Hi guys, I made a review of the Zidoo Z9X with some performance benchmarks: https://slideshow.digital/2021/02/review-of-zidoo-z9x-i/. The most surprising thing I found during testing was the insecure network API (mentioned under https://slideshow.digital/2021/02/review-of-zidoo-z9x-i/#media-playback-security-issue), which is always enabled and can't be turned off or secured. Basically, if you are on the same network as the Z9X, you can remotely uninstall apps or play videos, and there is no way of stopping that. I tried raising the issue with the Zidoo support team; the answer was (I quote): "Users can decide whether connecting with public WiFi or not, Zidoo has no plan to turn it off for devices connected to the public WiFi network yet." What are your thoughts about this? Am I too paranoid for making a fuss about the insecure API? Milan
Can't think of many circumstances where this is a problem - unless I p**s the kids off by changing the WiFi password, I won't lose any sleep.
I can agree that if you are using it at home, you should be mostly OK. You can even show off to your kids by changing the video from the other room. However, if you would like to use it at the office, shop or anywhere commercially, it can become a bigger issue.
A lot of devices have simple IP protocols like this for CI installations; it's not unusual, and there are plenty of other measures you can put in place to secure it if you really needed to. I don't really see this as a big problem.
What measures would you suggest? The only one which comes to my mind is putting it behind a separate router/firewall dedicated just for this device. That would solve the problem, but it requires another device.
Yes, that would be easiest - add a router with an ethernet WAN connection, create a new subnet (I would usually use 10.0.0.*) and block all inbound traffic from the original subnet.