SMB1 Security Issue - LACK OF RESPONSE FROM SONOS

  • 15 August 2021
  • 40 replies
  • 6566 views

Userlevel 4
Badge +6
  1. How many people are considering moving away from SONOS due to the lack of an official response from SONOS on the SMB 1 security issue?
  2. I have been a long time supporter of SONOS and am dismayed at their lack of response to the many threads on the SMB1 security issues.
  3. I use a NAS for my music with SONOS and this was one of the primary reasons for my first purchase when they first introduced the product to the market.
  4. I had already started upgrading my SONOS equipment to support S2 but have halted all purchases until I get an official response to the SMB1 issue.
  5. I have sent an E-Mail to the SONOS CEO requesting an official response and will update this thread when I get a response to my E-Mail.


Userlevel 7
Badge +23

Maybe the Admins can lock this thread now? Bruce’s last reply is accurate, succinct and covers the issue entirely.

Note, however, that S1 devices do not have the capability to use anything higher than the version 1 of SMB, it does require S2 to use SMB v2 and SMB v3. 

[quote]I’m coming very late to this, as when I first stumbled upon the SMBv1 issue some time ago I just set my SAN to support SMBv1 and didn’t really worry about it, but the issue recurred after updating to Windows 11, and in resolving it the second time I came across this link from Synology, who manufacture my SAN, about how to enable SMB just for a specific IP address range (i.e. devices on your LAN) - in case any of the rest of you likewise have a Synology SAN, I thought I’d share the link, as it seems to allow both SONOS S1 *and* reasonable security w/out the hassle of configuring a RPi or equivalent as a music server. https://www.synology.com/en-us/security/advisory/Precaution_for_a_PotentialSMBVulnerability[/quote]


Sonos has supported SMB v2 and v3 for months.

I’m coming very late to this, as when I first stumbled upon the SMBv1 issue some time ago I just set my SAN to support SMBv1 and didn’t really worry about it, but the issue recurred after updating to Windows 11, and in resolving it the second time I came across this link from Synology, who manufacture my SAN, about how to enable SMB just for a specific IP address range (i.e. devices on your LAN) - in case any of the rest of you likewise have a Synology SAN, I thought I’d share the link, as it seems to allow both SONOS S1 *and* reasonable security w/out the hassle of configuring a RPi or equivalent as a music server. https://www.synology.com/en-us/security/advisory/Precaution_for_a_PotentialSMBVulnerability

 

[quote]It’s almost reassuring that Sonos will tackle the SMB1 issue (finally!) - almost because we have no committed date yet.

Here’s a thought though….if Sonos have such little regard for the security of your home network, then what sort of regard do you think they have over your data that they hold?

They either haven’t grasped the issue and the risk they are imposing on their customers...or they just don’t care (I think it’s probably the latter…….)[/quote]

No committed date, but it already works fine for me as stated here :grin:

 
Userlevel 5
Badge +3

One solution is to change your router for one with a USB port. I have a BT router and I have a 2TB hard drive with nothing but my FLAC music library on it plugged into it. I had to enable smbv1 on my PC to map the drive and then disabled it afterwards. If I want to add new FLAC files to my library, I just disconnect it from the router, transfer them across on my PC and then plug it back in and rescan the library.

I know this doesn't solve the OP's problem, I'm just offering an alternative solution. It's the best thing I've done Sonos wise. The noise from my NAS was annoying and the HDD which is powered by its USB connection runs silently, sleeps after 20 minutes of inaction and wakes up again within a couple of seconds when called into action again!

Userlevel 7
Badge +23

[quote]@Sotiris C. Are you looking at ending the 65k limit too?[/quote]

The 64k limit is a tricky one. While the move to S2 means the devices now have the memory and storage for a much larger database, the way IDs and enumeration work is with a DWORD, i.e. a pair of WORDs. Those WORDs are the item index, and of course are limited to 64k. To fix this the DWORDs used on every single playable item would have to be widened to QWORDs throughout the code (so they can store a pair of DWORDs), and much of the Sonos hardware is 32-bit so the overhead in the compiled code is going to be notable. It’s also a wire-protocol change for the UPnP API (something that hasn’t happened in a decade).

It should be trivial to increase the overall size limitations of the music database (thanks to the increase in storage), but breaking the actual 64k track limit is a notable engineering task. I’m not going to hold my breath.

Userlevel 7
Badge +18

[quote]Hey @106rallye,

[quote]Sotiris C. Are you looking at ending the 65k limit too?[/quote]

I will forward this as a feature request to our development team.[/quote]

For the 82nd time in many years…

:rolling_eyes:

Userlevel 7
Badge +14

Hey @106rallye,

[quote]Sotiris C. Are you looking at ending the 65k limit too?[/quote]

I will forward this as a feature request to our development team.

Userlevel 7
Badge +17

@Sotiris C. Are you looking at ending the 65k limit too?

Userlevel 7
Badge +14

Hey everyone, I’m happy to announce that thanks to the introduction of our S2 platform, we've now added support for SMBv3. Sonos S2 devices will use the highest version of SMB supported by your NAS device. To access this update, you may need to manually change the configuration of your NAS device.

It may be a drop in protocol, but that assumes that you have space in the memory of the device to increase the size of the kernel. One presumes that Sonos did not have the available memory to update the kernel. They have, however, indicated that it is being worked on for S2, which does run on devices that have larger memory footprints. 

Enabling smbv1 on a NAS is a security risk. smbv2 came out in 2006. It’s a drop-in protocol, you don’t have to write it yourself. S2 was no improvement on S1 and in fact the UI of v1 is friendlier. I would like to go back but my s/o updated and now I can’t. wtfbbq, there is no real excuse for having to enable an insecure protocol 15 years after a secure one was released.

Userlevel 7
Badge +23

[quote]And, just to clarify, if you do not let Sonos connect to your NAS to play your music (a function that is for many also hampered by the 65k limit), but use a computer or Plex, there is no security risk.[/quote]


Or use a PC or a Mac.

 

Userlevel 7
Badge +17

And, just to clarify, if you do not let Sonos connect to your NAS to play your music (a function that is for many also hampered by the 65k limit), but use a computer or Plex, there is no security risk.

Userlevel 7
Badge +22

No problem with ax grinding, just sucks a bit when you completely fail to understand the issue, even when given (admittedly somewhat minimal) assistance in finding the details.

At this point your posts are basically ranting about things you have failed to understand.

[quote]Haven’t they had plenty of time to add this to a release train?[/quote]

Seriously how in the world should Sonos add memory to the old players with a software update?

I guess they could re-write the Linux kernel and the Samba code trimming non-essential bits but that is kind of a big job and then they must maintain both forks on their own. Not practical, but at least it is not as impossible as the “add memory” option.

[quote]I don’t get what your final comment about the “S1 / S2 split is as good as it ever is going to get”  are you saying S2 supports SMB 2/3?  Have I missed an important setting here?[/quote]

Yes. The S1 / S2 split is all about keeping the old S1 gear working as is, while splitting off the more capable S2 gear into a new branch that has the memory space to allow enhancements.

I’m saying the S2 level gear has the memory to support the newer Linux kernel and Samba code needed to enable newer versions of SMB. Not that it is coming soon though.

You could go back either here or in other embedded systems discussions and look at the difficulties, costs and time needed to move an existing hardware platform running a forked and privately patched kernel to a current kernel that includes any of the patches required by the platform.

[quote]You might be happy to sacrifice your home security to support your aging systems….I however would prefer not to.[/quote]

Why in the world would I do something like that when it only takes a few minutes and under $50 to install a NAS to SMB v1 gateway eliminating the security issue?

Sonos are more than capable of reaching out to me, if they choose to do so….

Yes I do have an axe to grind here, and a responsibility too.  I’m both a customer and a cyber security expert.  They should be making products and providing services that protect their customers, not ignoring gaping security holes.  It begs the question that if they’re ignoring this then what else are they ignoring?

Look I see you’re a big Sonos fanboi, so I don’t expect you to be bothered by this, although I recommend you should be.

Userlevel 7
Badge +21

You’ve clearly got an axe to grind. If you know exactly what needs to be done and how, why don’t you offer Sonos your technical services?

[quote]You might be happy to sacrifice your home security to support your aging systems….I however would prefer not to.  I’m more than happy to see obsolete systems bricked if it means having a more secure system.[/quote]

Yes of course you are :joy:

I don’t think YOU’VE grasped the issue here……

  • It’s now 2021, not 2006 - they’ve had 15 years to consider this
  • Redo the ENTIRE software stack?  Really? Haven’t they had plenty of time to add this to a release train?  Maybe at the time of developing S2?  After all the community have been asking for this for a very long time….
  • In 2006 Sonos was pretty much the only show, now there is far more competition.  I put it to you that they, like most companies, probably didn’t care about security of their systems back then (maybe they’re waking up to it now...).  Perhaps they still don’t care (I believe they don't) - remember the “Recycle Mode” fiasco?  They only started to care when it backfired on them.
  • You might be happy to sacrifice your home security to support your aging systems….I however would prefer not to.  I’m more than happy to see obsolete systems bricked if it means having a more secure system.
  • I don’t get what your final comment about the “S1 / S2 split is as good as it ever is going to get”  are you saying S2 supports SMB 2/3?  Have I missed an important setting here?
Userlevel 7
Badge +22

I’d say it is more likely you haven’t grasped the complexity of the SMB version upgrade issue. It is not a simple swap but requires a massive re-do of the entire Sonos software stack as well as lots of hardware that would need to be replaced.

Go back to 2006 or so and look at some of the older discussions on what would be needed on the hardware and software sides of the issue.

Sonos has been taking hits on this since back then, if it was possible they’d have done this long ago to silence the critics.

Do I want SMB 3 or better yet NFS? Yes.

Am I willing to see all my older Sonos gear become worthless paperweights to get it? No.

The S1 / S2 split is as good as it ever is going to get, the S1 gear is just too limited in memory.

It’s almost reassuring that Sonos will tackle the SMB1 issue (finally!) - almost because we have no committed date yet.

Here’s a thought though….if Sonos have such little regard for the security of your home network, then what sort of regard do you think they have over your data that they hold?

They either haven’t grasped the issue and the risk they are imposing on their customers...or they just don’t care (I think it’s probably the latter…….)

[quote]Only ones I’m aware of are the Sonos software packages for the Mac or Windows.

https://support.sonos.com/s/downloads?language=en_US[/quote]


I see, thanks.

By the way, I was able to setup my Raspberry Pi to serve the NAS files using SMBv1 thanks to your tutorial, so thanks for that too!

Userlevel 7
Badge +22

Only ones I’m aware of are the Sonos software packages for the Mac or Windows.

https://support.sonos.com/s/downloads?language=en_US

Many thanks for the answers. Indeed a cheap NAS would be an option, but I live in a small flat and try to avoid piling up unnecessary devices. The Pi SMB gateway would work too, especially as I already own one… So I will probably go for that.

> Many folks are finding switching to the Mac or Windows non-SMB server option is their best option.

Could you be more specific? What alternatives do you suggest?

Userlevel 7
Badge +22

Cheap NAS is a solution BUT don’t get screwed like I did by WD, they sold me a MyBook Live and quickly stopped offering security updates making it risky to keep on-line. Then there were the RF noise issues, placing within a couple feet of a WiFi device would knock it off line.

The Pi SMB v1 gateway is the cheap solution if you have your music on a NAS already. Very low maintenance, just a few security updates needed if you pick the bare-bones Pi OS.

A Pi SMB v1 server isn’t much more expensive and can use a salvaged hard drive and $10 USB-SATA cable.

Either one of these can be hosted on any SMB v1 capable machine, the same instructions apply.

Many folks are finding switching to the Mac or Windows non-SMB server option is their best option.
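Two of the mitigations discussed in this thread, limiting SMB to a specific LAN address range (the Synology advisory approach from the post about the SAN) and running a small SMB v1 gateway or server on a Pi, both come down to what ends up in the Samba configuration. The script below is an added example, not code from this thread, from Sonos, or from Synology. It parses a Samba smb.conf, reports whether `server min protocol` still admits an SMB1 dialect, and checks that every share's `hosts allow` list is confined to private ranges (the Samba prefix form such as `192.168.1.` is handled). The directive names are real Samba options; the three sample configurations, the share paths and the address ranges are constructed for the demo.

```python
import ipaddress
import re

# Dialects that Samba treats as SMB1 when given to "server min protocol".
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}} with normalised keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and internal whitespace in option names.
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def parse_hosts_allow(value):
    """Turn a 'hosts allow' value into ip_network objects (None = non-IP entry)."""
    nets = []
    for entry in re.split(r"[\s,]+", value.strip()):
        if not entry:
            continue
        if entry.upper() == "EXCEPT":
            break                                # exclusions follow; they only narrow access
        if entry.endswith("."):                  # Samba prefix form, e.g. 192.168.1.
            octets = entry.rstrip(".").split(".")
            entry = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            nets.append(None)                    # hostname or netgroup; not resolvable offline
    return nets


def audit_smb_conf(text):
    """Return a list of findings; an empty list means no SMB1 exposure was found."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    # "min protocol" is the older synonym for "server min protocol".
    min_proto = g.get("server min protocol", g.get("min protocol"))
    if min_proto is None:
        findings.append("server min protocol not set: relies on the Samba default "
                        "(SMB2_02 since Samba 4.11, SMB1 on older releases)")
        return findings
    if min_proto.upper() not in SMB1_DIALECTS:
        return findings                          # SMB1 dialects are never negotiated
    findings.append(f"SMB1 enabled: server min protocol = {min_proto}")
    for name, share in conf.items():
        if name == "global":
            continue
        # A 'hosts allow' in [global] applies to every share and overrides per-share values.
        allow = g.get("hosts allow") or share.get("hosts allow")
        if not allow:
            findings.append(f"[{name}]: no 'hosts allow', reachable from any address")
            continue
        for net in parse_hosts_allow(allow):
            if net is None:
                findings.append(f"[{name}]: non-IP 'hosts allow' entry, scope unverified")
            elif not (net.is_private or net.is_loopback):
                findings.append(f"[{name}]: 'hosts allow' includes public range {net}")
    return findings


# Constructed sample: SMB1 switched on for an S1 player, no address restriction.
OPEN_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
[music]
   path = /srv/music
   read only = yes
"""

# Constructed sample: the same share limited to the home LAN and loopback.
LAN_CONF = """
[global]
   workgroup = WORKGROUP
   server min protocol = NT1
   hosts allow = 192.168.1. 127.0.0.1
   hosts deny = ALL
[music]
   path = /srv/music
   read only = yes
"""

# Constructed sample: SMB2/3 only, what a NAS can run once every player is on S2.
SMB2_CONF = """
[global]
   server min protocol = SMB2
[music]
   path = /srv/music
"""

if __name__ == "__main__":
    for label, conf in [("open", OPEN_CONF), ("lan", LAN_CONF), ("smb2", SMB2_CONF)]:
        print(label, audit_smb_conf(conf) or ["ok"])
```

Run it against your own file with `audit_smb_conf(open("/etc/samba/smb.conf").read())`. The LAN-restricted configuration still reports that SMB1 is enabled, which is the point: address restriction limits who can reach the share but does not make the protocol itself safe, so the finding should stay visible until the share can be moved to SMB2 or higher.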

 

What Sonos did that made this mess is what almost every other embedded computer manufacturer did, cheaped out on RAM and ROM, limiting expansion. What Sonos has done differently from any other manufacturer I own gear from is to keep as much old gear usable as possible. Then they throw in the upgrade and trade options that nobody else I use has ever offered.