MSS-SK-2026-0003
Dummy security strategy allows all operations (default)
Summary
src/dummysecurity.ts implements the dummy security strategy: shouldAllowWrite, shouldAllowPut and checkACL always return true, authorizeWS is a no-op, and filterReadDelta passes deltas through unfiltered. This is the DEFAULT on new installs. Any LAN device can read all data, write deltas, and install plugins.
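The fail-open behaviour described above, as an added example: a constructed JavaScript model, not code from the Signal K source or from this advisory's proof of concept. The hook names come from the summary; the argument lists, the req.principal field, the denyByDefaultStrategy object and the auditStrategy helper are assumptions made for illustration.

```javascript
// Added example: constructed model, not Signal K source code.
// Hook names come from the advisory; every signature below is an assumption.

// Behaviour the advisory describes for the default (dummy) strategy.
const dummyStrategy = {
  shouldAllowWrite: (req, delta) => true,
  shouldAllowPut: (req, context, source, path) => true,
  checkACL: (principal, context, path, source, op) => true,
  authorizeWS: (req) => {},                      // no-op: never rejects
  filterReadDelta: (principal, delta) => delta,  // passthrough
};

// Hypothetical fail-closed counterpart: no principal means no access.
const denyByDefaultStrategy = {
  shouldAllowWrite: (req) => Boolean(req.principal && req.principal.canWrite),
  shouldAllowPut: (req) => Boolean(req.principal && req.principal.canWrite),
  checkACL: (principal) => Boolean(principal),
  authorizeWS: (req) => {
    if (!req.principal) throw new Error('unauthenticated websocket');
  },
  filterReadDelta: (principal, delta) => (principal ? delta : null),
};

// Call every hook as an anonymous client and list the hooks that fail open.
function auditStrategy(strategy) {
  const anon = { principal: undefined };                   // constructed request
  const delta = { context: 'vessels.self', updates: [] };  // constructed delta
  const open = [];
  if (strategy.shouldAllowWrite(anon, delta)) open.push('shouldAllowWrite');
  if (strategy.shouldAllowPut(anon, 'vessels.self', null, 'a.b')) open.push('shouldAllowPut');
  if (strategy.checkACL(undefined, 'vessels.self', 'a.b', null, 'read')) open.push('checkACL');
  try {
    strategy.authorizeWS(anon);
    open.push('authorizeWS');          // returned normally: connection accepted
  } catch (e) { /* rejected, as a fail-closed strategy should */ }
  if (strategy.filterReadDelta(undefined, delta) !== null) open.push('filterReadDelta');
  return open;
}

console.log('dummy:', auditStrategy(dummyStrategy));
console.log('deny-by-default:', auditStrategy(denyByDefaultStrategy));
```

A check of this shape can run as a regression test against whichever strategy a build ships as its default, so an allow-all default fails the build.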
Impact
A default install exposes the entire vessel to the LAN (marina WiFi, guest networks).
Evidence — code citations
Proof of concept
research/audits/signalk/exploits/0003-dummy-security-default.js/
- 0003-dummy-security-default.js (single-file)