SMB1 Security Issue - LACK OF RESPONSE FROM SONOS

Userlevel 3
Badge +3
  1. How many people are considering moving away from SONOS due to the lack of an official response from SONOS on the SMB1 security issue?
  2. I have been a long-time supporter of SONOS and am dismayed at their lack of response to the many threads on the SMB1 security issues.
  3. I use a NAS for my music with SONOS, and this was one of the primary reasons for my first purchase when they first introduced the product to the market.
  4. I had already started upgrading my SONOS equipment to support S2 but have halted all purchases until I get an official response to the SMB1 issue.
  5. I have sent an e-mail to the SONOS CEO requesting an official response and will update this thread when I get a response to my e-mail.

19 replies

I’m not considering moving away from Sonos - I have a NAS that just has my modest music library stored on it, and given that it’s inside a (hopefully) secure, monitored home network, I’m not too bothered by the SMB-1 vulnerability. My understanding is that the benefit of SMB-2, or higher, is that the music files traverse the network encrypted rather than unencrypted, and so can presently be read and/or possibly diverted by a hacker that manages to breach my network in the first place. Seems like a lot of effort just to listen to a few songs?

I’m not going to lose sleep over that and I’m quite sure there are many vulnerabilities around us all, both known and perhaps unknown, that can likely be far worse. I do many things of course to keep the entire network perimeter secure and have things guarding the inside and monitoring the WAN traffic too, looking for intruders and trying to do my level best to keep things safe. This issue certainly isn't going to cause me to move away from my home sound system.

I’m quite sure there’s lots of other types of hacking to worry about, but I’m certainly not going to let the scaremongering around SMB change anything here. I’ve been using the music library for years and will no doubt continue to do so, as my now-old NAS is unlikely to support the upgraded version of the protocol anyway.

Userlevel 7
Badge +17

I’m not moving away from Sonos because of this, but I would like to see it repaired - including a solution for the 64k limit. In this respect I expected more from the much-hyped S2 software……

@Ken_Griffiths At this moment I do not have the time to investigate, but are you sure you represent the dangers of SMBv1 correctly? I seem to remember SMBv1 also possibly opens up your system to viruses.

> I’m not moving away from Sonos because of this, but I would like to see it repaired - including a solution for the 64k limit. In this respect I expected more from the much-hyped S2 software……
>
> @Ken_Griffiths At this moment I do not have the time to investigate, but are you sure you represent the dangers of SMBv1 correctly? I seem to remember SMBv1 also possibly opens up your system to viruses.

If you can show me the evidence to the contrary I will happily stand corrected @106rallye, but my SMB traffic is restricted to transfer of my music inside my secure network - so to intercept it, someone has to first breach the perimeter anyway - my access to the internet is via a third party (paid) monitoring service - my emails are scanned separately before I receive them (paid service too) and like everyone I try to do my level best (within my own knowledge) to stay secure.

I guess anything, or everything, is hackable given time, but I try to apply a bit of common sense. I’m sure even ‘old’ hardware devices on anyone’s network are just as easily hackable too and by old, I mean anything perhaps over 12 months old, as that most probably provides enough time for its vulnerabilities to come to light.

The router Superhub-2 from the ISP provider VirginMedia in the U.K. was recently reported as being hacked, just as an example … but many folk are likely still using that device without addressing its recently identified vulnerability. So if that was my router (it isn’t by the way) I would rush to sort the issue ASAP, but the SMB vulnerability is not one I see as being that urgent… if the hacker can get into my secure network to begin to exploit it, then in my book my security will have already failed anyway.

The SMB issue is certainly not going to turn me away from Sonos, that’s for sure.

Userlevel 7
Badge +21

If you go back and look at past posts on SMB v1 you will see that if Sonos does move to fix it, it will only be for S2 and the Sonos devices that have the internal memory needed to support the newer Linux kernel and the newer Samba software.

That is going to be a major project, lots of details are available in past posts too.

My bottom line is that the SMB v1 issue can be easily worked around and doesn’t require you to set your NAS to unsecure settings or expose your data to SMB v1 related security risks.

I’m just not dumping my house full of Sonos gear when a $35 Canakit Raspberry Pi Zero W kit will fix the problem with a few minutes of setup effort. Cheaper if you don’t need the full kit too.

Pi Setup guide: https://stan-miller.livejournal.com/357.html

Canakit Pi: https://www.amazon.com/CanaKit-Raspberry-Wireless-Complete-Starter/dp/B07CMVDHWB/ref=sr_1_8


You can also just make a dedicated Pi NAS for Sonos by adding an external drive:

https://stan-miller.livejournal.com/650.html

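What the Pi gateway described in the post above looks like in practice, as an added example (this is not the linked setup guide's script, nor anything from Sonos): the Pi mounts the real NAS share as an SMB3 client, read-only, and re-exports it over SMB1 (NT1) from a Samba instance that is pinned to the LAN interface, restricted by `hosts allow`, and read-only. The NAS itself keeps its SMB2+ minimum, so the only SMB1 speaker on the network is a throwaway box holding nothing but a read-only view of the music. The NAS address, share name, interface and subnet are hypothetical placeholders, and `ntlm auth = yes` is included on the assumption that S1 units authenticate with NTLMv1, which current Samba rejects by default; drop it if your units work without it.

```shell
#!/bin/sh
# Added example: Raspberry Pi SMB1 gateway in front of an SMB2/3-only NAS.
# Hypothetical names: NAS 192.168.1.10 share "music", Pi LAN interface eth0,
# Sonos subnet 192.168.1.0/24. Run "sh gateway.sh install" as root on the Pi.

NAS_HOST="192.168.1.10"
NAS_SHARE="music"
MOUNT_POINT="/srv/nas-music"
LAN_CIDR="192.168.1.0/24"
LAN_IF="eth0"
CREDS="/root/.nas-credentials"   # username=... / password=... lines, chmod 0600

# /etc/fstab entry: the Pi is an SMB3 *client* of the NAS, read-only. No SMB1 on this leg.
nas_fstab_line() {
    printf '//%s/%s %s cifs vers=3.0,ro,credentials=%s,uid=nobody,gid=nogroup,_netdev,x-systemd.automount 0 0\n' \
        "$NAS_HOST" "$NAS_SHARE" "$MOUNT_POINT" "$CREDS"
}

# smb.conf for the Pi: SMB1 allowed because Sonos S1 needs it, everything else locked down.
gateway_smb_conf() {
    cat <<EOF
[global]
   server role = standalone server
   # Sonos S1 only speaks SMB1; modern Samba refuses it unless the minimum is NT1.
   server min protocol = NT1
   server max protocol = SMB3
   # Assumption: S1 units authenticate with NTLMv1, which Samba disables by default.
   ntlm auth = yes
   # Listen on the LAN interface only and answer only LAN addresses.
   interfaces = lo $LAN_IF
   bind interfaces only = yes
   hosts allow = 127.0.0.1 $LAN_CIDR
   hosts deny = ALL
   map to guest = Bad User
   log level = 1

[music]
   path = $MOUNT_POINT
   read only = yes
   guest ok = yes
   browseable = yes
EOF
}

# Refuse a config that enables SMB1 without the compensating controls.
check_gateway_conf() {
    conf="$1"
    if ! printf '%s\n' "$conf" | grep -qi 'server min protocol *= *NT1'; then
        return 0   # SMB1 not enabled, nothing to check
    fi
    if ! printf '%s\n' "$conf" | grep -qi '^ *hosts allow *='; then
        echo "SMB1 enabled but no hosts allow restriction" >&2; return 1
    fi
    if ! printf '%s\n' "$conf" | grep -qi '^ *bind interfaces only *= *yes'; then
        echo "SMB1 enabled but smbd not pinned to the LAN interface" >&2; return 1
    fi
    if printf '%s\n' "$conf" | grep -Eqi '^ *(read only *= *no|writable *= *yes|writeable *= *yes)'; then
        echo "writable share exposed over SMB1" >&2; return 1
    fi
    return 0
}

install_gateway() {   # root on the Pi; Raspberry Pi OS / Debian
    apt-get install -y samba cifs-utils
    mkdir -p "$MOUNT_POINT"
    nas_fstab_line >> /etc/fstab && mount "$MOUNT_POINT"
    gateway_smb_conf > /etc/samba/smb.conf
    check_gateway_conf "$(cat /etc/samba/smb.conf)" || exit 1
    testparm -s >/dev/null && systemctl restart smbd
}

if [ "${1:-}" = "install" ]; then install_gateway; fi
```

The point of `check_gateway_conf` is that the dangerous line (`server min protocol = NT1`) is only tolerable together with the interface binding, the `hosts allow` list and a read-only share; the same check applied to a NAS config that someone "fixed" by simply lowering the minimum protocol fails on the first missing control.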
Userlevel 3
Badge +3

GOOD NEWS:

I just received an e-mail response from SONOS to one that I sent to the CEO.

S2 supporting SMB 2 and 3 will definitely happen, so I don't think there's an issue with you letting the community know. It's just the time line that isn't set, so there's no set date.

He was hopeful that this might happen by the end of the year.

The e-mail came from Matthew G, “SONOS Supervisor Customer Care”.


Userlevel 7
Badge +22

> GOOD NEWS:
>
> I just received an e-mail response from SONOS to one that I sent to the CEO.
>
> S2 supporting SMB 2 and 3 will definitely happen, so I don't think there's an issue with you letting the community know. It's just the time line that isn't set, so there's no set date.

Well finally some positive news on this. We know the One SL already has the updated SMB stack, but sadly it is buggy right now. Has anyone tried SMBv2 with a One SL? Maybe that works already. (For an accurate test you would need to power down everything that isn’t a One SL and do a Library Scan).

Userlevel 7
Badge +21

Might be fun to run some network probes against the newest Sonos gear too, see if they can return any OS info that points to changes from older gear.

Userlevel 7
Badge +21

Well I just lost 45 minutes of a long post with the version details from the nmap program, most of the time spent sanitizing personal info from the scans. <word the admins would have to remove!>

What I can recover:

Play 1:

Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16

Arc and One SL:

Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9

Be interesting to see these lines from other Sonos kit, particularly Legacy / S1 stuff.

Command: sudo nmap -A -v -O -sV 172.16.1.122

Since I made a backup of this post it is sure to go with no problems. :-(

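OS fingerprinting, as in the post above, only hints at how new a device's kernel is. The check that actually answers the thread's question for the servers on the LAN is nmap's `smb-protocols` NSE script, which asks port 445 which dialects a host will negotiate. The script below is an added example, not from this post or the guide: it runs that scan (or reads a saved one) and fails if any host other than the designated Pi gateway still offers SMBv1, which is the state you want once the NAS has been raised to SMB2+. The scan text embedded in it is constructed for the example and the addresses (NAS 192.168.1.10, gateway 192.168.1.20, a stray host 192.168.1.30) are hypothetical.

```shell
#!/bin/sh
# Added example: which SMB dialects do the servers on the LAN actually offer?
# Live use:   nmap -p445 --script smb-protocols 192.168.1.0/24 -oN scan.txt
#             sh smbcheck.sh scan.txt
# No argument: prints the host/dialect table from the constructed sample below.
GATEWAY="192.168.1.20"   # hypothetical: the only host allowed to speak SMBv1

# Constructed sample of nmap's normal (-oN) output, standing in for scan.txt.
sample_scan() {
    cat <<'EOF'
Nmap scan report for 192.168.1.10
Host is up (0.0021s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     2.02
|     2.10
|     3.00
|_    3.11

Nmap scan report for 192.168.1.20
Host is up (0.0034s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2.02
|_    3.11

Nmap scan report for 192.168.1.30
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|_    2.02
EOF
}

# Turn nmap output on stdin into "host dialect" lines; the SMBv1 dialect is
# reported by the script as "NT LM 0.12 (SMBv1) ..." and normalised to SMBv1.
smb_dialects() {
    awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }
        /^[|][ _]+(NT LM 0[.]12|[0-9][.][0-9][0-9])/ {
            d = $2
            if (d == "NT") d = "SMBv1"
            print host, d
        }'
}

# Hosts offering SMBv1 that are not the designated gateway.
smbv1_offenders() {
    smb_dialects | awk -v gw="$GATEWAY" '$2 == "SMBv1" && $1 != gw { print $1 }'
}

# Exit 1 (and name the hosts) if anything but the gateway still offers SMBv1.
audit_scan() {
    offenders=$(smbv1_offenders)
    if [ -n "$offenders" ]; then
        echo "SMBv1 offered by non-gateway hosts: $offenders" >&2
        return 1
    fi
    return 0
}

if [ $# -gt 0 ]; then audit_scan < "$1"; else sample_scan | smb_dialects; fi
```

Run against the real LAN, the NAS should list only 2.x/3.x dialects, the Pi should be the single host with SMBv1 in its list, and a Sonos unit will not appear at all since it is a client, not a server; the only way to see which dialect a Sonos unit itself negotiates is on the server side (Samba's log or `smbstatus`) during a library scan, as the earlier reply suggests.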
Userlevel 7
Badge +20

For me this is great news, not because I need the SMB upgrade; like Ken, I have a sacrificial Raspberry Pi.

However, the fact that Sonos is going to resolve this issue means they are still committed to supporting local music libraries, which is a relief. And who knows, maybe there will be a voice assistant which could select music from local libraries?

Userlevel 7
Badge +17

Great news. Would this also mean an end to the 65k limit? Or are these two things not connected?

Userlevel 7
Badge +22

> Great news. Would this also mean an end to the 65k limit? Or are these two things not connected?

Not directly connected, no, but if they are going to crack open local library support anyway then that would be the time to update the file database code as well. We know that S2 devices have a ton more flash and memory, which was one of the problems with fixing it in S1.

It would give more incentive for folks to move to S2 as well.

Userlevel 3
Badge +3

I will try to run NMAP on some of my SONOS equipment to provide some additional details. I still have three Generation 1 Play 5’s that cannot be updated to S2.

Userlevel 7
Badge +21

A lot of the limits on Sonos internal data/storage could be relaxed in S2, much of it wouldn’t even require a newer kernel.

It would take programmer time and testing, which are expensive, so Sonos is only likely to do things that are popular requests.

> GOOD NEWS:
>
> I just received an e-mail response from SONOS to one that I sent to the CEO.
>
> S2 supporting SMB 2 and 3 will definitely happen, so I don't think there's an issue with you letting the community know. It's just the time line that isn't set, so there's no set date.
>
> He was hopeful that this might happen by the end of the year.
>
> The e-mail came from Matthew G, “SONOS Supervisor Customer Care”.

+1

I am the happy owner of an old setup still running S1 (I have a Sonos Connect to feed my HiFi system) and I am using both streaming from online services and my local library (on a NAS).

Recently my girlfriend had an issue with her new MacBook that required updating the minimum SMB version on the NAS to SMB2. Then I realized that the Sonos products couldn't access my local library anymore (stored on the same NAS).

So far I have resisted the incentive to move to S2 since my setup was working perfectly (and I was several times upset about the pushy behavior of the app, but that's another story...). Nonetheless, I understand that 10+ year-old products may not be upgradable to run “new” protocols, and I would consider upgrading my Connect to run S2 if it would allow me to use SMB2/3.

If not, I am not sure what I would do… The RPi solution seems doable, but honestly, given the price tag of Sonos products, I think it shouldn't be required to fiddle with that kind of stuff. I haven’t looked into competing solutions yet, but I probably would.

I’m looking forward to further news from Sonos on this topic.

Userlevel 7
Badge +20

Just buy a cheap nas for storing your Sonos library only.  If you have an old hard drive you could use that.  Will work out far cheaper.

Have a look at the competition too, it may suit you, but don’t expect many of them to be working in 10 years time.

Userlevel 7
Badge +21

Cheap NAS is a solution BUT don’t get screwed like I did by WD, they sold me a MyBook Live and quickly stopped offering security updates making it risky to keep on-line. Then there were the RF noise issues, placing within a couple feet of a WiFi device would knock it off line.

The Pi SMB v1 gateway is the cheap solution if you have your music on a NAS already. Very low maintenance, just a few security updates needed if you pick the bare-bones Pi OS.

A  Pi SMB v1 server isn’t much more expensive and can use a salvaged hard drive and $10 USB-SATA cable.

Either one of these can be hosted on any SMB v1 capable machine, the same instructions apply.

Many folks are finding switching to the Mac or Windows non-SMB server option is their best option.


What Sonos did that made this mess is what almost every other embedded computer manufacturer did: cheaped out on RAM and ROM, limiting expansion. What Sonos has done differently than any other manufacturer I own gear from is to keep as much old gear usable as possible. Then they throw in the upgrade and trade options that nobody else I use has ever offered.

Many thanks for the answers. Indeed a cheap NAS would be an option, but I live in a small flat and try to avoid piling up unnecessary devices. The Pi SMB gateway would work too, especially since I already own one… So I will probably go for that.

> Many folks are finding switching to the Mac or Windows non-SMB server option is their best option.

Could you be more specific? What alternatives do you suggest?

Userlevel 7
Badge +21

Only ones I’m aware of are the Sonos software packages for the Mac or Windows.

https://support.sonos.com/s/downloads?language=en_US

> Only ones I’m aware of are the Sonos software packages for the Mac or Windows.
>
> https://support.sonos.com/s/downloads?language=en_US

I see, thanks.

By the way, I was able to setup my Raspberry Pi to serve the NAS files using SMBv1 thanks to your tutorial, so thanks for that too!
