Kore <> Kodi Security in help-page
#1
Hi all,

from reading this text on the kodi.tv site, I'm unsure how "secure" the usage of Kore actually is:
https://kodi.tv/article/kodi-remote-acce...endations/

I'm using KORE on my android phone and OSMC / Kodi on a raspberry Pi 3b. It works flawlessly.

But with some quotes of the linked page, I have some questions:
"Do not use the Kodi web server without setting a reasonably-secure password."
- I set a password for the HTTP webserver, so this should be okay

"Do not expose any Kodi external interface (web server, JSON-RPC, event server ...) directly to the Internet."
- I would assume that in normal router configurations without opening ports etc. this should be the default, so also no issue, correct?
- Or what is meant by "expose directly to the internet"? The RaspberryPi has internet access, but I did not open any ports within the router configuration.

"Do not enable any external interface in Kodi that you don't actually use. This is especially true for the JSON-RPC service when exposed on all interfaces."
- The help of KORE lets us enable both checkboxes "Allow remote control from applications on this system" & "Allow remote control from applications on other systems"
- but the help of Kodi says we should not do this...

"This is why you should never run the web server without authentication. It allows anyone with access to the server port to completely control your box. Even if you do not expose the web server to the Internet, other machines including your PC or laptop can do this. This is possible from a standard web browser (via JavaScript), so you might visit a malicious web page that does this in the background and not even realise that it's happening."
"Also, keep in mind that neither JSON-RPC over TCP nor EventServer (enabled with the "Allow remote control from applications" setting in Kodi) offer any authentication, so they should usually be restricted to access solely from the box on which Kodi is running ("Allow remote control from applications on this system")."

So what does this all mean? Is activating KORE a security risk by design?
#2
(2022-01-04, 12:56)Karlo8321 Wrote: I set a password for the HTTP webserver, so this should be okay
Some people keep it simple, and use 'kodi' as the password. Just as safe as '12345'.

(2022-01-04, 12:56)Karlo8321 Wrote: what is meant by "expose directly to the internet"
It depends on the underlying operating system. Kodi itself is only an application, so network stuff is to be dealt with by the OS.
Normally, a router with no open ports should make things relatively safe.

(2022-01-04, 12:56)Karlo8321 Wrote: but the help of Kodi says we should not do this
This is about local network connections, not about wan/internet connections. Unless you want to configure your network that way.

(2022-01-04, 12:56)Karlo8321 Wrote: So what does this all mean? Is activating KORE a security risk by design?
See reply above.
#3
(2022-01-04, 14:09)Klojum Wrote:
(2022-01-04, 12:56)Karlo8321 Wrote: but the help of Kodi says we should not do this
This is about local network connections, not about wan/internet connections. Unless you want to configure your network that way.
Thank you very much for your answers. What do you mean by the quoted statement? What about local network connections?
#4
Any open port on a router is a potential security risk. Be it for web/print/file servers or other stuff.
The risks are less when there are no open server ports on the router. I mean, controlling Kodi from outside your own network sounds a bit daft but technically possible.
#5
Thank you for your explanations.

I'd like to understand the concept a little better. When I set a password for the HTTP webserver, this is "safe" as long as my router does not have any port forwarding. Enabling SSL would only be a higher security level against people who actually have access to my local network and could read the sent password. But from outside my own network it makes no difference whether I enable SSL or not.
Even if they would use some "trapped" website with some JavaScript code, as also discussed here (thread 151926).
Is this assumption correct?

But what about the JSON-RPC / Eventserver, where it says there is no authentication at all? This then could be "trapped" by such a website, correct?
And with that it could take full control over the device, download malware to the external attached drives etc.?
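The questions in this post (weak web server password, no TLS, and the JSON-RPC / EventServer being reachable from other machines without any authentication) can be checked mechanically against Kodi's settings file. The following Python script is an added example written for this thread, not code from Kodi or Kore. It parses a constructed snippet in the shape of Kodi's guisettings.xml and flags the risky combinations the kodi.tv article warns about. The setting ids used (services.webserver, services.webserverauthentication, services.webserverpassword, services.webserverssl, services.esenabled, services.esallinterfaces) are assumptions based on recent Kodi releases; compare them against the guisettings.xml on your own box before relying on the output.

```python
"""Audit a Kodi guisettings.xml for the remote-access risks discussed above.

Assumptions (not taken from this thread): setting ids follow the Kodi 18+
<setting id="..."> layout; "services.esallinterfaces" corresponds to the
"Allow remote control from applications on other systems" checkbox.
"""
import xml.etree.ElementTree as ET

# Constructed sample: web server on with the default-looking password 'kodi',
# no SSL, and EventServer/JSON-RPC listening on all interfaces.
SAMPLE_SETTINGS = """<settings version="2">
  <setting id="services.webserver">true</setting>
  <setting id="services.webserverport">8080</setting>
  <setting id="services.webserverauthentication">true</setting>
  <setting id="services.webserverusername">kodi</setting>
  <setting id="services.webserverpassword">kodi</setting>
  <setting id="services.webserverssl">false</setting>
  <setting id="services.esenabled">true</setting>
  <setting id="services.esallinterfaces">true</setting>
</settings>"""

# Constructed hardened variant: long password, SSL on, EventServer local-only.
HARDENED_SETTINGS = """<settings version="2">
  <setting id="services.webserver">true</setting>
  <setting id="services.webserverauthentication">true</setting>
  <setting id="services.webserverusername">kodi</setting>
  <setting id="services.webserverpassword">a-long-unique-passphrase-42</setting>
  <setting id="services.webserverssl">true</setting>
  <setting id="services.esenabled">true</setting>
  <setting id="services.esallinterfaces">false</setting>
</settings>"""

# Small illustrative list; 'kodi' and '12345' come straight from post #2.
WEAK_PASSWORDS = {"", "kodi", "12345", "123456", "password", "admin"}
MIN_PASSWORD_LEN = 8


def load_settings(xml_text):
    """Return {setting id: text value} for every <setting> element."""
    root = ET.fromstring(xml_text)
    return {s.get("id"): (s.text or "").strip() for s in root.iter("setting")}


def is_true(value):
    return value.strip().lower() == "true"


def audit(settings):
    """Return a list of (severity, code, message) findings."""
    findings = []
    if is_true(settings.get("services.webserver", "false")):
        password = settings.get("services.webserverpassword", "")
        auth_flag = settings.get("services.webserverauthentication")
        # Older releases had no explicit auth flag: auth was on iff a
        # password was set (assumption).
        auth_on = is_true(auth_flag) if auth_flag is not None else bool(password)
        if not auth_on:
            findings.append(("high", "web-no-auth",
                             "Web server enabled without authentication: any host, "
                             "or any web page a LAN browser opens, can send JSON-RPC "
                             "commands to it."))
        elif password.lower() in WEAK_PASSWORDS or len(password) < MIN_PASSWORD_LEN:
            findings.append(("high", "web-weak-password",
                             "Web server password is empty, a common default or "
                             "shorter than %d characters." % MIN_PASSWORD_LEN))
        if not is_true(settings.get("services.webserverssl", "false")):
            findings.append(("medium", "web-no-tls",
                             "Web server without SSL: the password crosses the LAN "
                             "in clear text and can be read by anyone on it."))
    if is_true(settings.get("services.esenabled", "false")) and \
            is_true(settings.get("services.esallinterfaces", "false")):
        findings.append(("high", "es-all-interfaces",
                         "EventServer / JSON-RPC over TCP accepts unauthenticated "
                         "commands from every host on the network; restrict it to "
                         "'applications on this system' unless a remote needs it."))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print("==", label)
        for severity, code, message in audit(load_settings(xml_text)) or [("ok", "none", "no findings")]:
            print("[%s] %s: %s" % (severity, code, message))
```

To run it against a real box, replace SAMPLE_SETTINGS with the contents of your guisettings.xml (on OSMC it lives under the kodi user's .kodi/userdata directory). The password check is deliberately a simple denylist plus a length floor, which is what post #2 is getting at: a password that is easy to guess protects the web server no better than no password at all.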
