to change the TCP port.

I think that

1) An authorization method for TCP connections (maybe on connect command or with a allow access pop up on VMix) must implemented
2) Also allow us to enable/disable TCP and change the Port Number (this will help us also to control more that one instance of VMIX)

Thank you in advance

EDIT : Until then personally I use firewall to protect my system by allowing access to specific MAC address but even this isn't too secure because remote attackers can find and duplicate this address.
stigaard  
#2 Posted : Tuesday, July 28, 2020 8:19:05 PM(UTC)
stigaard

Rank: Advanced Member

Groups: Registered
Joined: 5/20/2015(UTC)
Posts: 493
Man
Denmark
Location: Copenhagen, Denmark

Thanks: 378 times
Was thanked: 100 time(s) in 79 post(s)
+10
MartLeib  
#3 Posted : Tuesday, July 28, 2020 9:23:08 PM(UTC)
MartLeib

Rank: Advanced Member

Groups: Registered
Joined: 2/23/2017(UTC)
Posts: 189
Estonia

Thanks: 1 times
Was thanked: 52 time(s) in 42 post(s)
It may take 1 minute to detect IP/Port but it should take no time whatsoever for the remote controller, just fire up Hercules and send any command you want. But let's face it, your streaming network should be isolated anyway, for example, there is no way to secure BlackMagic ATEM remote control and if I remember correctly, then Behringer audio mixers have also no security settings, you should just secure your network. Easy as that.

But, if vMix should implement authentication, then it should not be pop up, that messes up in a case when I have external controller/software which needs to reconnect - instant popup on the screen, not good. Since TCP has no good authentication way, the IP white list may be one of the best options.
tsioukas  
#4 Posted : Tuesday, July 28, 2020 9:44:08 PM(UTC)
tsioukas

Rank: Advanced Member

Groups: Registered
Joined: 7/10/2020(UTC)
Posts: 30
Man
Greece

Thanks: 7 times
Was thanked: 2 time(s) in 2 post(s)
Originally Posted by: MartLeib Go to Quoted Post
It may take 1 minute to detect IP/Port but it should take no time whatsoever for the remote controller, just fire up Hercules and send any command you want.

My favorite tool, but I prefer code to pass multiple commands until vMix user detect what the hell is wrong, that's more funny ;)

Originally Posted by: MartLeib Go to Quoted Post
But let's face it, your streaming network should be isolated anyway, for example, there is no way to secure BlackMagic ATEM remote control and if I remember correctly, then Behringer audio mixers have also no security settings, you should just secure your network. Easy as that.

Yeap, I notice that also in my ATEM but at least it can connect it directly without any router. But how can isolate the vMix when at same time internet required to stream. Of course only with Firewall or a dual NAT you can do that but it's not always possible.

Originally Posted by: MartLeib Go to Quoted Post
But, if vMix should implement authentication, then it should not be pop up, that messes up in a case when I have external controller/software which needs to reconnect - instant popup on the screen, not good. Since TCP has no good authentication way, the IP white list may be one of the best options.

About that, when I say popup it's for first time only, after that vMix can add it into "safe" clients until restart. Of course a verification key on command it's better and I think easier on implementation.
MartLeib  
#5 Posted : Tuesday, July 28, 2020 10:24:13 PM(UTC)
MartLeib

Rank: Advanced Member

Groups: Registered
Joined: 2/23/2017(UTC)
Posts: 189
Estonia

Thanks: 1 times
Was thanked: 52 time(s) in 42 post(s)
Originally Posted by: tsioukas Go to Quoted Post
But how can isolate the vMix when at same time internet required to stream. Of course only with Firewall or a dual NAT you can do that but it's not always possible.


Firewall is the key. VLAN can help as well. You should have your own router that assigns IPs and controls traffic inside your streaming network anyway and there you can have a firewall as well.
tsioukas  
#6 Posted : Tuesday, July 28, 2020 10:37:43 PM(UTC)
tsioukas

Rank: Advanced Member

Groups: Registered
Joined: 7/10/2020(UTC)
Posts: 30
Man
Greece

Thanks: 7 times
Was thanked: 2 time(s) in 2 post(s)
Originally Posted by: MartLeib Go to Quoted Post
Firewall is the key. VLAN can help as well. You should have your own router that assigns IPs and controls traffic inside your streaming network anyway and there you can have a firewall as well.


Sounds like this "Because we have good lock in building, let’s leave unlocked our house door". Security on networks is like onion, you must have multiple layers to think that you are little bit safe.

MartLeib  
#7 Posted : Wednesday, July 29, 2020 4:36:59 AM(UTC)
MartLeib

Rank: Advanced Member

Groups: Registered
Joined: 2/23/2017(UTC)
Posts: 189
Estonia

Thanks: 1 times
Was thanked: 52 time(s) in 42 post(s)
Originally Posted by: tsioukas Go to Quoted Post
Originally Posted by: MartLeib Go to Quoted Post
Firewall is the key. VLAN can help as well. You should have your own router that assigns IPs and controls traffic inside your streaming network anyway and there you can have a firewall as well.


Sounds like this "Because we have good lock in building, let’s leave unlocked our house door". Security on networks is like onion, you must have multiple layers to think that you are little bit safe.



Not a single word from my posts should reflect that I'm against the authentication for TCP, if that's what you took away from my posts then you misunderstood. I completely agree with you regarding network security but you implied that "Of course only with Firewall or a dual NAT you can do that but it's not always possible." - I was just giving you a couple suggestions on how to tackle the problem. I have never had problems with my own router & firewall between the clients' network and our own local network. I have also denied the vMix TCP port on the firewall so it wouldn't leak through WAN, only usable in the LAN.

Anyway +1 to FR
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.