For security reasons I want to move all my Internet of Things (IoT) devices, including my Sonos speakers and Arc soundbar, off my main wifi network and onto a guest (vlan) network. Sonos documentation states that Sonos speakers must be on the same network as the device that runs the Sonos controller app. That’s a problem for me, since I want my iPad to be on my main wifi network, not on my IoT network. Is there any way to adjust my router settings so that the Sonos controller app on my iPad can see the Sonos speakers on the IoT network? All my other IoT devices work this way by default. So I’m hoping it is possible for my Sonos speakers too.
Answered
Putting Sonos speakers on different wifi network than the Sonos controller app
Best answer by Mr. T
You could try using the web app instead for basic control of the system.
Not that I’m aware of, no. Sonos requires the speakers, and the controllers to be on the same subnet, and have access to the Internet, not only to check for updates, but to access streams.
To my knowledge, most ‘guest’ networks are set up by the router to offer client isolation, with only a connection between a device, and the Internet, but not additional things on the network, like your Sonos devices, so the controller won’t connect to anything.
Unfortunately, I don’t see an easy answer to your desire. Sonos has chosen this setup, there aren’t easy, if any, ways to get around it. If this is a ‘must’ for you, I’d encourage you to seek elsewhere to acheive this kind of setup, although I don’t know of any that allow this oddity.
Bruce
What security problem with your Sonos are you trying to deal with?
You could add a second conventional, not guest, wifi on a second LAN then put your Sonos and Controllers on it, NAS too if you have a music library. Then isolate that wifi/LAN from the rest of your network. You do not want to daisy-chain routers a d have a double-NAT situation though.
You could switch your controller device between WiFi’s as necessary or add a cheap phone dedicated to the SONOS WIFi. For Volume Up/Down and other simple commands you could add one or more 3rd party micro controller(s).
Thanks all for your thoughts. Smart devices don't get many if any security updates and so are considered good targets for hackers. So it's good practice not to let them have access to the traffic on your main network, where sensitive info might be transmitted in the clear. I would also like to have all my smart devices on the same subnet, so they can all be controlled via a Home Assistant installation already running on that subnet. What you are all telling me is that this isn't possible with Sonos devices. Design flaw in my estimation. My Ecobee thermostat is very happy running on my IoT subnet, but can still be controlled from the Ecobee app on my iPad, which runs on a different subnet. Same for several other smart devices.
I’m curious, what do you base your statement regarding the number of security updates? And if they’re hacked, are you concerned about someone else playing your music?
Could be a ‘design flaw’ as you say, the basic design of the system was developed back in the early 2000s, and to my knowledge hasn’t been re-done, due, I’d assume to the fact that there just isn’t any risk, but I’m not a security expert. There was a time when folks were setting them up exposed to the outside world, on the incorrect side of the DMZ, but to my knowledge, Sonos closed that hole.
I hope you find a system that fits your use case.
The only basis for my statement re security updates is having read claims to this effect across a fair number of security-related web sites. I have no idea whether the problem extends to Sonos devices (I was actually hoping someone might tell me that their devices get regular updates). But, really, ask yourself how many times you’ve been asked to approve a firmware update for your Blink camera, smart-lighting controller or remote-operable oven? And then compare that with the number of updates you’ve had to approve for your tablet or computer (if you haven’t set them to update automatically).
If any device on the network is hacked, it could be used to inspect all traffic travelling across that network. So hackers could potentially read any unencrypted traffic, like email or texts. In this way they might get enough info to impersonate me with, say, my bank, or to pull off some 2FA codes for an attempted purchase on my VISA card.
Yes, Sonos developed its systems early enough that problems like this surely never occurred to them. I have no idea how deeply-embedded this particular design choice is in their software and hardware. Could be an easy fix at their end, or maybe not.
Updates come out every two weeks, give or take. You can see some data here for the controller, and here for firmware. Note that the dates in these links are US (month/day/year). I’ve never seen Sonos as having access to those things you mention, just music, but as I say, I’m no security expert. Would seem odd that a device that has access only to music streams would allow access to all those other things. I’d have thought that restriction was fairly well embedded from the beginning, so that ‘hacked’ devices wouldn’t expose all the data on your network…plus the simple fact that music speakers don’t need or even want that level of access. But there are others who likely can carry that further, as I say, I’m no network expert.
I think you’re taking things way beyond the point it makes sense, but that’s up to you. As I say, I hope you find what you’re looking for.
Have some good Sonos security reading:
Overview: https://www.cvedetails.com/vendor/19031/Sonos.html
Specific: https://www.cvedetails.com/vulnerability-list/vendor_id-19031/Sonos.html
As you read these you may notice that having your Sonos on a dedicated LAN won't impact some vulnerabilities. It will impact others, so if you are worried enough about them the second LAN makes sense, but then all vulnerable devices should be on it, including phones, tablets and desk and laptop computers.
The ideal situation is every device on a different LAN, blocked from access to all other LANs and Internet access granted only through a completely locked down firewall. Communications between devices would be by removable media that is scanned for possible compromise before any access to it is allowed. (Been there, done that, it sucked)
Personally, my Sonos are behind a reasonably configured firewall which prevents access from outside sources. My personal wifi is private and guests use a guest wifi so I need not worry about their compromising my systems. That also prevents them from doing a drunken drive-by at 2 AM and messing with my Sonos. I have no Ethernet ports accessible outside my home so with the wifi setup the way it is I'm not concerned about same-LAN attacks. I was quite vocal in the bunch of us users that wanted no mike or a hardware switch disabled microphone. I normally have mine switched off.
You could try using the web app instead for basic control of the system.
Probably routed via cloud in that case...
+24
Probably routed via cloud in that case...
Exactly. Sonos uses device-to-device networking, so VLANs will break that if the app is on a different subnet to the devices. Using the web controller is really the only solution for this use-case.
Author of the leading independent Sonos apps for Android, MacOS, iOS, Windows and Xbox.
Thanks all for the input and ideas and
I didn’t realize that Sonos had a web app; said app quickly solved my problem. Now I find myself hoping for a redesign of the iOS app to give it the same functionality (though I’m aware beggars can’t be choosers).
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.