[ZihangZ]

Yeah, this is pretty common once a device has any real DSP in it. There's usually some stripped-down Linux on an ARM SoC underneath, and the vendor BSP just happens to ship with sshd on.

Not necessarily malice, more like nobody on the audio side really owns the rootfs.

The big question is whether it's only listening on the USB-side network, or on the actual LAN. First one is annoying. Second one would actually bother me.

[hhh]

It is listening on the LAN. It connects over wifi only when you use certain features, so i didn’t test if that interface is listening as well.

[ZihangZ]

Yeah, LAN is the line for me. USB-side sshd is a weird dev leftover; LAN means it’s now in the home threat model.

[surajrmal]

Linux defaults are unfortunately not great for production of devices of this nature. By comparison, android ships with 3 default image types, eng, userdebug, and user. By creating this system of preconfigured defaults, it makes it easy to avoid this sort of mistake.