My kitchen radio, a noxon iRadio, happily plays music from my UPnP server. This is what I bought it for. Unfortunately for me, it is also able to store favorites online, list thousands of online radio stations and play them.
So far so good. Two problems:
- The main menu is cluttered with 5 menu entries that only work when you are actually online.
- When trying to access your favorites list, the radio wants to sync your online favorites in.
While these items are no problem by themselves, the combination of them and the fact that I am offline at home is a problem. When you open one of those 5 menu entries or the favorites, the radio hangs. This is because it can't reach any of the servers it wants to connect to. A mail to the support got me in contact with one of the developers, and he told me that setting the timeout down to a few seconds - so that it would be usable for me - is not possible, and never will be. Not to speak of deactivating the whole online crap.
So with no help to expect from the producer (Ha! When do you ever get that?) I had to find a solution myself. By installing tcpdump on my home server (which also acts as gateway) and running
tcpdump -i ppp0 -s 1500 -w noxon.tcpdump
while clicking around the menu, I got some data that helped me to identify the problem. The file can be opened with Wireshark.
This lit up my mind: The radio sends 6 DNS requests and waits for the domains (radio567.vtuner.com, radio5672.vtuner.com and gatekeeper.my-noxon.net) to be resolved. This is what hangs the radio - when I'm offline, no DNS requests can be answered apart from the names of my own machines.
So some entries in the gateway's /etc/hosts file made the radio react even when I am offline: they simply redirect the host names to some non-existent IP address. Favorites, here we come!
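The DNS finding and the hosts-file workaround above, as an added example that is not part of the original post: it takes the UDP payloads of port-53 packets, finds the names that were asked for but never answered, and renders /etc/hosts lines for them. The sample payloads, the sink address 192.0.2.1 and the host name homeserver.lan are assumptions made for illustration.

```python
import struct

SINK_IP = "192.0.2.1"  # assumption: RFC 5737 documentation address, not assigned to any host

def build_query(txid, name):
    """Construct a DNS A-record query payload (only used to make the sample data)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def parse_question(payload):
    """Return (txid, is_response, qname) for a DNS message, or None if it is malformed."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if qdcount == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return txid, bool(flags & 0x8000), ".".join(labels)
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None  # compression pointer or truncated label: not a plain question
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    return None  # name ran off the end of the packet

def unanswered_names(payloads):
    """Names that were queried but never got a response with the same ID and name."""
    pending = set()
    for parsed in filter(None, map(parse_question, payloads)):
        txid, is_response, name = parsed
        if is_response:
            pending.discard((txid, name))
        else:
            pending.add((txid, name))
    return sorted({name for _, name in pending})

def hosts_entries(names, ip=SINK_IP):
    """Render one /etc/hosts line per name, pointing at the sink address."""
    return [f"{ip}\t{name}" for name in names]

# Constructed sample payloads (not from the author's capture): six queries over the three
# names the post lists, plus one answered lookup for a hypothetical local host.
NAMES = ["radio567.vtuner.com", "radio5672.vtuner.com", "gatekeeper.my-noxon.net"]
SAMPLE = [build_query(i, n) for i, n in enumerate(NAMES * 2, start=1)]
local = build_query(99, "homeserver.lan")
SAMPLE += [local, local[:2] + b"\x81\x80" + local[4:]]  # query, then its response (QR bit set)

if __name__ == "__main__":
    print("\n".join(hosts_entries(unanswered_names(SAMPLE))))
```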
Inspecting the network communication dump file further told me how the radio's menu system works. The main menu entries just call some hard-coded URLs which respond with an XML file that tells the radio what to display.
On all requests, the radio transmits its own MAC address, language and firmware version number. The MAC address authenticates you when retrieving your favorites. This means by providing a different MAC, you could retrieve someone else's favs.
To prevent that simple attack on your privacy, the radio retrieves an encryption token which is later used to encrypt the MAC address. The only problem seems to be that this token does not change for at least a day. So as soon as you capture someone's radio network traffic, you have full access to their favorites as long as the token does not change.
What also bothers me a bit is that both servers (vtuner and my-noxon gatekeeper) return the same encryption token, although they are different boxes and they use different scripting languages (ASP and PHP). This could be a sign that this token is hard-coded. In that case, the only thing that prevents one from retrieving everyone's favorites (and other my-noxon services that one could even have paid for) is that the encryption method is secret.
Seems a bit like security by obscurity. Here are some encryption examples. The token is used to get the encrypted mac address:
Real MAC: 00:16:E3:EA:52:B9
Encryption examples:
- token: 0000000000000000 mac: 3B834F07044E1DA94792258E5E777FE9
- token: 0000000000000001 mac: E696881E02E16DBB6CD734CDE5413387
- token: 1111111111111111 mac: 5F7B1751BB0AAB22F90A72B0997718EE
- token: a6703ded78821be5 mac: B2FB31BE594C9FD322408AB8CC8F7679
XML Menu structure
The XML data coming back from the sites is a ListOfItems that either tells the radio to display a message, or lists some directories and radio station streams.
Display -- Empty List --
Previous http://radio567.vtuner.com/setupapp/radio567/asp/BrowseXML/loginXML.asp?gofile= http://radio5672.vtuner.com/setupapp/radio567/asp/BrowseXML/loginXML.asp?gofile=
Dir Afrika http://radio567.vtuner.com/setupapp/radio567/asp/BrowseXML/navXML.asp?gofile=S-ByLocation-Africa http://radio5672.vtuner.com/setupapp/radio567/asp/BrowseXML/navXML.asp?gofile=S-ByLocation-Africa
Dir Asien http://radio567.vtuner.com/setupapp/radio567/asp/BrowseXML/navXML.asp?gofile=S-ByLocation-Asia http://radio5672.vtuner.com/setupapp/radio567/asp/BrowseXML/navXML.asp?gofile=S-ByLocation-Asia
The lists can be made non-cacheable (Why should we respect HTTP headers?) by providing a <NoCache>Yes</NoCache> directly after the opening ListOfItems tag.