When will Sonos put additional security measures in place?

  • 1 November 2016
  • 78 replies
  • 3597 views

Badge +1
Today I read an article (https://www.ncsc.nl/actueel/nieuwsberichten/iot-botnets-veroorzakers-nieuwste-ddos-aanvallen.html for those able to read Dutch) in which the Dutch Nationaal Cyber Security Center (NCSC) is taking steps to track down security issues of home-used Internet of Things devices.
So my question is whether Sonos will step up to the plate.

As far as I know the only counter-measure in getting access to any Sonos product is the locally used WiFi SSID-name / password.


Userlevel 7
Badge +22
Someone getting access to my speakers is the least of my worries when it comes to cyber security.
Badge +1
Someone getting access to my speakers is the least of my worries when it comes to cyber security.

Are you a Sonos employee?
If no -> Thanks for your response, but I am asking Sonos.
If yes -> Good to know the stance of Sonos in this. Handy to report this to those that do care.
Userlevel 7
Badge +21
Sonos Staff are indicated as such under their username.

So Chris isn't and nor am I.

Your question isn't particularly clear. You say "are Sonos going to step up to the plate". What do you mean? What is it that you believe Sonos do or don't do that you want them to do/not do in the future?
Sonos employees are noted as such. This is a site where postings by Sonos users and employees alike are encouraged. Put a question out there in public and you will get responses from both, regardless of intent.

My 2 cents:

Your analysis that "the only counter-measure in getting access to any Sonos product is the locally used WiFi SSID-name / password" is incorrect. They also have the local to each machine embedded OS and firmware, which is protected by hidden security measures and by the very fact it is embedded firmware that is designed for purpose. Given this, a hacker would have dozens of easier targets if looking to infiltrate your network, and would most definitely choose those over one which, without some pretty sophisticated hacking, would only give them the ability to remotely play music in your home. On the off chance they did target Sonos, even with the sophisticated hacking, it wouldn't give them much more than this. In short: it is truly the case of worrying about doubling the locks on the 2nd story windows when the front door is wide open.
Userlevel 7
Badge +22
He doesn't want any of our cents... so I'd just let him hunker down in his shelter on his own.
He doesn't want any of our cents... so I'd just let him hunker down in his shelter on his own.

He may not want it, but he will get it when his assumptions are incorrect. Besides, I love the embarrassed silence that often (but not always, alas) happens when a Sonos rep eventually confirms our posts. 😃
Badge +1
If anyone can already point me to additional info available I am more than happy to see it. So sure, any 2 cents is welcome.
If I am too concerned about this matter I would rather be told that than have to find out I had an IoT bot running havoc on the internet.

Like the DDoS Dyn had to endure, and thus websites like Spotify and Netflix being harder to find/access.

If anyone of Sonos would set me straight: all the better. I am then at least told I have a secured device running.

https://www.shodan.io/ is a site where you don't have to look for certain devices yourself.
Note: have not taken the time to query that site att.
Userlevel 7
Badge +17
What about getting access to the Play:5 microphones as well?
If anyone can already point me to additional info available I am more than happy to see it. So sure, any 2 cents is welcome.
If I am too concerned about this matter I would rather be told that than have to find out I had an IoT bot running havoc on the internet.

Like the DDoS Dyn had to endure, and thus websites like Spotify and Netflix being harder to find/access.

If anyone of Sonos would set me straight: all the better. I am then at least told I have a secured device running.

I'm not sure what you are asking. Are you doubting the fact that Sonos uses embedded OS and firmware? If so, then I really don't know what answer is going to satisfy you.

In any case, here is a recent reply from a Sonos rep in regards to the Dyn DDoS incident (not that it is going to satisfy you):

https://en.community.sonos.com/ask-a-question-228987/how-secure-our-registration-information-mirai-a-possibility-for-sonos-speakers-6751742
Badge +1
Thanks jgatie.

Not a link that tells me more about the current state of Sonos' stance on IoT security, but informative.
However still good to know about anyway.
Userlevel 7
Badge +26
Hi everyone, this is always an interesting topic to have come up, and though I can't provide a lot of specifics, for security reasons, I can assure you that making sure Sonos isn't "the weak link" in your home network is extremely important to us. We have teams dedicated to player security and maintaining that going forward. In fact, the latest public beta added an additional layer of Sonos account security on the household.

If you have any specific concerns let us know and we'll be happy to provide what details we can. Feel free to PM me if you'd like to chat in private too.
What about getting access to the Play:5 microphones as well?

You would have to duplicate the entire functionality of the Sonos firmware, add in your own mic monitoring functions, break into the individual Sonos units in the home (or substitute your firmware for the version at the Sonos servers, highly unlikely), somehow initiate an update of your own firmware, then you would be able to access the microphones. Compare this with simply breaking into a laptop via telnet/ftp and loading a background app and you see why a hacker is going to pick an easier target.
Badge +1
Thank you Ryan S for responding.

Looking forward to this "added layer". When home I am hoping I can figure out what this layer may be (release notes I assume are provided).
Userlevel 7
Badge +21
Thank you Ryan S for responding.

Looking forward to this "added layer". When home I am hoping I can figure out what this layer may be (release notes I assume are provided).

If you install the Sonos beta that became public - Android and computer-based controllers only are available in public beta tests; iOS devices will have limited settings/functionality - it'll be pretty clear the additional level of security added. Just note that it's a layer of security between your Sonos devices and Sonos' servers with regards to your Sonos account.

