Kodi includes a powerful web interface that can be used with any browser, but also sits behind the remote control application you use on your phone, or the web front end on your tablet – if you’re using Kore, or Chorus, or one of the numerous alternatives, then you’re using this interface. However, it has recently been brought to our attention that not all users follow security best practices when enabling this functionality, and are thus exposing themselves to danger. This is partially our fault, since we have not been completely clear about the implications of enabling external interfaces in Kodi. The next Kodi release, 19.x “Matrix”, will provide more context when interfaces are enabled, and require a password for the web interface by default. This blog post will detail how you could be affected by an exposed interface at the moment, however, and what to do about it.
- Do not use the Kodi web server without setting a reasonably-secure password.
- Do not expose any Kodi external interface (web server, JSON-RPC, event server …) directly to the Internet.
- Do not enable any external interface in Kodi that you don’t actually use. This is especially true for the JSON-RPC service when exposed on all interfaces.
The interfaces Kodi provides for external control are, by design, very powerful. It’s possible to use the remote control functionality to execute arbitrary code on the box that Kodi runs on, just like you could do this using a traditional IR remote when sitting in front of the TV. In effect, this means that a machine can be completely taken over by an attacker that has access to the web or JSON-RPC interface.
Also, keep in mind that neither JSON-RPC over TCP nor EventServer (enabled with the “Allow remote control from applications” setting in Kodi) offer any authentication, so they should usually be restricted to access solely from the box on which Kodi is running (“Allow remote control from applications on this system“).
We hope this clears some of the confusion and, as always, you can head to the forums if you have any questions.
With grateful thanks to Jacob Baines of Tenable, Inc., for highlighting this problem.