Security

Best submit a ticket direct to WiiM - this is primarily a user, not support, forum.
 
Additionally it's extremely difficult to stay on top of all CVEs these days, they get created for absolutely anything under the sun.

In the case of a device like WiiM, I simply don't expect them to be able to and it can be largely mitigated by having the device on a private network and not reachable from the internet. I do hope that they make a reasonable effort in patching the ones in the stack that does process data/responses from 'foreign' servers though (i.e. the various music services).
 
Your device is really nice but PLEASE patch your firmware. Bitdefender found 422 (!!!) High Risk Issues.

I disconnected my mini just because of the uncertainty. I need to figure out if there is a way for me to block the device from the external worldwide web and only use it for my local network. I’m going to start working on that.
 
You want to stay safe? Don’t connect to the internet, it's that simple if you’re paranoid about hacking and security. You will more likely get mugged walking late at night than you would on the internet. 😂
 
Hi Team,

We have carefully reviewed the reported security vulnerabilities through router and antivirus software using the CVE database. The alerts were false alarms triggered by outdated version numbers of Linux kernels or third-party libraries. To mitigate these vulnerabilities, we can either update all kernels/libraries or apply patches; we chose the latter approach and raised these alarms. Please note, our firmware and software have undergone rigorous security testing with Amazon and Google, given the integration of built-in Alexa and Chromecast audio features. We have also collaborated with a third-party security team and successfully passed their tests.

Meanwhile, our team will work on resolving these false alarms triggered by version number checks.
 
I recommend that you publish CVEs that you fix, it's good practice and provides a quick way to point people who have concerns.

I work for a Linux distribution vendor, we have the exact same problem of scanners relying on versions when we backport fixes. In some cases we don't even need to do that because the CVE isn't actually applicable in our context or configuration, that sort of thing. But we do document it all.
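
The mismatch discussed in this thread, a scanner matching on version strings while the vendor backports fixes, shown as an added example (not code from any poster or from WiiM). All package names, versions, CVE ids and vendor status records are constructed placeholders; the status words are an assumption chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    cve: str             # placeholder id, not a real CVE
    package: str
    fixed_upstream: str  # first upstream release that contains the fix

def upstream_tuple(version: str) -> tuple:
    """'1.2.3-vendor4' -> (1, 2, 3): the vendor suffix is invisible to a version match."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def version_only_scan(installed: dict, advisories: list) -> list:
    """What a version-matching scanner reports: every CVE fixed in a later upstream release."""
    return [a for a in advisories
            if a.package in installed
            and upstream_tuple(installed[a.package]) < upstream_tuple(a.fixed_upstream)]

def triage(installed: dict, advisories: list, vendor_status: dict) -> dict:
    """Label each scanner hit with the vendor's published status, if there is one."""
    result = {}
    for hit in version_only_scan(installed, advisories):
        # Without a published statement the finding cannot be dismissed from outside.
        status, _reason = vendor_status.get(
            (hit.cve, hit.package), ("needs_review", "no vendor statement"))
        result[hit.cve] = status
    return result

# Constructed sample data (hypothetical device inventory and advisories).
INSTALLED = {"examplelib": "1.2.3-vendor4", "examplekernel": "4.4.0-vendor9"}
ADVISORIES = [
    Advisory("CVE-0000-0001", "examplelib", "1.2.9"),
    Advisory("CVE-0000-0002", "examplelib", "1.3.0"),
    Advisory("CVE-0000-0003", "examplekernel", "4.4.12"),
    Advisory("CVE-0000-0004", "examplekernel", "4.3.0"),  # fixed before the installed release
]
# Hypothetical vendor-published record of backports and non-applicable CVEs.
VENDOR_STATUS = {
    ("CVE-0000-0001", "examplelib"): ("fixed", "patch backported into 1.2.3-vendor4"),
    ("CVE-0000-0002", "examplelib"): ("not_affected", "affected feature not built"),
}

if __name__ == "__main__":
    for cve, status in triage(INSTALLED, ADVISORIES, VENDOR_STATUS).items():
        print(cve, status)
```

The version-only scan flags three of the four advisories; only the two with a published vendor record can be closed, which is the practical case for documenting backported fixes.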
 
You want to stay safe? Don’t connect to the internet, it's that simple if you’re paranoid about hacking and security. You will more likely get mugged walking late at night than you would on the internet. 😂
I liked your reply. So true, but I'm still worried. Keep thinking all my IoT junk will be acting as a server for some hackers. I fell into the trap of HomeKit and home automation (originally X10 junk) and I'm also a very old electrical engineer trying new stuff (R Pi & Python). Maybe too much news...
 