Like others have mentioned, though, Sonos isn't likely to be a weak spot as far as the security of devices connected to your network. Most of the devices that have been compromised and involved in many of the attacks are internet-connected cameras, security camera DVRs, and routers, all of which have their passwords still set to the default, or have passwords that can't be changed. Open access to the device - like through Telnet or SSH - is often required for infection to be possible. Also, cameras and DVRs usually have port forwarding active to allow access to them from the internet, something which doesn't affect Sonos either.

In short, your Sonos devices are pretty secure on your home network, and aren't likely to be participating in any such attacks on the internet.
Badge +1
MikeV,

The fact that the hidden Sonos page tells me more than I should need to know at first glance troubles me.
Granted, security through obscurity is not preferred either. Still, the Sonos status info pages of the device itself can be put behind a username/password enabled webpage (HTTPS preferred).
Also a personal mail address of whom I presume is an employee of Sonos within these pages.... It equals "Not done" in my book.

I still have not figured out how to change the root password of this Linux 2.6.35 kernel which seems to run on the device, and I am not even sure if this kernel is still being maintained. If anything can be written/said about Linux and its apps/drivers etc. it's that Linux is the most frequently patched OS I have seen to date (macOS Sierra/Windows are not even close in the number of times some patch/tweak is released for Linux).

What I understood from the beta notes so far is that an additional layer is put into place server-side to protect the data gathered and stored there. I have not looked at the client-side implementations of the firmware itself. I lack a test Sonos system and I am not about to get an additional test Play:1 just to see what betas will add.

Perhaps I expect too much from Sonos documentation concerning IoT, aka the release notes of the system(s) used. I am the kind of person who reads Microsoft patch notes from top to bottom. Same for macOS Sierra patch notes for that matter.
Badge +1
Ryan S,

Perhaps I will try that chat you suggested.
However, I'm not sure when (you are USA based when I have a look at your profile info and I am an EU citizen) or how to start a chat.

Never mind... the chat is a PM.
Misread your comment.
You're worried about security but you want users to be able to change the root password on the Sonos devices?
Badge +1
You're worried about security but you want users to be able to change the root password on the Sonos devices?
I want to change the password as the owner of the device so that I and I alone know it.
I will at this time assume all Play:1 devices have a standard/firmware embedded password.

If this password is hardcoded into the device I see it even as worse.

I.e. the device comes with a known but temporary password in the owner's manual. Upon configuration you are mandatorily notified to change the password, with certain best-practice guidelines of what a password/passphrase should look like.

(I was under the impression I wrote that earlier so I hope this clarifies it.)

Furthermore I have no idea if it is even possible to flush the devices of Sonos like you can Windows Phone/iOS or Android devices.
I think it should.
The majority of people don't even change their router password and you're expecting them to provide a 16 digit password (current admin password length requirement at my place of work) for their Sonos system? And renew it every 90 days presumably? And then remember it when Sonos support require it in order to fix an issue? Good luck with that. How are hackers gaining access to your Sonos anyway, isn't your router secure?
Badge +1
The majority of people don't even change their router password and you're expecting them to provide a 16 digit password (current admin password length requirement at my place of work) for their Sonos system? And renew it every 90 days presumably? And then remember it when Sonos support require it in order to fix an issue? Good luck with that. How are hackers gaining access to your Sonos anyway, isn't your router secure?

When a phishing mail with malicious content is opened within the LAN, your router security is already a non-issue.
That is the pet peeve why I started this thread.

Again, if you can reflush a Sonos device like you could a mobile phone, fixing is a non-issue. If a reflush would fail I would send it to the manufacturer for repair.
I for one would never like the idea that Sonos can directly access my device unless I and I alone granted them access.

Btw the fact that people still use default passwords on their routers is again all the more a reason to force manufacturers to up their game. Router manufacturers should make it a mandatory configuration action though.

Question though for you LHR:
Would you like it if you owned a TP-Link router that TP-Link support could directly access it?
Would it matter to me? Hell yes.
I for one would not like the idea of external people accessing my Sonos like they can with certain cars (the kind of car with "convenient motor management software").

My router is a non-physical one running in cyberspace, if you will. It is not directly accessible from the outside and I will make sure it never will be accessible.
No offense, but much of this seems like tin-foil hat territory. Why would anyone want to break into your Sonos system? What exactly is there to gain that couldn't be gained by breaking into hundreds of other less secure devices? Do you really think a hacker is interested in blasting you with rap music at 5AM?

And by the way, if your network allows a Sonos rep to access your device without your permission, your problem is with your network, not the Sonos device. Nobody should be able to access anything on your network from the outside without your permission, and if it were possible, accessing my Sonos devices would be the very least of my worries. Once again, it seems you are worrying about deadbolts and time locks on your broom closet, while leaving the front door wide open and the jewelry box in plain sight.

By the way, in case you haven't noticed, this is the only thread voicing these concerns. Sonos is used by many, many folks in the tech industry, and you are the only one to voice such grave concerns about security. Now that may serve to give you a hint as to how fringe your concerns are, or it may drive you to think you know something everyone else does not. Either way, this is really fringe stuff to many of us who would be all on board if the concerns you post were actually, you know, concerning.
Badge +1
Still awaiting a formal response from Sonos itself. However, it seems at this time they are being forum-spammed.
Userlevel 7
Badge +26
Hey Captain, I just replied back to your private message, so we can continue there if you'd like. I'm not going to go into specific details here in the public eye on player security, but it is something we're always looking at and will continue to improve in the future.
Thank you, Ryan 🙂
Badge +1
Removed this entry.