SMB1 Security Issue - LACK OF RESPONSE FROM SONOS

  • 15 August 2021
  • 40 replies
  • 6392 views

Userlevel 4
Badge +5
  1. How many people are considering moving away from SONOS due to the lack of an official response from SONOS on the SMB 1 security issue?
  2. I have been a long time supporter of SONOS and am dismayed at their lack of response to the many threads on the SMB1 security issues.
  3. I use a NAS for my music with SONOS and this was one of the primary reasons for my first purchase when they first introduced the product to the market.
  4. I had already started upgrading my SONOS equipment to support S2 but have halted all purchases until I get an official response to the SMB1 issue.
  5. I have sent an E-Mail to the SONOS CEO requesting an official response and will update this thread when I get a response to my E-Mail.


I’m not considering moving away from Sonos - I have a NAS that just has my modest music library stored on it and, given that it’s inside a (hopefully) secure monitored home network, I’m not too bothered by the SMB-1 vulnerability. My understanding is that the benefit of SMB-2, or higher, is that the music files traverse the network encrypted rather than unencrypted, and so can presently be read and/or possibly diverted by a hacker that manages to breach my network in the first place. Seems like a lot of effort just to listen to a few songs?

I’m not going to lose sleep over that and I’m quite sure there are many vulnerabilities around us all, both known and perhaps unknown, that can likely be far worse. I do many things of course to keep the entire network perimeter secure and have things guarding the inside and monitoring the WAN traffic too, looking for intruders and trying to do my level best to keep things safe. This issue certainly isn't going to cause me to move away from my home sound system.

I’m quite sure there’s lots of other types of hacking to worry about, but I’m certainly not going to let the scaremongering around SMB change anything here. I’ve been using the music library for years and will no doubt continue to do so, as my now-old NAS will unlikely support the upgraded version of the protocol anyway.

Userlevel 7
Badge +17

I’m not moving away from Sonos because of this, but I would like to see it repaired - including a solution for the 64k limit. In this respect I expected more from the much hyped S2 software……

@Ken_Griffiths At this moment I do not have the time to investigate, but are you sure you represent the dangers of SMBv1 right? I seem to remember SMBv1 is also possibly opening up your system to viruses.

> I’m not moving away from Sonos because of this, but I would like to see it repaired - including a solution for the 64k limit. In this respect I expected more from the much hyped S2 software……
>
> @Ken_Griffiths At this moment I do not have the time to investigate, but are you sure you represent the dangers of SMBv1 right? I seem to remember SMBv1 is also possibly opening up your system to viruses.

If you can show me the evidence to the contrary I will happily stand corrected @106rallye, but my SMB traffic is restricted to transfer of my music inside my secure network - so to intercept it, someone has to first breach the perimeter anyway - my access to the internet is via a third party (paid) monitoring service - my emails are scanned separately before I receive them (paid service too) and like everyone I try to do my level best (within my own knowledge) to stay secure.

I guess anything, or everything, is hackable given time, but I try to apply a bit of common sense. I’m sure even ‘old’ hardware devices on anyone’s network are just as easily hackable too and by old, I mean anything perhaps over 12 months old, as that most probably provides enough time for its vulnerabilities to come to light.

The router Superhub-2 from the ISP provider VirginMedia in the U.K. was recently reported as being hacked, just as an example … but many folk are likely still using that device without addressing its recently identified vulnerability. So if that was my router (it isn’t by the way) I would rush to sort the issue ASAP, but the SMB vulnerability is not one I see as being that urgent… if the hacker can get into my secure network to begin to exploit it, then in my book my security will have already failed anyway.

The SMB issue is certainly not going to turn me away from Sonos, that’s for sure.

Userlevel 7
Badge +22

If you go back and look at past posts on SMB v1 you will see that if Sonos does move to fix it, it will only be for S2 and the Sonos devices that have the internal memory needed to support the newer Linux kernel and the newer Samba software.

That is going to be a major project, lots of details are available in past posts too.

My bottom line is that the SMB v1 issue can be easily worked around and doesn’t require you to set your NAS to unsecure settings or expose your data to SMB v1 related security risks.

I’m just not dumping my house full of Sonos gear when a $35 Canakit Raspberry Pi Zero W kit will fix the problem with a few minutes of setup effort. Cheaper if you don’t need the full kit too.

Pi Setup guide: https://stan-miller.livejournal.com/357.html

Canakit Pi: https://www.amazon.com/CanaKit-Raspberry-Wireless-Complete-Starter/dp/B07CMVDHWB/ref=sr_1_8


You can also just make a dedicated Pi NAS for Sonos by adding an external drive:

https://stan-miller.livejournal.com/650.html

Userlevel 4
Badge +5

GOOD NEWS:

I just received an E-Mail response from SONOS from one that I sent to the CEO.

> S2 supporting SMB 2 and 3 will definitely happen, so I don't think there's an issue with you letting the community know. It's just the timeline that isn't set, so there's no set date.

He was hopeful that this might happen by the end of the year.

The E-Mail came from Matthew G, “SONOS Supervisor Customer Care”.

Userlevel 7
Badge +23

> GOOD NEWS:
>
> I just received an E-Mail response from SONOS from one that I sent to the CEO.
>
> S2 supporting SMB 2 and 3 will definitely happen, so I don't think there's an issue with you letting the community know. It's just the timeline that isn't set, so there's no set date.

Well finally some positive news on this. We know the One SL already has the updated SMB stack, but sadly it is buggy right now. Has anyone tried SMBv2 with a One SL? Maybe that works already. (For an accurate test you would need to power down everything that isn’t a One SL and do a Library Scan).

Userlevel 7
Badge +22

Might be fun to run some network probes against the newest Sonos gear too, see if they can return any OS info that points to changes from older gear.

Userlevel 7
Badge +22

Well I just lost 45 minutes of a long post with the version details from the nmap program, most of the time spent sanitizing personal info from the scans. <word the admins would have to remove!>

What I can recover:

Play 1:

Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16

Arc and One SL:

Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9

Be interesting to see these lines from other Sonos kit, particularly Legacy / S1 stuff.

Command: sudo nmap -A -v -O -sV 172.16.1.122

Since I made a backup of this post it is sure to go with no problems. :-(

Userlevel 7
Badge +21

For me this is great news, not because I need the SMB upgrade; like Ken, I have a sacrificial Raspberry Pi.

However, the fact that Sonos is going to resolve this issue means they are still committed to supporting local music libraries, which is a relief. And who knows, but maybe there will be a voice assistant, which maybe could select music from local libraries?

Userlevel 7
Badge +17

Great news. Would this also mean an end to the 65k limit? Or are these two things not connected?

Userlevel 7
Badge +23

> Great news. Would this also mean an end to the 65k limit? Or are these two things not connected?

Not directly connected, no, but if they are going to crack open local library support anyway then that would be the time to update the file database code as well. We know that S2 devices have a ton more flash and memory, which was one of the problems with fixing it in S1.

It would give more incentive for folks to move to S2 as well.

Userlevel 4
Badge +5

I will try to run NMAP on some of my SONOS equipment to provide some additional details. I still have three Generation 1 Play 5’s that cannot be updated to S2.

Userlevel 7
Badge +22

A lot of the limits on Sonos internal data/storage could be relaxed in S2, much of it wouldn’t even require a newer kernel.

It would take programmer time and testing, which are expensive, so Sonos is only likely to do things that are popular requests.

> GOOD NEWS:
>
> I just received an E-Mail response from SONOS from one that I sent to the CEO.
>
> S2 supporting SMB 2 and 3 will definitely happen, so I don't think there's an issue with you letting the community know. It's just the timeline that isn't set, so there's no set date.
>
> He was hopeful that this might happen by the end of the year.
>
> The E-Mail came from Matthew G, “SONOS Supervisor Customer Care”.

+1

I am the happy owner of an old setup still running S1 (I have a Sonos Connect to feed my HiFi system) and I am using both streaming from online services and my local library (on a NAS).

Recently my girlfriend had an issue with her new MacBook that required updating the minimum SMB version on the NAS to SMB2. Then I realized that the Sonos products couldn't access my local library anymore (stored on the same NAS).

So far I have resisted the incentive to move to S2 since my setup was working perfectly (and I was several times upset about the pushy behavior of the app, but that's another story...). Nonetheless, I understand that 10+ year old products may not be upgradable to run “new” protocols and would consider upgrading my Connect to run S2 if it would allow me to use SMB2/3.

If not, I am not sure what I would do… The RPi solution seems doable, but honestly, given the price tag of Sonos products, I think it shouldn't be required to fiddle with that kind of stuff. I haven’t looked into competition solutions yet, but I probably would.

I’m looking forward to further news from Sonos on this topic.

Userlevel 7
Badge +21

Just buy a cheap NAS for storing your Sonos library only. If you have an old hard drive you could use that. Will work out far cheaper.

Have a look at the competition too, it may suit you, but don’t expect many of them to be working in 10 years time.

Userlevel 7
Badge +22

Cheap NAS is a solution BUT don’t get screwed like I did by WD, they sold me a MyBook Live and quickly stopped offering security updates, making it risky to keep on-line. Then there were the RF noise issues: placing it within a couple of feet of a WiFi device would knock it off line.

The Pi SMB v1 gateway is the cheap solution if you have your music on a NAS already. Very low maintenance, just a few security updates needed if you pick the bare-bones Pi OS.

A Pi SMB v1 server isn’t much more expensive and can use a salvaged hard drive and $10 USB-SATA cable.

Either one of these can be hosted on any SMB v1 capable machine, the same instructions apply.

Many folks are finding switching to the Mac or Windows non-SMB server option is their best option.

What Sonos did that made this mess is what almost every other embedded computer manufacturer did, cheaped out on RAM and ROM, limiting expansion. What Sonos has done differently from any other manufacturer I own gear from is to keep as much old gear usable as possible. Then they throw in the upgrade and trade options that nobody else I use has ever offered.
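A way to confirm that the gateway setup leaves SMB1 enabled only on the Pi and not on the NAS itself: the check below is an added example, not code from this thread or the linked setup guide. It sends one SMB_COM_NEGOTIATE that offers only the SMB1 dialect NT LM 0.12 (the dialect the players use) and classifies the reply; a server that has dropped SMB1 either closes the connection or answers with DialectIndex 0xFFFF, while one that still speaks SMB1 answers with index 0. The host address passed on the command line is an assumption.

```python
import socket
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT1_DIALECT = "NT LM 0.12"  # the SMB1 dialect the players negotiate


def build_smb1_negotiate(dialects=(NT1_DIALECT,)):
    """NetBIOS-framed SMB_COM_NEGOTIATE request offering only `dialects`."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE, 0,  # Command, Status
        0x18, 0xC853,          # Flags, Flags2 (unicode, NT status, long names)
        0, b"\0" * 8,          # PIDHigh, SecurityFeatures
        0, 0, 0xFEFF, 0, 1)    # Reserved, TID, PIDLow, UID, MID
    body = b"".join(b"\x02" + d.encode("ascii") + b"\0" for d in dialects)
    msg = header + struct.pack("<BH", 0, len(body)) + body  # WordCount, ByteCount
    return struct.pack(">I", len(msg)) + msg  # 0x00 type byte + 3-byte length


def classify_negotiate_response(data):
    """Verdict for a reply whose 4-byte NetBIOS header is already stripped."""
    if not data:
        return "closed"        # connection dropped: server refuses SMB1
    if data[:4] == SMB2_MAGIC:
        return "smb2+"         # server answered in SMB2/3 instead
    if data[:4] != SMB1_MAGIC or len(data) < 35:
        return "unknown"
    dialect_index = struct.unpack_from("<H", data, 33)[0]
    return "smb1-refused" if dialect_index == 0xFFFF else "smb1-enabled"


def probe(host, port=445, timeout=5.0):
    """Offer `host` NT LM 0.12 only and classify what it does with that."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            hdr = s.recv(4)
            if len(hdr) < 4:
                return "closed"
            want, data = struct.unpack(">I", hdr)[0] & 0xFFFFFF, b""
            while len(data) < want:
                chunk = s.recv(want - len(data))
                if not chunk:
                    break
                data += chunk
            return classify_negotiate_response(data)
    except (ConnectionError, socket.timeout):
        return "closed"


if __name__ == "__main__":
    import sys  # assumed usage: python3 smb1check.py <nas-or-gateway-address>
    print(probe(sys.argv[1]))  # NAS should give smb1-refused, the Pi gateway smb1-enabled
```

Run it once against the NAS and once against the Pi: only the gateway should come back as smb1-enabled, which is exactly the split the workaround relies on.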

Many thanks for the answers. Indeed a cheap NAS would be an option, but I live in a small flat and try to avoid piling up unnecessary devices. The Pi SMB gateway would work too, especially as I already own one… So I will probably go for that.

> Many folks are finding switching to the Mac or Windows non-SMB server option is their best option.

Could you be more specific? What alternatives do you suggest?

Userlevel 7
Badge +22

Only ones I’m aware of are the Sonos software packages for the Mac or Windows.

https://support.sonos.com/s/downloads?language=en_US

> Only ones I’m aware of are the Sonos software packages for the Mac or Windows.
>
> https://support.sonos.com/s/downloads?language=en_US

I see, thanks.

By the way, I was able to setup my Raspberry Pi to serve the NAS files using SMBv1 thanks to your tutorial, so thanks for that too!

It’s almost reassuring that Sonos will tackle the SMB1 issue (finally!) - almost because we have no committed date yet.

Here’s a thought though… if Sonos have such little regard for the security of your home network, then what sort of regard do you think they have over your data that they hold?

They either haven’t grasped the issue and the risk they are imposing on their customers... or they just don’t care (I think it’s probably the latter…).

Userlevel 7
Badge +22

I’d say it is more likely you haven’t grasped the complexity of the SMB version upgrade issue. It is not a simple swap but requires a massive re-do of the entire Sonos software stack as well as lots of hardware that would need to be replaced.

Go back to 2006 or so and look at some of the older discussions on what would be needed on the hardware and software sides of the issue.

Sonos has been taking hits on this since back then, if it was possible they’d have done this long ago to silence the critics.

Do I want SMB 3 or better yet NFS? Yes.

Am I willing to see all my older Sonos gear become worthless paperweights to get it? No.

The S1 / S2 split is as good as it ever is going to get, the S1 gear is just too limited in memory.

I don’t think YOU’VE grasped the issue here……

  • It’s now 2021, not 2006 - they’ve had 15 years to consider this
  • Redo the ENTIRE software stack? Really? Haven’t they had plenty of time to add this to a release train? Maybe at the time of developing S2? After all, the community have been asking for this for a very long time….
  • In 2006 Sonos was pretty much the only show, now there is far more competition. I put it to you that they, like most companies, probably didn’t care about security of their systems back then (maybe they’re waking up to it now...). Perhaps they still don’t care (I believe they don't) - remember the “Recycle Mode” fiasco? They only started to care when it backfired on them.
  • You might be happy to sacrifice your home security to support your aging systems…. I however would prefer not to. I’m more than happy to see obsolete systems bricked if it means having a more secure system.
  • I don’t get your final comment about the “S1 / S2 split is as good as it ever is going to get” - are you saying S2 supports SMB 2/3? Have I missed an important setting here?

Userlevel 7
Badge +21

You’ve clearly got an axe to grind. If you know exactly what needs to be done and how, why don’t you offer Sonos your technical services?

> You might be happy to sacrifice your home security to support your aging systems…. I however would prefer not to. I’m more than happy to see obsolete systems bricked if it means having a more secure system.

Yes of course you are :joy:

Sonos are more than capable of reaching out to me, if they choose to do so….

Yes I do have an axe to grind here, and a responsibility too.  I’m both a customer and a cyber security expert.  They should be making products and providing services that protect their customers, not ignoring gaping security holes.  It begs the question that if they’re ignoring this then what else are they ignoring?

Look I see you’re a big Sonos fanboi, so I don’t expect you to be bothered by this, although I recommend you should be.

Userlevel 7
Badge +22

No problem with ax grinding, just sucks a bit when you completely fail to understand the issue, even when given (admittedly somewhat minimal) assistance in finding the details.

At this point your posts are basically ranting about things you have failed to understand.

> Haven’t they had plenty of time to add this to a release train?

Seriously, how in the world should Sonos add memory to the old players with a software update?

I guess they could re-write the Linux kernel and the Samba code, trimming non-essential bits, but that is kind of a big job and then they must maintain both forks on their own. Not practical, but at least it is not impossible like the “add memory” option.

> I don’t get your final comment about the “S1 / S2 split is as good as it ever is going to get” - are you saying S2 supports SMB 2/3? Have I missed an important setting here?

Yes. The S1 / S2 split is all about keeping the old S1 gear working as is, while splitting off the more capable S2 gear into a new branch that has the memory space to allow enhancements.

I’m saying the S2 level gear has the memory to support the newer Linux kernel and Samba code needed to enable newer versions of SMB. Not that it is coming soon though.

You could go back either here or in other embedded systems discussions and look at the difficulties, costs and time needed to move an existing hardware platform running a forked and privately patched kernel to a current kernel that includes any of the patches required by the platform.

> You might be happy to sacrifice your home security to support your aging systems…. I however would prefer not to.

Why in the world would I do something like that when it only takes a few minutes and under $50 to install a NAS to SMB v1 gateway eliminating the security issue?