RuneAudio: some thoughts

I spent a few hours this weekend mucking about with an old V2 Raspberry Pi and the open source product RuneAudio. It’s a pretty good little media management system. I can keep all my music (I’ve copied it to USB storage attached to the Pi) in one place and play it from the Pi to the amplifier. The beauty, of course, is that I can control the playback, search and so on via any device on my local network (be it a phone, computer, iPad or tablet, anywhere in the house). One thing that is nice is its simple interface, and it is fairly easy to set up. But I also have a few concerns that I thought I’d mention here.

Security

Once you have burnt the RuneAudio image to your Pi you just plug it in and start the device. You can access it via the URL http://runeaudio.local/ or by working out the IP address (you might have to look at your router to find this). This is very convenient, but the issue is that the product is not password protected. So if your neighbour somehow hacks your wireless network password, he or she could crank up your music system at 4 AM as a prank!

Another thing to consider is that the image uses a root (super, god) user, and the password for that user is publicly available. So after that neighbour cranks up your music they can ssh to the device with root privileges! Also, there are no basic user accounts (i.e. anyone on the network can control the server), although there is a hack that can be run via the htpasswd process within the web server. This allows you to hand-code that functionality into the product. This is not ideal for a basic user! If you do install a RuneAudio server in your house, do change the root ssh password … NOW!

See this link for more information on how to do that. Also, at the time of writing, wireless is not a secure medium. I recommend a long wireless password that will take hours if not days to hack. As it is currently configured, a RuneAudio server could be a nasty attack vector for a hacker. Changing the root ssh user password is a good start, but the file system is rather open (see screen shot) and that could be problematic if not managed in a better way. Unfortunately this is typical of many IoT style products. They need to treat security as an important issue; an initial configuration script could easily manage all of these faults and create a more rounded, more secure product.

So, to sum up:

Ease of setup 8/10
User interface 8/10
Security 2/10

I’ll be keeping an eye on this product. If you’re not comfortable with the command line and security is important (it should be to everyone!), it’s probably a good idea not to use this product just now. But if they get their act together around the security issues, I think it has the potential to be something that rivals some of the more expensive commercial products.
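As a follow-up to the root ssh concern in the Security section, here is an added example (my own sketch, not part of RuneAudio and not from the link above) of the kind of check an initial configuration script could run: it reads an sshd_config and reports whether root can still log in with a password. The function names, the sample config text and the assumed OpenSSH defaults are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not RuneAudio's code). sshd keeps the FIRST value it reads for
# a keyword, so a later "PermitRootLogin no" does not undo an earlier "yes".
# Limits: global section only (stops at the first Match block), whitespace
# separated "Keyword value" lines only, keyboard-interactive/PAM not examined.

# effective_value FILE KEYWORD DEFAULT -> first global value, lowercased
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { k = tolower(key) }
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "match" { exit }          # end of the global section
        tolower($1) == k { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# root_password_login FILE -> "exposed" if root may log in with a password, else "ok"
# Assumed defaults (current OpenSSH): PermitRootLogin prohibit-password,
# PasswordAuthentication yes. Older releases defaulted PermitRootLogin to yes.
root_password_login() {
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    if [ "$root" = "yes" ] && [ "$pass" = "yes" ]; then
        echo exposed
    else
        echo ok
    fi
}

# Constructed sample config, NOT copied from the RuneAudio image.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
echo "before: $(root_password_login "$sample")"   # first value wins

# Hardened variant: root by key only, no password logins at all.
cat > "$sample" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
EOF
echo "after:  $(root_password_login "$sample")"
rm -f "$sample"
```

On the device itself you would point root_password_login at /etc/ssh/sshd_config; running `sshd -T` as root prints the settings sshd actually applies, defaults included, and is the more authoritative check.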