Misconfigured Networks Vulnerable to PewDiePie Prank

  • 6 December 2018
  • 42 replies
  • 5185 views

  • Community Manager
We've been investigating a small number of households with improperly configured networks, such that Sonos players and other devices become accessible from the Internet, and someone instigated a prank to play a message in support of YouTube star PewDiePie on those systems. 

This prank is not confined to Sonos, and if a network is set up wrong, household devices may be listed on the public internet, including printers, computers, or smart home devices.

For Sonos devices specifically, the prank allowed unauthorized playback of an audio track. In all cases we have investigated so far, customers experiencing this issue had their Sonos systems inadvertently exposed to the internet due to a router misconfiguration.

We encourage all Sonos users to make sure they are following best practices for securing their home networks and to turn on automatic updates. Best practices include securing their home networks with unique passwords on routers and wireless networks, turning on firewalls, and ensuring caution when making internal devices publicly available, such as through port forwarding or another protocol. 

We are supporting customers on an ongoing basis to help configure their home systems. Our customer care team is available to assist anyone who believes they may have been targeted by this prank.

42 replies

You're confused because you're not paying attention. I never said it was misconfigured; I said even if a "tech" set up a personal (other than ISP) router, the ports on routers (unless the routers themselves are P.O.S.'s, which can be the case) by default are all closed unless the "tech" opens them through CLI or GUI. UPnP systems are designed with "special" circumstances. Sonos has a backdoor into all of their players through their API; this has been exploited... Sonos is just as confused by this as you are.
I'm not surprised that @Airgetlam is confused. You seem to be saying -- in a very confusing manner -- that Sonos devices somehow configure routers to open up UPnP or API access to the open Internet. This is categorically not the case.
Or technically, Sonos. I think it's incredibly kind of them to take on the onus of helping you fix your system, as was offered in the post by Ryan S above.
Hi @Tetriscodes and @bd1, the solution is to make sure that your Sonos players are behind your router and not being put online on the public internet. In every case I've seen so far, it's because the main router of the house was set up as a bridge or had DHCP disabled. This places your Sonos and all other network devices on the wide-open web. If you're not comfortable with checking your network, you're welcome to give us a call and a technician can give you some advice, or you can give your Internet Service Provider a call and they can assist you with making sure your network is protected.
Comcast leverages all their Comcast modems to provide XFINITY wifi. In other words, if you have Comcast then you are subsidizing their XFINITY wifi network by providing free bandwidth through your wifi. Of course they make more money off of XFINITY, which is a separate and distinct service from the regular Comcast package. How they covertly enable XFINITY through the modem/router/wap is unclear. I wonder how many of these hacked Sonoses were on Comcast's ISP.
Which is why I use a modem and separate router on my Xfinity connection, rather than a combination device. I don't want to subsidize their hotspot network (enough of my neighbors do already) and I want full control of my router/firewall.

The XFINITY hotspot network has nothing to do with this Sonos issue. Sonos devices can't even use it because of the username/password login that is required. But for more info, that network is completely separate from your own network. It uses a separate service code over Comcast's network, separate bandwidth from your own service, and a separate IP address range too.
I've always been an advocate for Sonos until yesterday when both my Sonos Ones got hacked via 'Subscribe to PewDiePie' at FOUR AM. My network is password protected already. This is a huge, huge disappointment and makes me wonder if I should continue to purchase your products.
I have been a professional programmer for 15 years, for what it’s worth. I don’t have any ports open. I also accept solicited traffic. I had the hack happen to me. I currently have all 5 of my Sonos unplugged. Idk how this happened. I have an Ecobee and a not webcams exposed outside (cctv).
I have 5 Sonos. 4 get a private IP from my DHCP being enabled. One keeps giving itself a public IP. It is the only device doing this. My router is not in bridge mode. Thoughts?
Check that the router has enough DHCP addresses being distributed total for all devices, and check in the router settings if it has something called DMZ (which is another name for port forwarding), which can individually select devices to assign them public addresses. In the past, I've seen some routers assign DMZ to a device when they shouldn't.


Thank you. Buried in my router, this one device was set to DMZ plus. I couldn’t hit port 1400 from the outside so I’m not entirely sure how they got in. It would be nice if that was secured with some mutual TLS or user pass. I turned off the DMZ plus and rebooted the Sonos and it went back to a private IP. I am wondering how this happened. I’m aware these are sometimes opt-out on some routers but I regularly check to make sure these are shut off. I didn’t physically open them up and I’m at a loss for how it did happen. I hope that all this attack can do is play a song and not run code on my network. Thanks RyanS.
RyanS thank you for your help. ISP router came with Passthrough turned on. Public IP issue fixed. Should have come here first instead of spending way too much time with ISP help line.

Hopefully this is the end of it. Thanks again.
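The check that resolved the two cases above (one player holding a non-private address because of a DMZ or passthrough setting) can be run over a whole device list at once. This is an added example, not part of the original thread; the function names and the sample inventory are assumptions, and the list is assumed to be copied from the router's device table as `name, ip` lines.

```python
import ipaddress

# RFC 1918 ranges a home router hands out via DHCP. Checked explicitly because
# ipaddress.is_private also covers reserved and documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned, no DHCP lease


def classify(ip_text):
    """Return 'private', 'link-local', 'not-private' or 'invalid' for an IPv4 string."""
    try:
        ip = ipaddress.IPv4Address(ip_text.strip())
    except ValueError:
        return "invalid"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip in LINK_LOCAL:
        return "link-local"
    # Anything else means the device is not sitting behind the router's NAT.
    return "not-private"


def audit(inventory):
    """Parse 'name, ip' lines and return (name, ip, verdict) tuples."""
    results = []
    for line in inventory.strip().splitlines():
        name, _, ip = line.rpartition(",")
        results.append((name.strip(), ip.strip(), classify(ip)))
    return results


def needs_attention(inventory):
    """Names of players whose address is anything other than a private lease."""
    return [name for name, _, verdict in audit(inventory) if verdict != "private"]


# Constructed sample: five players, one holding a non-private address.
# 203.0.113.45 is a documentation address standing in for a real public IP.
SAMPLE = """
Living Room, 192.168.1.21
Kitchen, 192.168.1.22
Bedroom, 192.168.1.23
Office, 192.168.1.24
Patio, 203.0.113.45
"""

if __name__ == "__main__":
    for name, ip, verdict in audit(SAMPLE):
        print(f"{name:12} {ip:15} {verdict}")
```

A `not-private` result points at the router settings named in the thread (bridge mode, DMZ, passthrough); a `link-local` result means the player never received a DHCP lease.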
As I said, Sonos didn't work properly until I enabled UPnP in the router; that was back in 2013. So what to do in such a case? On the other hand, I am neither a gamer nor do I own a CCTV system.

I'd try turning it off and see if your Sonos still works; if it does, leave it off. If it doesn't, submit a diagnostic and contact Sonos support for assistance in getting things working properly.
I'm confused. You say the router is misconfigured by someone, and yet you are blaming Sonos, who doesn't do any router configuration.

You're confused because you're not paying attention. I never said it was misconfigured; I said even if a "tech" set up a personal (other than ISP) router, the ports on routers (unless the routers themselves are P.O.S.'s, which can be the case) by default are all closed unless the "tech" opens them through CLI or GUI. UPnP systems are designed with "special" circumstances. Sonos has a backdoor into all of their players through their API; this has been exploited... Sonos is just as confused by this as you are.
Let me say it again, just in case you aren't understanding me, S-O-N-O-S has a vulnerability that has been exposed and it is in their API or UPnP and this exposure appears to be linked to crappy routers with weak UPnP protocols.

Where is this "Sonos vulnerability" of which you speak? 95% of its features are through UPnP APIs, as are many other devices. There is no vulnerability there. Any device API becomes vulnerable when users somehow configure their routers to expose their home networks to the internet at large. It's like leaving your front door open, then complaining when someone walks in that front door and runs off with your "vulnerable" TV.
Any hope this will motivate the developers to give us a username/password for access to our Sonos gear?

And maybe then access to the data that was blocked to protect the stupid users that left their gear open to the world?
The joy of making networking easy is that people not knowledgeable in networking can easily make mistakes jeopardizing the security of their devices. You don't need to create a port forward or inbound firewall rule for your Sonos speaker(s). It's not necessary. They need to be able to communicate out to the internet, but the internet doesn't need to communicate in to them.
I had to just unplug all my Sonos speakers, the prank was waking me up all night. I got so frustrated I almost broke one of my speakers! I don’t know how to stop it. Feels like someone keeps breaking in my house! I really don’t know what to do, so I’m using Alexa for my speakers now. The prank is also getting louder.
Hi rockhasmoney, I just sent you a private message to follow up.
I've always been an advocate for Sonos until yesterday when both my Sonos Ones got hacked via 'Subscribe to PewDiePie' at FOUR AM. My network is password protected already. This is a huge, huge disappointment and makes me wonder if I should continue to purchase your products.

The only way you got hacked is if you opened up your network to outside entry. This has nothing to do with your WiFi password.
I'm curious what drives people to do such foolish things with their networks? There is certainly nothing in the Sonos documentation or manuals to suggest anyone do this.

jsk16 can you give us any information on what inspired you to open your home network (not your WiFi access point) to the world? Did you just do it for your Sonos gear or did you open everything up to outside attack?
I did not do anything to open up my home network. All I did was follow Sonos' instructions to install Sonos Ones...

No router comes standard with the ports wide open to the outside world. You have to manually open it up. Are you running some sort of peer-to-peer BitTorrent service?
I was not contacted today after being told last night via phone help that I would be. My speakers are all sitting unplugged as I await a solution. Although this may not be a Sonos initiated issue, has there been a successful solution presented at this point?
For my own sanity, I’ve seen it mentioned about port forwarding. I have a port forwarded from my router to RDP on my desktop computer. The port isn’t the default RDP port, and my desktop is password protected. It is the only port opened. Is this going to be a problem? My 25 years of computer and networking experience says no, but my thinking is more old school these days.
Not to Sonos, assuming the desktop address is fixed, as it should be for forwarding to work. In any case Ryan's remarked that all the cases seen thus far have been where Sonos devices have been placed outside the router/firewall, on the public internet. TBH it's surprising they worked at all.
Hi @Tetriscodes and @bd1, the solution is to make sure that your Sonos players are behind your router and not being put online on the public internet. In every case I've seen so far, it's because the main router of the house was set up as a bridge or had DHCP disabled. This places your Sonos and all other network devices on the wide-open web. If you're not comfortable with checking your network, you're welcome to give us a call and a technician can give you some advice, or you can give your Internet Service Provider a call and they can assist you with making sure your network is protected.

I have 5 Sonos. 4 get a private IP from my DHCP being enabled. One keeps giving itself a public IP. It is the only device doing this. My router is not in bridge mode. Thoughts?
Has anyone got a technical explanation of how this was done? I found a few articles on it, talking about printers being susceptible as well as Sonos, but I have yet to find a proper breakdown of how the networks were breached. I am guessing that someone managed to use UPnP against routers to open port 1400 to the internet.