SMB1 Security Issue - LACK OF RESPONSE FROM SONOS

  • 15 August 2021
  • 40 replies
  • 4049 views

Userlevel 3
Badge +5
  1. How many people are considering moving away from SONOS due to the lack of an official response from SONOS on the SMB 1 security issue?
  2. I have been a long time supporter of SONOS and am dismayed at their lack of response to the many threads on the SMB1 security issues.
  3. I use a NAS for my music with SONOS and this was one of the primary reasons for my first purchase when they first introduced the product to the market.
  4. I had already started upgrading my SONOS equipment to support S2 but have halted all purchases until I get an official response to the SMB1 issue.
  5. I have sent an E-Mail to the SONOS CEO requesting an official response and will update this thread when I get a response to my E-Mail.



Userlevel 7
Badge +17

And, just to clarify, if you do not let Sonos connect to your NAS to play your music (a function that is for many also hampered by the 65k limit), but use a computer or Plex, there is no security risk.

Userlevel 7
Badge +22

And, just to clarify, if you do not let Sonos connect to your NAS to play your music (a function that is for many also hampered by the 65k limit), but use a computer or Plex, there is no security risk.


Or use a PC or a Mac.

 

Enabling smbv1 on a NAS is a security risk. smbv2 came out in 2006. It’s a drop in protocol, you don’t have to write it yourself. S2 was no improvement on S1 and in fact the UI of v1 is friendlier. I would like to go back but my s/o updated and now I can’t. wtfbbq, there is no real excuse for having to enable an insecure protocol 15 years after a secure one was released.

It may be a drop in protocol, but that assumes that you have space in the memory of the device to increase the size of the kernel. One presumes that Sonos did not have the available memory to update the kernel. They have, however, indicated that it is being worked on for S2, which does run on devices that have larger memory footprints. 

Userlevel 3
Badge +5

Hey everyone, I’m happy to announce that thanks to the introduction of our S2 platform, we've now added support for SMBv3. Sonos S2 devices will use the highest version of SMB supported by your NAS device. To access this update, you may need to manually change the configuration of your NAS device.

Userlevel 7
Badge +17

@Sotiris C. Are you looking at ending the 65k limit too?

Userlevel 3
Badge +5

Hey @106rallye,

Sotiris C. Are you looking at ending the 65k limit too?

I will forward this as a feature request to our development team.

Userlevel 6
Badge +17

Hey @106rallye,

Sotiris C. Are you looking at ending the 65k limit too?

I will forward this as a feature request to our development team.

For the 82nd time in many years…

:rolling_eyes:

Userlevel 7
Badge +22

@Sotiris C. Are you looking at ending the 65k limit too?

The 64k limit is a tricky one. While the move to S2 means the devices now have the memory and storage for a much larger database, the way IDs and enumeration work is with a DWORD, i.e. a pair of WORDs. Those WORDs are the item index, and of course are limited to 64k. To fix this the DWORDs used on every single playable item would have to be widened to QWORDs throughout the code (so they can store a pair of DWORDs), and much of the Sonos hardware is 32-bit so the overhead in the compiled code is going to be notable. It’s also a wire-protocol change for the UPnP API (something that hasn’t happened in a decade).

It should be trivial to increase the overall size limitations of the music database (thanks to the increase in storage), but breaking the actual 64k track limit is a notable engineering task. I’m not going to hold my breath.
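To make the ID scheme described in the post above concrete, here is an added example. It is my own illustration, not Sonos code, and the field layout (container index in the high half, item index in the low half) is an assumption, since Sonos has not published it. It packs two 16-bit halves into one 32-bit ID, shows how an item index past 65,535 silently aliases an earlier track when the field is simply masked, and compares that with the widened 64-bit layout the post says would be needed.

```python
from __future__ import annotations

import struct

WORD_BITS = 16   # one WORD: the per-item index the post describes
DWORD_BITS = 32  # the widened half of a QWORD ID


def pack_id(container: int, item: int, half_bits: int = WORD_BITS) -> int:
    """Pack a container index and an item index into one ID.

    With half_bits=16 this is the DWORD-of-two-WORDs layout from the post
    (assumed layout, not documented by Sonos). Raises instead of silently
    truncating when either half does not fit.
    """
    limit = (1 << half_bits) - 1
    if not (0 <= container <= limit and 0 <= item <= limit):
        raise OverflowError(
            f"index does not fit in {half_bits} bits: container={container}, item={item}")
    return (container << half_bits) | item


def unpack_id(packed: int, half_bits: int = WORD_BITS) -> tuple[int, int]:
    """Split an ID back into (container, item)."""
    mask = (1 << half_bits) - 1
    return (packed >> half_bits) & mask, packed & mask


def pack_id_truncating(container: int, item: int, half_bits: int = WORD_BITS) -> int:
    """Same layout, but masks the way a store into a C uint16_t field would.

    This is the failure mode behind a 64k limit: item 65536 becomes item 0.
    """
    mask = (1 << half_bits) - 1
    return ((container & mask) << half_bits) | (item & mask)


def build_catalog(track_count: int, container: int = 1,
                  half_bits: int = WORD_BITS) -> dict[int, int]:
    """Index track_count tracks of one container using the truncating pack.

    Returns {id: track_number}. Once track_count exceeds 2**half_bits, later
    tracks alias earlier IDs and overwrite them, so the catalog stops growing.
    """
    catalog: dict[int, int] = {}
    for track in range(track_count):
        catalog[pack_id_truncating(container, track, half_bits)] = track
    return catalog


def wire_size(half_bits: int = WORD_BITS) -> int:
    """Bytes one ID occupies on the wire as two little-endian halves."""
    fmt = {WORD_BITS: "<HH", DWORD_BITS: "<II"}[half_bits]
    return struct.calcsize(fmt)


if __name__ == "__main__":
    n = 70_000  # constructed library size, just over the 16-bit limit
    print(f"16-bit halves index {len(build_catalog(n))} of {n} tracks, "
          f"{wire_size()} bytes per ID")
    print(f"32-bit halves index {len(build_catalog(n, half_bits=DWORD_BITS))} of {n} tracks, "
          f"{wire_size(DWORD_BITS)} bytes per ID")
```

The doubling of `wire_size()` is the point the post makes about the UPnP API: every place an ID crosses the wire or sits in a 32-bit struct has to change width, not just the database.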

One solution is to change your router for one with a USB port. I have a BT router and I have a 2TB hard drive with nothing but my FLAC music library on it plugged into it. I had to enable smbv1 on my PC to map the drive and then disabled it afterwards. If I want to add new FLAC files to my library, I just disconnect it from the router, transfer them across on my PC and then plug it back and rescan the library.

I know this doesn't solve the OP's problem, I'm just offering an alternative solution. It's the best thing I've done Sonos wise. The noise from my NAS was annoying and the HDD which is powered by its USB connection runs silently, sleeps after 20 minutes of inaction and wakes up again within a couple of seconds when called into action again!

It’s almost reassuring that Sonos will tackle the SMB1 issue (finally!) - almost because we have no committed date yet.

Here’s a thought though….if Sonos have such little regard for the security of your home network, then what sort of regard do you think they have over your data that they hold?

They either haven’t grasped the issue and the risk they are imposing on their customers...or they just don’t care (I think its probably the latter…….)

no committed date but already works fine for me as stated here :grin:

 

I’m coming very late to this, as when I first stumbled upon the SMBv1 issue some time ago I just set my SAN to support SMBv1 and didn’t really worry about it, but the issue recurred after updating to Windows 11, and in resolving it the second time I came across this link from Synology, who manufacture my SAN, about how to enable SMB just for a specific IP address range (i.e. devices on your LAN). In case any of the rest of you likewise have a Synology SAN, thought I’d share the link, as it seems to allow both SONOS S1 *and* reasonable security w/out the hassle of configuring a RPi or equivalent as a music server: https://www.synology.com/en-us/security/advisory/Precaution_for_a_PotentialSMBVulnerability 


Sonos has supported SMB v2 and v3 for months.

Note, however, that S1 devices do not have the capability to use anything higher than version 1 of SMB; it does require S2 to use SMB v2 and SMB v3. 
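Whether you restrict SMB1 to a LAN address range as in the Synology post above, or turn it off entirely because your S2 players now negotiate SMB2/3, it is worth checking what the share actually still offers. The following is an added example, my own code and not anything from Sonos, Synology or this thread: it sends a bare SMB1 NEGOTIATE to port 445, offering the classic "NT LM 0.12" dialect alongside "SMB 2.002", and reports whether the server still picks SMB1, answers with an SMB2 negotiate, or refuses/drops the connection. The NAS address is a placeholder; run it from a host inside the LAN.

```python
"""Probe whether an SMB server still negotiates SMB1 (NT LM 0.12)."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Offering "SMB 2.002" alongside NT LM 0.12 lets an SMB2-only server answer
# with an SMB2 NEGOTIATE instead of just closing the socket.
DIALECTS = (b"NT LM 0.12", b"SMB 2.002")


def build_negotiate(dialects=DIALECTS) -> bytes:
    """Build a NetBIOS-framed SMB1 SMB_COM_NEGOTIATE request."""
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2, pid_high,
    # 8-byte signature, 2 reserved, tid, pid, uid, mid (all little-endian).
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE, 0, 0x18, 0xC041, 0, bytes(8), 0, 0, 0xFEFF, 0, 0)
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # dialect strings
    body = bytes([0]) + struct.pack("<H", len(data)) + data    # WordCount=0, ByteCount
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg        # NetBIOS session message


def classify_response(raw: bytes, dialects=DIALECTS) -> str:
    """Classify the server's reply to build_negotiate()."""
    if len(raw) < 8:
        return "no-response"
    msg = raw[4:]  # strip the 4-byte NetBIOS session header
    if msg.startswith(SMB2_MAGIC):
        return "smb2-or-later"
    if not msg.startswith(SMB1_MAGIC) or len(msg) < 35 or msg[4] != SMB_COM_NEGOTIATE:
        return "unexpected"
    # Parameter words follow the 32-byte header and the 1-byte WordCount.
    # DialectIndex is the first word; 0xFFFF means "none of your dialects".
    (dialect_index,) = struct.unpack_from("<H", msg, 33)
    if dialect_index == 0xFFFF:
        return "smb1-refused"
    if dialect_index < len(dialects):
        return "smb1-accepted:" + dialects[dialect_index].decode()
    return "unexpected"


def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the negotiate, classify. Closed/reset counts as no-response."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            return classify_response(s.recv(1024))
    except OSError:  # refused, reset, timeout
        return "no-response"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder NAS address
    print(target, probe(target))
```

"smb1-accepted:NT LM 0.12" means the NAS will still talk SMB1 to whoever reaches port 445 from that host; after you restrict SMB1 to a LAN range or disable it, a probe from anywhere else should come back as "smb2-or-later", "smb1-refused" or "no-response".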

Userlevel 7
Badge +22

Maybe the Admins can lock this thread now? Bruce’s last reply is accurate, succinct and covers the issue entirely.