Web Controller: Disable or Put A Password!

Welcome Guest! To enable all features please Login or Register.

Notification

Error

Web Controller: Disable or Put A Password! - Hundreds of vMix Instances are unsecured and can be hacked at any time.

Options

Previous Topic Next Topic

xemles		#1 Posted : Tuesday, November 17, 2020 9:08:20 AM(UTC)
Rank: Advanced Member Groups: Registered Joined: 11/25/2019(UTC) Posts: 42 Location: Bordeaux Was thanked: 2 time(s) in 2 post(s)		Hello, A bit ago, I made a mistake, I was using the Web Controller on a Remote Server and forgot to put a password. Someone hijacked it, it lasted only a few seconds because I knew what I was doing, but it still happened. I wanted to make this message as a warning, and as an advice. Web Controller is enabled by default, so if you are using vMix on a server or a network without any firewall, please check and disable it in Settings -> Web Controller. But Why? Let me explain. I wanted to check if I was alone with my vMix exposed on the Internet, and I found hundreds of them, from Churches to TV Productions, going by Podcasts Hosts, Sports Productions, Web TVs using vMix as their Playout System and many more. What's the risk? With the Web Controller without a password, anybody can have a total control over your vMix. From changing inputs, to start or stop streaming, changing titles in your vMix. Anything. Just check by yourself with the Developer API what is possible. As you can see, they can event "Send Keys" on your PC, so if they know what they're doing, they could even take over your streaming machine. I contacted in the past few days dozens of companies, individuals, French and English speaking to tell them about this vulnerability, sadly I could not contact all of them with just the informations in their vMix and not everyone took it seriously and there is still a lot of them unprotected. Please vMix Team, please disable Web Controller by default or allow only local networks to access it with the default settings. (Please don't just put a "default password" that would be the same on every device since it would end up being leaked anyways) Also vMix team, I have a bunch of IP Addresses that I can't contact because their vMix doesn't have enough information so if I can give you those IPs so you can let them know that would be really cool. A Congolese TV Channel didn't take me seriously while I can literally do anything on their channel. I couldn't contact those dozens of Church, because how are you going to explain them just the concept of IP Addresses. I couldn't contact dozens of companies where I don't speak their language. Please, do something before malicious people do.


User Profile View All Posts by User View Thanks


	Wanna join the discussion?! Login to your vMix Forums forum account, or Register a new forum account.

DWAM		#2 Posted : Tuesday, November 17, 2020 5:43:19 PM(UTC)
Rank: Advanced Member Groups: Registered Joined: 3/20/2014(UTC) Posts: 2,721 Location: Bordeaux, France Thanks: 243 times Was thanked: 794 time(s) in 589 post(s)		Et bé le bordeluche, on fait une crise de parano ? Although some risks really exist, the biggest issue is not vMix WebController being on by default. Why ? - first without port forwarding and appropriate rules on the router/firewall to explicitely allow access to port 8088, nothing can happen from the internet - in case you set up the firewall to allow access, you still can define "who" can use this access - alternatively access can be restricted over the internet only to those using your own VPN Regarding the LAN users, there are 2 contexts: - are you on your own LAN and do you control who can plug/connect to your infrastructure ? - are you on a LAN you have no control over, like a shared network or a co-working place ? In the 1st case I believe the risks are very limited (unless you don't treat your people right) In the 2nd case, vMix and your Windows PC bring all the security features required to secure your setup. I don't think the issue here is having a WebController enabled for LAN by default. The issue is most people don't know and don't care enough about networking and security and don't want to learn as long as "it" works. They will certainly learn the hard way, one day or another, when it's too late... So I agree it's important to talk and inform about these issues, but I disagree it's vMix fault. vMix is not to blame (it brings and relies on an OS that have everything required to make it safe). People are responsable for their use, their actions, their knowledge or lack of knowledge. Would you blame the hammer that was used to kill someone? Instead of diffusing fear, if you really care about this, write a good practise manual... Do not blame vMix... Teach people... People are the biggest risk!
		WWW
1 user thanked DWAM for this useful post.		elvis55 on 11/17/2020(UTC)
User Profile View All Posts by User View Thanks

MickeyMJJ		#3 Posted : Tuesday, November 17, 2020 5:59:26 PM(UTC)
Rank: Advanced Member Groups: Registered Joined: 12/14/2018(UTC) Posts: 129 Location: Clermont-Ferrand Thanks: 30 times Was thanked: 9 time(s) in 8 post(s)		I think indeed that everyone must take their responsibilities, and here it is not for the developers of vMix to do so. When you allow external access, you are supposed to understand the risks and know how to manage your firewall. Michael.
		WWW

