From SpinetiX Support Wiki


This page relates to security of the SpinetiX devices.

See the dedicated article about Meltdown and Spectre vulnerabilities.

Operating System

The SpinetiX player hardware is designed exclusively for running SpinetiX firmware and no unsigned code can be executed on the device!

The SpinetiX player operating system is built into the device firmware and is based on the Linux kernel, with different adaptations and security patches applied specifically for SpinetiX players. The embedded OS cannot be changed in any way and no other OS can be installed on the player.

The player embedded firmware governs how the device functions and provides low-level control, monitoring and data manipulation of the SpinetiX device. All firmware releases are signed by SpinetiX: any firmware that is not supplied by SpinetiX will not install on the SpinetiX player, because its signature will not match. This ensures complete security from malicious code and extremely high reliability.

No third-party drivers or applications can be installed on the player, including any drivers for Wi-Fi USB adapters, touchscreens or other USB devices; for interactivity via USB, only the HID standard protocol is supported.


  • The HMP device was designed to be used within a local network and it is not recommended to have the HMP connected directly to the Internet, as it does not have a firewall. For more details about remote access, see the Network access page.
  • The two essential ports for access to an HMP are: TCP 80 (for access to Control Center) and TCP 81 (for publishing). The rest of the network ports that might be used by the HMP are detailed on the Ports page.
  • The HMP supports basic, digest, and NTLM authentication methods for connecting to web servers requiring authentication.
  • When accessing the HMP protected areas (e.g., HMP Control Center, Fusion etc.), digest access authentication is used.
  • The HMP supports SNMP version 2c (with read-only access), does not generate SNMP traps, and runs Net-SNMP 5.4 (fully patched). Access to SNMP is disabled by default. For more details, see the SNMP monitoring page.
  • The IEEE 802.1X network protocol is not implemented on the HMP. As alternatives, MAC address filtering at the switch port level or MAB (MAC Authentication Bypass) can be used in a protected network environment.
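The list above says the protected areas on ports 80 and 81 use digest access authentication. The following added example (not SpinetiX code) shows what that means in practice: how a client should vet the WWW-Authenticate challenge an HMP returns and how the RFC 2617 response is derived so that the password itself never crosses the network. The "Content Area" realm comes from the profile.xml excerpt further down this page; the nonce, opaque value and the Basic-only "legacy-server.example" entry are constructed sample data.

```python
"""Checks for the HMP's password-protected areas (constructed example, not SpinetiX code).

Ports 80 (Control Center) and 81 (content/WebDAV) answer with a Digest challenge
once a password is set; the client never sends the password itself, only an
MD5-based response bound to the server nonce (RFC 2617)."""
import hashlib
import re
import secrets

# WWW-Authenticate values as a client sees them in a 401 reply.
# "Content Area" is the realm shown on this page for port 81; the nonce, opaque
# value and the Basic-only legacy server are constructed sample data.
SAMPLE_CHALLENGES = {
    "http://spx-hmp-XXXXXXXXXXXXX.local.:81/": (
        'Digest realm="Content Area", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
        'qop="auth", opaque="5ccc069c403ebaf9f0171e9517f40e41"'
    ),
    "http://legacy-server.example/": 'Basic realm="Admin"',
}


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.partition(" ")
    params = {k: v for k, v in re.findall(r'(\w+)="?([^",]*)"?', rest)}
    return scheme, params


def challenge_is_acceptable(header):
    """A protected HMP area must demand Digest (never Basic, which carries the
    password base64-encoded in clear) and offer qop=auth so the response is
    also bound to a client nonce."""
    scheme, params = parse_challenge(header)
    return scheme.lower() == "digest" and "auth" in params.get("qop", "").split(",")


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2), with
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    def md5(s):
        return hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def authorization_header(user, password, method, uri, challenge, nc=1, cnonce=None):
    """Build the Authorization header answering `challenge`; refuses anything but Digest."""
    scheme, p = parse_challenge(challenge)
    if scheme.lower() != "digest":
        raise ValueError(f"refusing to send credentials for {scheme} challenge")
    cnonce = cnonce or secrets.token_hex(8)
    nc_hex = f"{nc:08x}"
    response = digest_response(user, password, p["realm"], method, uri, p["nonce"], nc_hex, cnonce)
    fields = [
        f'username="{user}"', f'realm="{p["realm"]}"', f'nonce="{p["nonce"]}"',
        f'uri="{uri}"', "qop=auth", f"nc={nc_hex}", f'cnonce="{cnonce}"',
        f'response="{response}"',
    ]
    if "opaque" in p:
        fields.append(f'opaque="{p["opaque"]}"')
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    for url, challenge in SAMPLE_CHALLENGES.items():
        print(url, "OK" if challenge_is_acceptable(challenge) else "WEAK: " + challenge)
```

Digest keeps the password out of the HTTP exchange, but the response is still an MD5 value that can be guessed offline by anyone who captured the exchange on the local network, which is one more reason to keep the player off the public Internet and to set long passwords for the content and administration users.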


All player models are able to access remote resources via HTTPS.

DiVA, HMP300 and HMP350 devices can be accessed using a secured URL (HTTPS).

  • The web interface is now also available on the standard HTTPS port (443) and is thus reachable via https://HMP_address.
  • The WebDAV interface for content publishing over HTTPS is available on port 9802 (standard WebDAV port) and is thus reachable via https://HMP_address:9802.
  • The SSL/TLS certificate is an automatically generated self-signed certificate.
  • Since firmware 4.0.0, it is possible to upload user certificates using the Server Certificates section of the Network settings.

HMP200, HMP130, and HMP100 models cannot be accessed using a secured URL (HTTPS).


Possible SSL errors

  • SSL handshake failed: SSL error code -1/1/336032856
    This can happen when the hostname reported by the server does not match the hostname given in the SSL certificate. Make sure your server configuration uses correct values for ServerName and NameVirtualHost.
  • Server certificate verification failed: certificate has expired, certificate issued for a different hostname, issuer is not trusted
    This can happen when the certificate has expired or has been issued for a different hostname or when the issuer is not trusted.
  • SSL handshake failed: SSL error: unknown message digest algorithm
    The sha256WithRSAEncryption algorithm was not supported before 3.1.0 release. The solution is to update the firmware on the HMP or use sha1WithRSAEncryption algorithm when generating the certificate.
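The three errors above all come down to properties of the server's certificate that can be checked before the player is pointed at it. The added example below (not SpinetiX code) does that for a certificate summary laid out the way Python's ssl.SSLSocket.getpeercert() reports it, with the signature algorithm added as a separate field; it flags a hostname mismatch, an expired certificate, an issuer outside the operator's trusted list (including a self-signed one) and the sha256WithRSAEncryption-before-3.1.0 case. The certificate values, hostnames and CA name are constructed sample data.

```python
"""Pre-flight check of a web server certificate against the SSL errors listed
on this page (constructed example, not SpinetiX code)."""
import ssl
import time

# Certificate summary in the field layout ssl.SSLSocket.getpeercert() returns,
# plus the signature algorithm as 'openssl x509 -text' names it. All values are
# constructed sample data; the hostnames are not real servers.
SAMPLE_CERT = {
    "subject": ((("commonName", "media.example"),),),
    "issuer": ((("commonName", "Example Corp Root CA"),),),
    "subjectAltName": (("DNS", "media.example"), ("DNS", "*.cdn.example")),
    "notBefore": "Mar 16 19:38:00 2018 GMT",
    "notAfter": "Mar 16 19:38:00 2028 GMT",
    "signatureAlgorithm": "sha256WithRSAEncryption",
}


def common_name(name):
    """commonName from a getpeercert()-style sequence of RDNs."""
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)


def hostname_matches(cert, hostname):
    """SAN dNSName entries are authoritative; CN is only a fallback when the
    certificate carries no SAN. A '*' may replace exactly one leftmost label."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [common_name(cert["subject"])]
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        labels = name.lower().split(".")
        if len(labels) != len(host) or len(labels) < 2:
            continue
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) > 2 and labels[1:] == host[1:]:
            return True
    return False


def diagnose(cert, hostname, firmware="4.0.0", trusted_issuers=(), now=None):
    """Return the SSL error reasons the HMP would report for this server.
    `now` may be a certificate-style time string or seconds since the epoch."""
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    errors = []
    if not hostname_matches(cert, hostname):
        errors.append("certificate issued for a different hostname")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        errors.append("certificate has expired")
    # Name-based check of the issuer only; real verification walks the chain.
    issuer = common_name(cert["issuer"])
    if issuer not in trusted_issuers:
        kind = "self-signed" if issuer == common_name(cert["subject"]) else issuer
        errors.append(f"issuer is not trusted ({kind})")
    version = tuple(int(x) for x in firmware.split("."))
    if cert["signatureAlgorithm"] == "sha256WithRSAEncryption" and version < (3, 1, 0):
        errors.append("unknown message digest algorithm (sha256 needs firmware 3.1.0 or later)")
    return errors


if __name__ == "__main__":
    for fw in ("3.0.2", "4.0.0"):
        print(fw, diagnose(SAMPLE_CERT, "media.example", fw, ("Example Corp Root CA",)))
```

Run against a real server, the summary would be filled from a verified TLS connection; the point of the pure function is that the same checks can be applied to a certificate file during a change review, so that the firmware update or the re-issued certificate is scheduled before the players start failing.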

Access security

The access to the HMP can be protected by passwords configurable on the "Security" page in Control Center interface.

Note:
If you have multiple HMPs and want to set or change their passwords centrally rather than manually from Control Center (for instance, to set a new password for all the HMPs every 30 days), you can use the RPC set_password feature of the player.

Security warnings

False positives

Some security-scan products, also known as vulnerability and configuration assessment products (for instance Nessus), might report various security warnings related to the player; however, these are false positives (i.e., nothing to worry about). Some examples of such security warnings are presented below (the format is "Service (Port)"):

  • hosts2-ns(81/tcp): WebDAV
    The WebDAV module is enabled on port 81 of the device (i.e., the HMP internal content server) in order to allow pushing content onto the HMP.
    It cannot be disabled because it is one of the HMP's fundamental services; nevertheless, access to the content interface can be secured by setting a password for the content user (of course, the password should be set before running such security tests).
    The main HMP interface (running on port 80) cannot be browsed or modified using WebDAV, except for the /content path, where the HMP content interface is replicated (but that includes the security settings as well). Of course, the administration area should be secured as well.

Apache modules

Network security scans might sometimes report potential vulnerabilities affecting the version of Apache being used; however, the HMP only implements a limited set of modules, so these do not apply.


See the dedicated page about Common Vulnerabilities and Exposures.

See also the dedicated article about Meltdown and Spectre vulnerabilities.

Passwords stored by Elementi

The credentials required when accessing players, Publish Locations or resources from web servers are managed from the Menu > Settings > Network Credentials... dialog. The passwords are not displayed in clear until the "Show Passwords" button is clicked.

The data is stored as encrypted hashes inside the profile.xml file (found in the Application Data\SpinetiX\Elementi folder), under the "credentials" section:

  <spx:auth realm="" host="" user="content" passwd="QAAANCoAwE/Cl+sBUYdUu+Ow..."/>
  <spx:auth realm="Content Area" host="http://spx-hmp-XXXXXXXXXXXXX.local.:81" user="content" passwd="bJ9WAQAAANCMnd8BE8AA..."/>
  <spx:auth realm="" host="" user="" passwd="AQAAANCMnd8APEQma+rpGYWmxLmCcZ1Lc..."/>
  <spx:auth realm="SYNO_WebDAV Storage" host="http://synology-nas:5005/projects/MyProject/" user="hmp" 

Notes:
  • The profile.xml file cannot be copied to and used on another machine, because the data is encrypted with the UID of the login name of the user account on the machine; even if another user has the same name, the UID will not be the same.
  • If you have a group of HMPs all using one password, delete the value of the "host" parameter above (leaving just two double quotes). This will result in Elementi / HMD attempting to use this password first for every player it publishes to. Players with different passwords will prompt with the standard login dialog.
  • If you have multiple groups of HMPs with different passwords per group, you can copy and paste the entire <spx:auth> tag above and replace the hostname in each case.
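The two notes above describe hand edits to the credentials section. The added example below (not SpinetiX or Elementi code) performs the same edits with a parser, so that the entries can be inventoried with the password blobs masked, wildcard (empty-host) entries are made visible, and the per-group duplication of an <spx:auth> tag is done without typos. The page only shows the <spx:auth> lines themselves, so the surrounding profile envelope, the credentials element name and the spx namespace URI are assumptions; the password values are the truncated blobs shown on this page.

```python
"""Inventory and per-group duplication of Elementi's stored credentials
(constructed example, not SpinetiX code)."""
import xml.etree.ElementTree as ET

# The profile.xml envelope and the spx namespace URI are assumptions: the page
# only shows the <spx:auth> lines. Password values are the truncated blobs
# from the page and are never printed by this script.
SPX_NS = "urn:example:spinetix-profile"
NS = {"spx": SPX_NS}
ET.register_namespace("spx", SPX_NS)

SAMPLE_PROFILE = f"""<?xml version="1.0"?>
<profile xmlns:spx="{SPX_NS}">
  <credentials>
    <spx:auth realm="" host="" user="content" passwd="QAAANCoAwE/Cl+sBUYdUu+Ow..."/>
    <spx:auth realm="Content Area" host="http://spx-hmp-XXXXXXXXXXXXX.local.:81" user="content" passwd="bJ9WAQAAANCMnd8BE8AA..."/>
    <spx:auth realm="SYNO_WebDAV Storage" host="http://synology-nas:5005/projects/MyProject/" user="hmp" passwd="AQAAANCMnd8APEQma+rpGYWmxLmCcZ1Lc..."/>
  </credentials>
</profile>
"""


def load_credentials(xml_text):
    """List stored entries with the password blob masked; an empty host marks
    the wildcard entry Elementi tries first for every player."""
    root = ET.fromstring(xml_text)
    entries = []
    for e in root.iterfind(".//spx:auth", NS):
        entries.append({
            "realm": e.get("realm", ""),
            "host": e.get("host", ""),
            "user": e.get("user", ""),
            "wildcard": e.get("host", "") == "",
            "has_password": bool(e.get("passwd")),
        })
    return entries


def add_group_entries(xml_text, realm, hosts):
    """Copy the <spx:auth> entry for `realm` once per host, as the page
    describes for groups of players sharing one password. The passwd blob
    stays usable only because the file remains on the same user account."""
    root = ET.fromstring(xml_text)
    parent = root.find(".//credentials")
    template = next(e for e in parent.iterfind("spx:auth", NS) if e.get("realm") == realm)
    for host in hosts:
        copy = ET.SubElement(parent, template.tag, dict(template.attrib))
        copy.set("host", host)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for entry in load_credentials(SAMPLE_PROFILE):
        flag = " (wildcard: tried first for every player)" if entry["wildcard"] else ""
        print(f'{entry["user"]!r} @ {entry["host"] or "<any host>"} realm={entry["realm"]!r}{flag}')
```

A wildcard entry is convenient for a fleet that shares one password, but it also means that password is offered to every host Elementi publishes to, so it is worth listing such entries when reviewing a workstation that publishes to players outside the controlled network.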
This page was last modified on 16 March 2018, at 19:38.