Announcements:

06/09/2006 New IPv6 block has been assigned.


The Internet Traffic Report monitors the flow of data around the world.

SANS Internet Storm Center (ISC)
Infocon Status / Threat Level: green
Handler on Duty: Rob VandenBrink



Possible Scans for HiByMusic Devices

Published: 2022-06-28
Last Updated: 2022-06-28 15:52:36 UTC
by Johannes Ullrich (Version: 1)

HiBy is a brand of portable music players built around the Android operating system. Probably a bit comparable to the now-defunct iPod touch, the device does use a close to "stock" version of Android and adds its own "HiByMusic" application as a music player. The hardware includes a Snapdragon ARM CPU standard on Android devices and attempts to distinguish itself with DACs claimed to be better than those found in other devices.

Image of HiBy device from store.hiby.com

The device offers a feature to load custom network radio station URLs via a "radio.txt" file. The file is a simple text file with a list of URLs. For example:

Radio Dismuke 1920s-30s pop/jazz, http://74.208.197.50:8020/stream.mp3
SomaFM: Heavyweight Reggae, http://ice2.somafm.com/reggae-256.mp3
SomaFM: Groove Salad, http://ice5.somafm.com/groovesalad-256.mp3
SomaFM: Groove Salad Classic, http://ice4.somafm.com/gsclassic-128.mp3
(sample of a radio.txt file found here: https://www.head-fi.org)

I was a bit surprised that we recently started seeing some scans looking for radio.txt files based on our "First Seen" report. The number of submissions is small. (see the URL History for radio.txt)

So the question is: why?

  • I found one vulnerability specific to HiByMusic: CVE-2021-44124. It is a simple directory traversal and may result in information leakage. I don't think this is all that interesting but sure. Maybe other vulnerabilities have not yet been made public, or the attacker is looking for generic Android issues.
  • radio.txt files may include internal audio sources that are not openly advertised. This could leak information.
  • Or just someone essentially trying to build a "radio station spider" to find as many publicly available radio stations as possible. Does anybody know if this "radio.txt" file is unique to HiByMusic, or if other players use files like this?

At least one more report is not linked to our data observing requests for radio.txt.

Any ideas about what's going on here? 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
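
The diary's second bullet notes that a radio.txt may list internal audio sources. As an added example (not part of the original diary or of HiBy's software), the Python code below parses the "name, URL" format shown in the sample and flags entries whose host is a non-public address or an internal-looking name, so a file can be reviewed before it is placed anywhere reachable. The sample lines beyond the two diary entries and the suffix list are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: two entries from the diary's example plus three
# invented lines (internal address, single-label host, malformed entry).
SAMPLE_RADIO_TXT = """\
Radio Dismuke 1920s-30s pop/jazz, http://74.208.197.50:8020/stream.mp3
SomaFM: Groove Salad, http://ice5.somafm.com/groovesalad-256.mp3
Office lobby feed, http://10.20.0.15:8000/lobby.mp3
Studio monitor, local, http://studio-encoder:8000/live
this line has no url
"""
# Assumed, illustrative list of DNS suffixes that only resolve internally.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".home.arpa")

def parse_radio_txt(text):
    """Yield (line_no, name, url); url is None when the line is malformed."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Station names may contain commas, so split on the last one only.
        name, sep, url = line.rpartition(",")
        url = url.strip()
        if sep and url.lower().startswith(("http://", "https://")):
            yield line_no, name.strip(), url
        else:
            yield line_no, line, None

def classify_host(url):
    """Return why the URL's host looks internal, or None if it looks public."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal, so judge the DNS name
        if "." not in host:
            return "single-label hostname"
        if host.endswith(INTERNAL_SUFFIXES):
            return "internal DNS suffix"
        return None
    return None if ip.is_global else "non-public address"

def audit(text):
    """Return [(line_no, name, reason)] for entries to review before publishing."""
    findings = []
    for line_no, name, url in parse_radio_txt(text):
        reason = "malformed entry" if url is None else classify_host(url)
        if reason:
            findings.append((line_no, name, reason))
    return findings
```

A URL that itself contains a comma is split in the wrong place and reported as a malformed entry, so it still lands in the review list rather than passing silently.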


News:
Friday June 09, 2006
New IPv6 block has been assigned.
[ Posted by: sgrayban | Time: 03:59:10 AM ]
[ Category: Site News | Comments (disabled due to spamming) ]


This IPv6 block is now assigned by RIPE.

RIPE handle: SG4196-RIPE
Allocated range: 2a01:b0:10d9::/48


All content on this website (including text, photographs, audio files, and any other original works), unless otherwise noted, is licensed under a Creative Commons License.

Star Trek® is a registered trademark of Paramount Pictures.
No copyright infringement is intended and no profit is being made.

Website & Content
Copyright © 1997-2005 Scott Grayban
Page last updated: Thursday July 09, 2020 - 05:30:36 PM PDT
$Id: index.shtml 241 2008-09-26 05:30:09Z sgrayban $