I've said this dozens of times on here, but IMHO the correct solution to this problem is:

1. Allow the user to choose between developer control and owner control, but only at first setup / after a factory reset. This prevents somebody with physical access from easily and covertly installing a backdoor.

2. Have a scary screen on boot announcing that "your device has been hacked", bypassable via a secret combination that isn't displayed on the screen. This isn't a problem for anybody who roots the device themselves, but instantly gives the game away if a third-party messes with it.

In the off chance anybody from Rode sees this: This makes me want to purchase your gear. Don't change it.

It's funny this comes up now. Tomorrow I'm dragging my Zoom R20 recorder on-site to use as an overly-featured USB audio interface for a single-mic live stream. If I'd know this about Rode a week ago I'd have purchased one of these and could have left my R20 hooked-up in the home studio!

I had to upgrade the firmware in my HP printer a couple years ago.

It’s a printer that I think was released in ~2009 (I am not able to check right now), and in order to upgrade the RAM to 256MB I needed to do a firmware update.

I dreaded this, but then I found out that all you do to update the firmware was FTP a tarball to the printer over the network. I dropped it in with FileZilla, it spent a few minutes whirring, and my firmware was updated.

Then I got mad that firmware updates are ever more complicated than that. Let me FTP or SCP or SFTP a blob there, do a checksum or something for security reasons, and then do nothing else.

I think it should be locked down to require some kind of physical button input to enable the commands, putting it in some kind of "DFU" mode. Otherwise anything with USB access could brick your device by flashing a bad firmware.

I don't want my audio interface to run SSH (and have some random authorized key added), personally.

My audio interface is a Linux computer with FPGAs inside (that actually get field-programmed), with two gigabit Ethernet jacks that each talk to different parts of the machine.

But I don't think anyone here would care about that. It's not such an unusual arrangement. I guess it's kind of impressive to use it on my desk at home, but in pro audio world it's actually kind of mundane.

Maybe I'll write about it more after I get the gumption to gain a root shell on it (or brick it, whichever comes first). I think you guys might find that part more interesting. :)

And your video dongle might be a Unix computer: https://www.macrumors.com/2025/02/04/doom-apple-lightning-hd...

Current ram/storage squeeze aside, chips are cheap. Cheap as chips.

Hard to beat the cost and compatibility of linux too.

Linux defaults are unfortunately not great for production of devices of this nature. By comparison, android ships with 3 default image types, eng, userdebug, and user. By creating this system of preconfigured defaults, it makes it easy to avoid this sort of mistake.

It is listening on the LAN. It connects over wifi only when you use certain features, so i didn’t test if that interface is listening as well.

> You would have to be a Hotz tier hacker if you wanted to do anything close to this only last year

This isn't true at all. Yes, LLMs have made it dramatically easier to analyse, debug and circumvent. Both for people who didn't have the skill to do this, and for people who know how to but just cannot be bothered because it's often a grind. This specific device turned out to be barely protected against anything. No encrypted firmware, no signature checking, and built-in SSH access. This would be extremely doable for any medium skilled person without an LLM with good motivation and effort.

You're referring to George Hotz, which is known for releasing the first PS3 hypervisor exploit. The PS3 was / is fully secured against attackers, of which the mere existence of a hypervisor layer is proof of. Producing an exploit required voltage glitching on physical hardware using an FPGA [1]. Perhaps an LLM can assist with mounting such an attack, but as there's no complete feedback loop, it still would require a lot of human effort.

[1] https://rdist.root.org/2010/01/27/how-the-ps3-hypervisor-was...

From the article, it sounds like he used Claude Code as an alternative to Wireshark and Google to decode USB HID traffic and find protocol documentation, respectively.

I suppose this could save a bit of time if you don't already have Wireshark installed, with a minor risk of hallucinations.

Other than this, he used Docker for some reason* to edit ~root/.ssh/authorized_keys and /etc/shadow in the firmware tarball, then wrote a quick Python script to send the relevant HID messages and copy the modified tarball to a volume mounted from a USB drive exposed by the device in response to one of the HID messages.

Maybe he used Claude to do some of this other stuff. Who knows? But the only thing in the post or the linked scripts that wasn't immediately obvious to me is why he installed the whois package in his Ubuntu container, but it turns out that, in Debian, the mkpasswd utility is installed by the whois package for historical reasons[1].

So basically, you have to be an insane hacker, or else have a basic working knowledge of Linux system administration (or at least know how to use the man(1) command; then again Google would probably suffice as an alternative) and how to write trivial programs in any language with bindings to a USB HID library.

* Presumably because he was on a Mac and didn't have a Linux box handy to generate the hashed password (which requires using glibc crypt(3) in a way that isn't compatible with macOS libc crypt(3), so nontrivial on a Mac).

Not sure why he needed password authentication in the first place, but, at the author's request, I won't shoot him.

I will, however, point out that, unless the sshd_config file on the device already set PermitRootLogin to something other than the default "prohibit-password", password authentication wouldn't have worked to log in as root, even with PasswordAuthentication set to "yes".

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=116260

This 1000% - I’ve used AI to enable SSH in one Phase One digital back I own, and to reverse engineer and patch the firmware on another to make the back think it’s a different back - Credo 50 to IQ250! The internals are literally the Sam.

its really nice to not have to spend hours looking thru packet captures and stuff, i enjoy digging but as i'm getting older I have less time to spend 16 hour days looking at random firmware blobs

LLM are not capable of doing that for most things. Having an open ssh device does not require any special "skill".

Damn, maybe I can throw an agent at trying to unlock IMEI spoofing on my Unifi LTE modem. That one guy on twitter who does all the LTE modem unlocking never replied to my tweet :(

If it’s embedded Linux with no HAB it’s not hard to make “adjustments.” Just use file and binwalk to figure out what it is and break it open.

there’s barely any hacking here

the guy found this through looking at the firmware but nmap -p 22 would have also found this

So like the first thing you would do to attack the device

I found an issue exactly like this on an ISP-provided router. I am nowhere near geohot but also didn’t even do as much as the guy in the article lmao

the rodecaster can connect to two computers, and we are both generally in the same discord call. so we have both microphones routed into one input for a computer, and the other person joins with their mic muted and the audio just comes from one client. since the mixing is local there's no echo. email me if you have more questions :)

I recently vibe coded a jack mixer in Rust. It can ingest and relay audio via LAN. I have around 40 ms latency, 50-60 ms if relaying via wifi.

It would solve the issue in a similar way. One pc runs the mixer. The mixer has an input channel for local mic.

Other PC broadcasts their mic to the mixer, which comes in as 'channel 2'.

You can even have music playing on your local PC, either the mixer or broadcaster creates a local sink.

It's all then mixed in the mixer, there's 3 outputs. You could say use the main out to send to discord.

And the monitor line would be used to output Discord audio, which can then be relayed to the other PC for realtime listening.

Doesn't a headset with directional boom microphone do the trick? I may be misinterpreting the problem statement though :-).

Looks like the https://www.getzola.org/themes/radion/ theme

not really an objective, I hope RODE continues to keep it open

It's a Sydney company. But parts are now manifactured in China. So who added this backdoor to listen to its customers? The CIA has similar companies doing it over popular loudspeakers. Could also be the Chinese.

TLA syndrome strikes again, I have no idea what CRA refers to here.

I would like for SSH to be turned off, but I also like that I can just do that myself.

Normally when I look at these devices firmware they’re horrific beasts with insane issues everywhere. This just requires a config change to fix the single thing I don’t like about it. There’s plenty of outrage in the world :)