User Profile View All Posts by User View Thanks

Pepsi(~)		#4 Posted : Tuesday, November 17, 2020 7:20:58 PM(UTC)
Rank: Advanced Member Groups: Registered Joined: 9/9/2020(UTC) Posts: 94 Location: Noord-Brabant Thanks: 3 times Was thanked: 13 time(s) in 12 post(s)		I do agree with DWAM. Why would you connect any system directy to the internet. And if so the webportal is very useful if you are in the same network. (But just not behind your computer) But even if there is a user ID and password (what you can set by the way) it is still HTTP. And HTTPS will shift the performance from why vmix is there to other topics. In the broadcasting it is all about low latency and put performance in that. Most systems run with a local admin account in a broadcasting network. Without anti virus. (I do have anti virus running, only not during a broadcast)


User Profile View All Posts by User View Thanks

xbamaris		#5 Posted : Wednesday, November 18, 2020 12:50:21 AM(UTC)
Rank: Member Groups: Registered Joined: 3/27/2013(UTC) Posts: 15 Location: Wisconsin Was thanked: 1 time(s) in 1 post(s)		While I agree there should be some form of password for the API, you can get around this with firewall rules probably on the vMix machine. Or put it on its own vLan and control the firewall rules with your main firewall.
		WWW

User Profile View All Posts by User View Thanks

xemles		#6 Posted : Wednesday, November 18, 2020 2:37:37 AM(UTC)
Rank: Advanced Member Groups: Registered Joined: 11/25/2019(UTC) Posts: 42 Location: Bordeaux Was thanked: 2 time(s) in 2 post(s)		Originally Posted by: DWAM Et bé le bordeluche, on fait une crise de parano ? Although some risks really exist, the biggest issue is not vMix WebController being on by default. Why ? - first without port forwarding and appropriate rules on the router/firewall to explicitely allow access to port 8088, nothing can happen from the internet - in case you set up the firewall to allow access, you still can define "who" can use this access - alternatively access can be restricted over the internet only to those using your own VPN Regarding the LAN users, there are 2 contexts: - are you on your own LAN and do you control who can plug/connect to your infrastructure ? - are you on a LAN you have no control over, like a shared network or a co-working place ? In the 1st case I believe the risks are very limited (unless you don't treat your people right) In the 2nd case, vMix and your Windows PC bring all the security features required to secure your setup. I don't think the issue here is having a WebController enabled for LAN by default. The issue is most people don't know and don't care enough about networking and security and don't want to learn as long as "it" works. They will certainly learn the hard way, one day or another, when it's too late... So I agree it's important to talk and inform about these issues, but I disagree it's vMix fault. vMix is not to blame (it brings and relies on an OS that have everything required to make it safe). People are responsable for their use, their actions, their knowledge or lack of knowledge. Would you blame the hammer that was used to kill someone? Instead of diffusing fear, if you really care about this, write a good practise manual... Do not blame vMix... Teach people... People are the biggest risk! I'm not being paranoid, there is hundreds of vMix that are setup without any proper firewall and they're not in my LAN. On dedicated servers, there's most likely not a firewall. If I say that it's not because I'm paranoid, it's because I've seen it. I agree it isn't vMix's fault, but they could still do things to protect their users and avoid that.


User Profile View All Posts by User View Thanks

xemles		#7 Posted : Wednesday, November 18, 2020 2:40:03 AM(UTC)
Rank: Advanced Member Groups: Registered Joined: 11/25/2019(UTC) Posts: 42 Location: Bordeaux Was thanked: 2 time(s) in 2 post(s)		Originally Posted by: xbamaris While I agree there should be some form of password for the API, you can get around this with firewall rules probably on the vMix machine. Or put it on its own vLan and control the firewall rules with your main firewall. You have to understand that most people don't even know what LAN is. I've seen dozens of churches, webtvs where I can get into their vMix, just because they didn't setup anything


User Profile View All Posts by User View Thanks

xemles		#8 Posted : Wednesday, November 18, 2020 2:41:16 AM(UTC)
Rank: Advanced Member Groups: Registered Joined: 11/25/2019(UTC) Posts: 42 Location: Bordeaux Was thanked: 2 time(s) in 2 post(s)		Originally Posted by: MickeyMJJ I think indeed that everyone must take their responsibilities, and here it is not for the developers of vMix to do so. When you allow external access, you are supposed to understand the risks and know how to manage your firewall. Michael. "When you allow external access" The people I've talked to didn't even know external access was allowed, just because it was there by default.


User Profile View All Posts by User View Thanks

Users browsing this topic
Guest

Forum Jump

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.

Privacy Policy | Powered by YAF.NET | YAF.NET © 2003-2024, Yet Another Forum.NET
This page was generated in 0.173 seconds.

Important Information: The vMix Forums uses cookies. By continuing to browse this site, you are agreeing to our use of cookies. More Details Close

Live Production Software Forums

Notification