Rode audio interface has SSH enabled by default with hardcoded keys

Original: My audio interface has SSH enabled by default

Why This Matters

Reveals widespread security vulnerabilities in consumer audio hardware devices

A security researcher discovered that the Rodecaster Duo audio interface ships with SSH enabled by default and contains hardcoded SSH keys in its firmware. The device uses unsigned firmware updates and lacks security controls.

A security researcher examining the Rodecaster Duo audio interface found multiple security issues. The device ships with SSH enabled by default, accepting only public key authentication, with hardcoded RSA and Ed25519 keys embedded in the firmware. During firmware analysis, the researcher discovered that the update process uses gzipped tarballs that are unsigned and applied without signature verification. The device has dual boot partitions for recovery but lacks proper security controls. The firmware update protocol uses simple HID commands, each a single ASCII character sent over HID report 1: 'M' to enter update mode and 'U' to trigger the update. The researcher successfully reverse-engineered the update process and created tools to manually update devices, highlighting the lack of proper firmware security measures in consumer audio equipment.
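A defender reviewing such an image can inventory the SSH keys baked into it before the device reaches a network. The sketch below is an added example, not code from the original write-up or the researcher's tools; it scans a gzipped firmware tarball for `authorized_keys` files and reports each key's type and SHA256 fingerprint. The file paths and key blobs in the sample image are constructed for illustration.

```python
import base64
import hashlib
import io
import tarfile

KEY_TYPES = ("ssh-rsa", "ssh-ed25519")  # the two key types the write-up mentions

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_embedded_keys(tarball_bytes):
    """Return (path, key_type, fingerprint) for every key in authorized_keys files."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith("authorized_keys")):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for line in text.splitlines():
                fields = [] if line.lstrip().startswith("#") else line.split()
                for i, tok in enumerate(fields[:-1]):  # options may precede the type
                    if tok in KEY_TYPES:
                        try:
                            findings.append((member.name, tok, fingerprint(fields[i + 1])))
                        except ValueError:  # blob is not valid base64
                            pass
                        break
    return findings

def build_sample_image():
    """Constructed stand-in for a firmware tarball; paths and key blobs are made up."""
    def blob(kind):
        return base64.b64encode(b"\x00\x00\x00" + bytes([len(kind)]) + kind + bytes(32)).decode()
    keys = ("# constructed sample\n"
            f"ssh-rsa {blob(b'ssh-rsa')} factory\n"
            f"ssh-ed25519 {blob(b'ssh-ed25519')} factory\n").encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("etc/hostname", b"device\n"), ("root/.ssh/authorized_keys", keys)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    for path, kind, fp in find_embedded_keys(build_sample_image()):
        print(path, kind, fp)
```

Fingerprints found this way can be compared across firmware versions and devices; an identical fingerprint on every unit indicates a shared key rather than a per-device one.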

Source

hhh.hn