Except i have this vidid picture in my head - how on learning the news, couple of CxO @Roku would be running around, flailing their appendages and wailing how everything is lost and what a PR disaster that is. Which personally makes me concerned that some management knee-jerk reaction may lead to unreasonable actions like shutting down ECP (AKA throwing the baby out with the bathwater).
So I want to bring this here for discussion, together with some ideas/suggestions. I hope it does not trigger a common NIH syndrome.
My proposals for a fix:
- By default, limit UPnP and ECP access to only the local network (i.e. they accept incoming connections only from IPs within the network mask)
- There are legitimate cases where UPnP/ECP access might be needed from outside the players subnet (e.g. network segmentation; multi-segment SOHO). That's relatively rare but allow for that akin to the "disable network pings" in Platform Secret Screen. I.e. allow with a checkbox the system integrator to broaden the horizon; to lift the limitation at their own risk.
- If after all that, restart and factory reset from the menu are still a concern - implement a PIN feedback loop for these. I.e. when restart is selected, ask the user to confirm by punching a 2-digit PIN code - which is different every time. This will verify that indeed whosever invokes the operation has a "visual access" to the player, can see the screen prompt.