Google MediaServer

Google has a MediaServer, which is part of Google Desktop. It is a very simple MediaServer that does nothing more than make services like YouTube and Picasa available via a few MediaServer profiles. GNUcitizen claimed that there are security problems in the Google MediaServer. Time for some myth debunking:

The GNUcitizen people say: "UPnP does not have any mechanisms for authenticating with your devices. Therefore, anyone can mess with your media. Good that Google has implemented some kind of IP/MAC based lockout features in the Media Server, but I as you understand these checks are insufficient."

Indeed, Google has implemented restrictions on which devices can access the MediaServer on your PC. In fact, you have to explicitly add each device, or allow all devices, before anything can browse your data. If you click the box "allow everyone" and all of a sudden everyone on the network can see your private Picasa pictures, then that is not a fault of UPnP. It would be the same as sharing your private directory over CIFS with guest access, or over anonymous FTP.

So, they do have a point that it might be better to have something stronger than just IP/MAC based restrictions. It is a shame that the UPnP standard for authenticating with your devices (it exists, it is called DeviceSecurity, and was made in 2003) has never taken off, because it would solve a lot of these problems.

But if you look at the functionality the Google MediaServer offers, you see that the threat is actually quite low. You can only view and browse things, just as you could if someone had stayed logged in to his/her Google account. You can't modify (upload, change, delete) data. You can't open up the data to people who are not on your LAN (unless your LAN is broken into, of course). So what is the big fuss, GNUcitizen?

© 2006-2011, Armijn Hemel/upnp-hacks.org