Sonos Devices Connecting to unsecure IP addresses

Question

I monitor my network traffic and recently received a notification that my Sonos Play 3 was accessing a phishing site at 1:03 AM (a time when the system was not being used). As part of the monitoring I have noticed over time that all my Sonos devices connect to random IP addresses once per hour via port 123 (UDP). It’s my understand this is network time protocol used for synchronization. However after months of monitoring I received the following notification for the first time.

”Device Sonos Play 3 is accessing phishing site 104.236.116.147.“

After further investigation it seems like this IP address (104.236.116.147) has been identified as an unsecured phishing site. I did a Whois search and the domain owner is digital ocean which seems normal for the UDP sync. When navigating to the site via web browser it appears to be a default message saying nginx has been successfully installed.

Has anyone else seen an issue like this or ran into issues with the IP address block 104.236.0.0/16?

icon

Best answer by ratty 20 March 2021, 14:33

View original

ratty · Accepted Answer

The address is a hosting provider, but for some reason has apparently made it onto blacklists. Google blocks it as potentially “deceptive” owing to phishing reports.

There are references to north-america.pool.ntp.org in conjunction with that IP, which seems logical for UDP 123 traffic.

controlav · Answer

What was the Play:3 playing at the time? Sounds like it is probably streaming a url from that address. Do you have the full url it was accessing, or the UDP port number?

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded