Misconfigured Networks Vulnerable to PewDiePie Prank

  • 6 December 2018
  • 42 replies
  • 5208 views

Userlevel 7
Badge +26
  • Community Manager
  • 12081 replies
We've been investigating a small number of households with improperly configured networks, such that Sonos players and other devices become accessible from the Internet, and someone instigated a prank to play a message in support of YouTube star PewDiePie on those systems. 

This prank is not confined to Sonos, and if a network is set up wrong, household devices may be listed on the public internet, including printers, computers, or smart home devices.

For Sonos devices specifically, the prank allowed unauthorized playback of an audio track. In all cases we have investigated so far, customers experiencing this issue had their Sonos systems inadvertently exposed to the internet due to a router misconfiguration.

We encourage all Sonos users to make sure they are following best practices for securing their home networks and to turn on automatic updates. Best practices include securing their home networks with unique passwords on routers and wireless networks, turning on firewalls, and ensuring caution when making internal devices publicly available, such as through port forwarding or another protocol. 

We are supporting customers on an ongoing basis to help configure their home systems. Our customer care team is available to assist anyone who believes they may have been targeted by this prank.


Userlevel 3
Badge +5
My two cents....

Also, when setting up a home network one should always make sure it broadcasts as Private behind your router. Here are the IP address sequences as private: https://www.lifewire.com/what-is-a-public-ip-address-2625974

As is explained in the link Public IP Address sequences are 1 to 191. If your devices show an IP Address as such you are open to the public and/or hacking! :@


Be careful, this is not quite true, the article is correct but the point about the IP Addresses starting 1 to 191 are all public is not correct.

Simply put if your network DHCP server is handing out addresses in the following range they are private

10.0.0.0 to 10.255.255.255.
172.16.0.0 to 172.31.255.255.
192.168.0.0 to 192.168.255.255

The vast majority of addresses outside of these ranges are public addresses.

So a 10.x.x.x address is private
172.27.x.x address is private

As a general rule of thumb, addresses that start:-
10
169
172
192

Are internal, there are exceptions but generally they are ok.

But then it still is not as simple as this as you can have port forwarding, DMZ or NAT configured.

Best to scan your home network from a respected security service eg shields up... others are available
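
The private ranges listed in the reply above, and why the first-number rule of thumb has exceptions, as an added example that is not part of the original thread. The device names and addresses are constructed; 203.0.113.50 is a documentation address standing in for an ISP-assigned public IP.

```python
import ipaddress

# IPv4 blocks that are not routed on the public internet.
NON_PUBLIC = [
    ("private", ipaddress.ip_network("10.0.0.0/8")),      # 10.0.0.0 - 10.255.255.255
    ("private", ipaddress.ip_network("172.16.0.0/12")),   # 172.16.0.0 - 172.31.255.255
    ("private", ipaddress.ip_network("192.168.0.0/16")),  # 192.168.0.0 - 192.168.255.255
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),  # self-assigned, no DHCP lease
    ("carrier-grade NAT", ipaddress.ip_network("100.64.0.0/10")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
]

def classify(addr):
    """Return the block label for an IPv4 address, or 'public'."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    for label, net in NON_PUBLIC:
        if ip in net:
            return label
    return "public"

def first_octet_guess(addr):
    """The thread's rule of thumb: a first number of 10, 169, 172 or 192 means internal."""
    return "internal" if addr.split(".")[0] in {"10", "169", "172", "192"} else "public"

def rule_of_thumb_misses(addrs):
    """Addresses the shortcut calls internal that are actually public."""
    return [a for a in addrs
            if first_octet_guess(a) == "internal" and classify(a) == "public"]

def publicly_addressed(devices):
    """Devices holding a public address, e.g. one placed in the router's DMZ.
    A private address alone does not prove a device is unreachable: port
    forwarding or a DMZ rule on the router can still expose it."""
    return [(name, addr) for name, addr in devices.items()
            if classify(addr) == "public"]

# Constructed inventory, as read from a router's client list.
DEVICES = {
    "Living Room": "192.168.1.23",
    "Kitchen": "10.0.0.14",
    "Bedroom": "172.27.4.9",
    "Office": "203.0.113.50",
}
# Constructed edge cases around the boundaries of each range.
EDGE_CASES = ["172.27.4.9", "172.32.5.1", "169.254.10.2",
              "169.1.2.3", "192.168.0.5", "192.167.0.5"]

if __name__ == "__main__":
    for name, addr in DEVICES.items():
        print(f"{name:12} {addr:15} {classify(addr)}")
    print("rule-of-thumb misses:", rule_of_thumb_misses(EDGE_CASES))
    print("publicly addressed:", publicly_addressed(DEVICES))
```
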
Let me say it again, just in case you aren't understanding me, S-O-N-O-S has a vulnerability that has been exposed and it is in their API or UPnP and this exposure appears to be linked to crappy routers with weak UPnP protocols.

Where is this "Sonos vulnerability" of which you speak? 95% of its features are through UPnP APIs, as are many other devices. There is no vulnerability there. Any device API becomes vulnerable when users somehow configure their routers to expose their home networks to the internet at large. It's like leaving your front door open, then complaining when someone walks in that front door and runs off with your "vulnerable" TV.
I agree and there is no point anyone blaming things like a 'crappy router' etc. Network security is (and always will be) down to the network owner/administrator. There are plenty of things on the market to help keep a LAN secure. Sonos cannot be held to account for other people’s own failures. The Sonos devices are designed to run on a 'secure' network, not one which has vulnerabilities, nor one that is incorrectly configured by its owner.

I have still not seen any such report that a Sonos System is now vulnerable on a correctly secured network.
Userlevel 7
Badge +21
Let me say it again, just in case you aren't understanding me, S-O-N-O-S has a vulnerability that has been exposed and it is in their API or UPnP and this exposure appears to be linked to crappy routers with weak UPnP protocols.

Where is this "Sonos vulnerability" of which you speak? 95% of its features are through UPnP APIs, as are many other devices. There is no vulnerability there. Any device API becomes vulnerable when users somehow configure their routers to expose their home networks to the internet at large. It's like leaving your front door open, then complaining when someone walks in that front door and runs off with your "vulnerable" TV.
You're confused because you're not paying attention, I never said it was misconfigured, I said even if a "tech" set up a personal (Other than ISP) router the ports on routers (unless the routers themselves are P.O.S's, which can be the case) by default are all closed unless the "tech" opens them through CLI or GUI, UPnP systems are designed with "special" circumstances, Sonos has a backdoor into all of their players through their API, this has been exploited...Sonos is just as confused by this as you are.
I'm not surprised that @Airgetlam is confused. You seem to be saying -- in a very confusing manner -- that Sonos devices somehow configure routers to open up UPnP or API access to the open Internet. This is categorically not the case.


You guys seem to have comprehension issues, here we go: What I said was the UPnP or API of Sonos has a vulnerability that is being exploited, where did you ever see that I said Sonos configured anything???? Let me say it again, just in case you aren't understanding me, S-O-N-O-S has a vulnerability that has been exposed and it is in their API or UPnP and this exposure appears to be linked to crappy routers with weak UPnP protocols.
Userlevel 7
Badge +20
You're confused because you're not paying attention, I never said it was misconfigured, I said even if a "tech" set up a personal (Other than ISP) router the ports on routers (unless the routers themselves are P.O.S's, which can be the case) by default are all closed unless the "tech" opens them through CLI or GUI, UPnP systems are designed with "special" circumstances, Sonos has a backdoor into all of their players through their API, this has been exploited...Sonos is just as confused by this as you are.
I'm not surprised that @Airgetlam is confused. You seem to be saying -- in a very confusing manner -- that Sonos devices somehow configure routers to open up UPnP or API access to the open Internet. This is categorically not the case.
I'm confused. You say the router is misconfigured by someone, and yet you are blaming Sonos, who doesn't do any router configuration.

You're confused because you're not paying attention, I never said it was misconfigured, I said even if a "tech" set up a personal (Other than ISP) router the ports on routers (unless the routers themselves are P.O.S's, which can be the case) by default are all closed unless the "tech" opens them through CLI or GUI, UPnP systems are designed with "special" circumstances, Sonos has a backdoor into all of their players through their API, this has been exploited...Sonos is just as confused by this as you are.
I'm confused. You say the router is misconfigured by someone, and yet you are blaming Sonos, who doesn't do any router configuration.
Or technically, Sonos. I think it's incredibly kind of them to take on the onus of helping you fix your system, as was offered in the post by Ryan S above.




When a person states that they have a router in use other than the one issued by the ISP this "usually" means that the router in use set up by a "tech" person and in general most routers no matter the brand come out of the box with no "open" ports until they are set up to be open through CLI or GUI, so Sonos is NOT doing anything to help by blaming other products. It is the backbone of the API of Sonos that is causing this.
I'd try turning it off and see if your Sonos still works, if it does leave it off. If it doesn't submit a diagnostic and contact Sonos support for assistance in getting things working properly.
Thanks, Stanley, but I have no problems with the Sonos system and I don't mind leaving UPnP turned on. I try to keep everything up-to-date and I believe that that is a dependable precautionary measure.
Userlevel 7
Badge +21
As I said, Sonos didn't work properly until I've enabled UPnP in the router; that was back in 2013. So what to do in such case? On the other hand I am neither a gamer nor do I own a CCTV system.

I'd try turning it off and see if your Sonos still works, if it does leave it off. If it doesn't submit a diagnostic and contact Sonos support for assistance in getting things working properly.
Userlevel 7
Badge +21
Comcast leverages all their Comcast modems to provide XFINITY wifi. In other words, if you have Comcast then you are subsidizing their XFINITY wifi network by providing free bandwidth through your wifi. Of course they make more money off of XFINITY which is a separate and distinct service from the regular Comcast package. How they covertly enable XFINITY through the modem/router/wap is unclear. I wonder how many of these hacked Sonoses were on Comcast's ISP.
Which is why I use a modem and separate router on my Xfinity connection, rather than a combination device. I don't want to subsidize their hotspot network (enough of my neighbors do already) and I want full control of my router/firewall.

The XFINITY hotspot network has nothing to do with this Sonos issue. Sonos devices can't even use it because of the username/password login that is required. But for more info, that network is completely separate from your own network. It uses a separate service code over Comcast's network, separate bandwidth from your own service, and a separate IP address range too.
Userlevel 7
Badge +20
Comcast leverages all their Comcast modems to provide XFINITY wifi. In other words, if you have Comcast then you are subsidizing their XFINITY wifi network by providing free bandwidth through your wifi. Of course they make more money off of XFINITY which is a separate and distinct service from the regular Comcast package. How they covertly enable XFINITY through the modem/router/wap is unclear. I wonder how many of these hacked Sonoses were on Comcast's ISP.
Virgin Media in the UK does something similar with its cable network. In Virgin's case, the bandwidth does not come out of the subscriber's bandwidth allowance (they reserve an extra 20Mb/s), and the network access provided is entirely separate from the internal domestic network -- as it should be. It's also optional.

I think it's highly unlikely that the XFINITY service has been exploited for these attacks.
Userlevel 1
Badge +3
Comcast leverages all their Comcast modems to provide XFINITY wifi. In other words, if you have Comcast then you are subsidizing their XFINITY wifi network by providing free bandwidth through your wifi. Of course they make more money off of XFINITY which is a separate and distinct service from the regular Comcast package. How they covertly enable XFINITY through the modem/router/wap is unclear. I wonder how many of these hacked Sonoses were on Comcast's ISP.
UPnP is used for two things here: the first is the way Sonos devices communicate with each other. It is absolutely required. The "dangerous" UPnP is when routers allow their configurations to be changed via UPnP, to open ports in particular. Devices such as Xbox like to do this in order to produce "open nats" for better multi-player, and security NVR systems use it to allow you to view your videos from the internet at large. However allowing any device on your local network to control your router is hazardous, and I would recommend everyone disable that UPnP feature.
As I said, Sonos didn't work properly until I've enabled UPnP in the router; that was back in 2013. So what to do in such case? On the other hand I am neither a gamer nor do I own a CCTV system.
Userlevel 7
Badge +21
UPnP is used for two things here: the first is the way Sonos devices communicate with each other. It is absolutely required. The "dangerous" UPnP is when routers allow their configurations to be changed via UPnP, to open ports in particular. Devices such as Xbox like to do this in order to produce "open nats" for better multi-player, and security NVR systems use it to allow you to view your videos from the internet at large. However allowing any device on your local network to control your router is hazardous, and I would recommend everyone disable that UPnP feature.
Yet.
With SMBv1 enabled at that time, I wasn't even exposed to the 'Wannacry' attacks back then. I suppose that's due to the router's built-in firewall doing its job.
Yet.
[...] Also, never ever turn on upnp unless you absolutely know what you are doing.
Sonos didn't work properly until I've turned UPnP on. I've never been hacked.
Userlevel 7
Networking is so very complex that your average user has no idea how to secure a network. Many will blindly open ports because "that's what they were told to do"
If you really need ports open you need to educate yourself as to what you are doing.
Sonos is not to blame here. This is nothing to do with them.
So if you have been hacked the first thing you should do is unplug your router, not the speakers. Your network is open.
I suggest as standard practice you need to do a factory reset on your router that is your firewall...you do have a firewall? Surprising how many don't. Then upgrade to the latest firmware. If your router is 5+ years old it may be time to invest in a new one.
Also, never ever turn on upnp unless you absolutely know what you are doing.


Hi Tigertron

You are either new to the community or have never had a reason to join in the conversations until now. Whatever the "why" I just want to say "Welcome". Also I'd like to add that in addition to disabling UPnP there's one more that is easily overlooked but used quite often by the novice for convenience, that being Wi-Fi Protected Setup (WPS). I always recommend disabling WPS and encourage users to learn how to connect their devices manually to their network.
Networking is so very complex that your average user has no idea how to secure a network. Many will blindly open ports because "that's what they were told to do"
If you really need ports open you need to educate yourself as to what you are doing.
Sonos is not to blame here. This is nothing to do with them.
So if you have been hacked the first thing you should do is unplug your router, not the speakers. Your network is open.
I suggest as standard practice you need to do a factory reset on your router that is your firewall...you do have a firewall? Surprising how many don't. Then upgrade to the latest firmware. If your router is 5+ years old it may be time to invest in a new one.
Also, never ever turn on upnp unless you absolutely know what you are doing.
Userlevel 7
Badge +26
Great to hear you're all set!
RyanS thank you for your help. ISP router came with Passthrough turned on. Public IP issue fixed. Should have come here first instead of spending way too much time with ISP help line.

Hopefully this is the end of it. Thanks again.
I have 5 Sonos. 4 get a private IP from my DHCP being enabled. One keeps giving itself a public IP. It is the only device doing this. My router is not in bridgemode. Thoughts?
Check that the router has enough DHCP addresses being distributed total for all devices, and check in the router settings if it has something called DMZ (which is another name for port forwarding), which can individually select devices to assign them public addresses. In the past, I've seen some routers assign DMZ to a device when they shouldn't.


Thank you. Buried in my router this one device was set to DMZ plus. I couldn’t hit port 1400 from the outside so I’m not entirely sure how they got in. It would be nice if that was secured with some mutualTLS or user pass. I turned off the DMZ plus and rebooted the Sonos and it went back to a private IP. I am wondering how this happened. I’m aware these are sometimes Opt out on some routers but I regularly check to make sure these are shut off. I didn’t physically open them up and I’m at a loss for how it did happen. I hope that all this attack can do is play a song and not run code on my network. Thanks RyanS.
Userlevel 7
My two cents....

In my experience ISPs that supply a modem/router combo unit will allow you to use your own router; but will always place it in bridge mode. Therein lies a major problem for public exposure. I have always opted to demand they allow me to turn off the Wi-Fi portion in their modem/router combo unit which allows me to set my router in router mode. The router IP Configuration Address (not to be confused with the Wi-Fi SSID/Password) is password protected as well.

Also, when setting up a home network one should always make sure it broadcasts as Private behind your router. Here are the IP address sequences as private: https://www.lifewire.com/what-is-a-public-ip-address-2625974

As is explained in the link Public IP Address sequences are 1 to 191. If your devices show an IP Address as such you are open to the public and/or hacking! 😠
Userlevel 7
Badge +26
I have 5 Sonos. 4 get a private IP from my DHCP being enabled. One keeps giving itself a public IP. It is the only device doing this. My router is not in bridgemode. Thoughts?
Check that the router has enough DHCP addresses being distributed total for all devices, and check in the router settings if it has something called DMZ (which is another name for port forwarding), which can individually select devices to assign them public addresses. In the past, I've seen some routers assign DMZ to a device when they shouldn't.
