Smartphone app security flaw

Did you know that you can download an app for your smartphone to control your WDTV? I did, but did you also know that said app requires no authentication to interact with your device, even if you’ve set up a password for the WDTV? I discovered this when some friends were over one night. I went upstairs to put my son to bed, and when I came back downstairs I found one of my friends merrily browsing YouTube videos on the WDTV with his phone.

The device should have an option to require a password to interact with it. Even Bluetooth devices require a code for pairing.

tribunal88 wrote:

 I discovered … one of my friends merrily browsing YouTube videos on the WDTV with his phone.

Why on earth did you give your friend access to your internal network if he’s going to start nosing around and messing with your stuff??

At any rate, what app was he using?   The WD-provided app is nothing more than a remote control – can’t access or control anything that the regular remote can’t do…

If he was using a DLNA “controller” app, well, that’s a shortcoming of DLNA. There’s no authentication or security specified in the standards, and any DLNA controller can pretty much do anything with any DLNA server without security challenges.

Firstly, you’re right, and I gave him some “stern reproof” about it.

Secondly, I’m imagining a child fiddling with the WDTV from elsewhere in the house while others are trying to watch something. While it’s easy enough to take the device away and give them correction, a passcode for the device allows the entire situation to be avoided.

Thirdly, and in my defense, I’m in the process of segmenting my network into VLANs. This includes a public wireless area with its own subnet where devices can get to the internet, but that’s all. Note: this won’t address the misbehaving child issue.

tribunal88 wrote:

 this won’t address the misbehaving child issue.

… actually, it probably would.  If the WD and the mobile devices aren’t on the same broadcast domain, the mobile device app won’t be able to detect the WD at all.
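
The segmentation point in the last reply can be verified from a client on the guest network. The script below is an added example, not part of the thread: it assumes the player is found through standard UPnP/SSDP multicast discovery (which DLNA uses), and its function names are illustrative.

```python
import socket
import time

SSDP_GROUP = ("239.255.255.250", 1900)  # standard SSDP multicast group and port
M_SEARCH = (b'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n'
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
MEDIA_TYPES = ("MediaRenderer", "MediaServer")  # UPnP AV device types used by DLNA

def parse_response(data):
    """Return upper-cased headers of an SSDP search reply, or None if it is not one."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def media_devices(replies):
    """Map responder IP -> sorted search targets, keeping only DLNA media devices."""
    seen = {}
    for ip, data in replies:
        headers = parse_response(data)
        if headers and "ST" in headers:
            seen.setdefault(ip, set()).add(headers["ST"])
    return {ip: sorted(sts) for ip, sts in seen.items()
            if any(t in st for st in sts for t in MEDIA_TYPES)}

def discover(wait=3.0, ttl=1):
    """Send one M-SEARCH (TTL 1 keeps it on this segment); return raw (ip, bytes) replies."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
        s.sendto(M_SEARCH, SSDP_GROUP)
        deadline = time.monotonic() + wait
        while (left := deadline - time.monotonic()) > 0:
            s.settimeout(left)
            try:
                data, (ip, _port) = s.recvfrom(65507)
            except socket.timeout:
                break
            replies.append((ip, data))
    return replies

if __name__ == "__main__":
    # Run on the guest VLAN: an empty result means no media device is discoverable from there.
    print(media_devices(discover()) or "no DLNA media devices visible from this segment")
```

Run it once on the trusted network to confirm the player shows up, then again from the guest subnet, where it should report nothing.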