Currently any Home user can escalate themselves to full server administration (via the web app) by simply brute-forcing the 4-digit PIN "security", which has no brute-force mitigation at all.
Sometimes it is as easy as looking at the TV: the PIN entry should be hidden so that not everybody in the room can see it (mod: enter the PIN via the remote's keypad).
Anyone can simply guess the four digits: start at 0000 and try for a few minutes every evening, or take the even simpler approach of doing it via the web (e.g. a browser extension that fills out the form and presses enter for you, or a simple loop of HTTP requests [try one out: Firefox Network tab → Save as cURL → replace the PIN in a simple loop]).
Additionally, the option to use a more secure PIN (e.g. security on login with an alphanumeric or 6-digit PIN) would be great as well.
Potential Solutions:
- Require the account password for any action that goes beyond watching content (accessing server/account settings)
- Notifications (e-mail/mobile push) on every login that was performed using the PIN
- Make it possible to have more secure PINs (longer or alphanumeric)
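The throttling and notification mitigations proposed above, written out as an added example that is not the product's own code; `PinGuard`, `MAX_FREE_ATTEMPTS`, `BASE_DELAY` and the `notify` callback are hypothetical names. Back-off after a handful of failures turns the 10,000-guess search into hours of waiting instead of seconds:

```python
import hashlib
import hmac
import time

# Added example (not the product's code): PIN verification with attempt
# throttling and a login-notification hook. All names are hypothetical.
MAX_FREE_ATTEMPTS = 5   # failures allowed before back-off kicks in
BASE_DELAY = 2.0        # seconds; doubles on every further failure


def _digest(pin: str) -> bytes:
    # Store and compare a hash of the PIN rather than the PIN itself.
    return hashlib.sha256(pin.encode()).digest()


class PinGuard:
    def __init__(self, pin: str, notify=None, clock=time.monotonic):
        self._pin_hash = _digest(pin)
        self._notify = notify          # e.g. send e-mail/push on a PIN login
        self._clock = clock            # injectable so tests can fake time
        self._failures = 0
        self._locked_until = 0.0

    def locked_for(self) -> float:
        """Seconds until the next attempt is accepted (0 when not throttled)."""
        return max(0.0, self._locked_until - self._clock())

    def verify(self, candidate: str) -> bool:
        if self.locked_for() > 0:
            return False               # throttled: reject without comparing
        # Constant-time comparison so response timing does not leak digits.
        if hmac.compare_digest(self._pin_hash, _digest(candidate)):
            self._failures = 0
            if self._notify:
                self._notify("login via PIN")
            return True
        self._failures += 1
        excess = self._failures - MAX_FREE_ATTEMPTS
        if excess >= 0:
            # 2 s, 4 s, 8 s, ... : exhausting 10,000 PINs becomes impractical
            self._locked_until = self._clock() + BASE_DELAY * (2 ** excess)
        return False
```

Even with throttling, a 4-digit PIN stays guessable by someone watching the screen, so the hidden entry and account-password requirement above still matter.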