When will Sonos put additional security measures in place?

  • 1 November 2016
  • 78 replies
  • 4860 views

Badge +1
Today I read an article (https://www.ncsc.nl/actueel/nieuwsberichten/iot-botnets-veroorzakers-nieuwste-ddos-aanvallen.html for those able to read Dutch) in which the Dutch Nationaal Cyber Security Center (NCSC) is taking steps to track down security issues of home-used Internet of Things devices.
So my question is whether Sonos will step up to the plate.

As far as I know the only counter-measure to getting access to any Sonos product is the locally used WiFi SSID name / password.


78 replies

Userlevel 7
Badge +21
Well, in the end Sonos is mentioned in this very article basically confirming my findings/concerns.

Good job, Sonos.

That article is mistaking a tiny number of Sonos users (around 5,000 worldwide, out of millions of Sonos customers) who have horribly misconfigured networks for a security issue of the device manufacturer. These are people that are either forwarding a port on their router to one or more of their Sonos devices, or have firewall rules that are allowing traffic from the internet directly into their network, with the result being that the Sonos device is able to be accessed from the internet.

Sonos' resulting software update has removed lots of technical and otherwise useful information that advanced Sonos users relied on for information about their systems because a small fraction of users screwed up and left their devices accessible to the internet.

Maybe there's something Sonos could do to prevent devices that aren't connected to the local network from being able to control the speakers... but now you're making changes that are affecting legitimate users who maintain multiple networks and want to be able to control their Sonos devices on one network from their phone or computer on another network.
Dear Captain,

You don’t have a clue. Please go away now.

Thank you,
The clued in
Userlevel 5
Badge +1
Guess basic security thinking breaking your tools equals updating your skillset for once?
Ouch, no wonder database administrators just hate masks....


The resident expert blames you and your post for losing access to the diagnostic pages. LOL dude, it's totally your fault, thanks a lot; those 5k+ other Sonos customers be damned.
Userlevel 7
Badge +22
Someone getting access to my speakers is the least of my worries when it comes to cyber security.
Thank you, Ryan 🙂
Userlevel 7
Badge +21
Just wanted to note that while my earlier post indicated that I don't feel Sonos should be considered a "weak link" in a network's security at this time, I do share the same interest in knowing details about any accounts - root or otherwise - that may exist on our Sonos devices, and how they are protected.

Since Sonos devices are running some form of Linux OS, and usually have broad access to the internet available to them, they would be prime candidates for being used to launch DDoS attacks just as internet connected cameras and DVRs are. Yes, they may not be as easy to access as internet-accessible devices are, since they don't usually have port forwards and/or firewall rules allowing them to be accessed from the internet. But as Captain mentions, if malware finds its way onto your network through other means, it doesn't matter if it can be accessed from the internet as it can just be accessed from the local network!
Badge +1
MikeV,

I have PMed Ryan S. What you wrote was one of my statements too (and a bit more).
I will not go into details of what I wrote though. If additional info is made available I will leave it up to him to state this.
Badge +1
I still do not see any reply by Ryan S.

I do wonder: does the hidden reboot work on Sonos systems I can find on the internet directly (aka I can window-shop stuff like the hidden topology page etc.)?

If so one could have them reboot continuously.
Would be like this article: http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter only now the user has a Sonos that keeps rebooting itself.
I do wonder: does the hidden reboot work on Sonos systems I can find on the internet directly (aka I can window-shop stuff like the hidden topology page etc.)?

If so one could have them reboot continuously.

http://IP:1400/reboot works but, again, one would require access to the local subnet. If you're sufficiently paranoid, put Sonos on its own subnet -- along with trusted control devices -- and your IoT toys in their own subnet sandbox.
I still do not see any reply by Ryan S.

I do wonder: does the hidden reboot work on Sonos systems I can find on the internet directly (aka I can window-shop stuff like the hidden topology page etc.)?

If so one could have them reboot continuously.
Would be like this article: http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter only now the user has a Sonos that keeps rebooting itself.


Once again, if people have access to your local LAN, it is your fault, not Sonos'. It's pretty silly to worry about the lock on the broom closet if you are leaving your front door wide open.
Badge +1
With little effort I already found Sonos systems, accessible on the internet, which will most likely reboot. I therefore question the wisdom of having a web interface available without a proper credential check in place.
With little effort I already found Sonos systems, accessible on the internet, which will most likely reboot.
Because someone was daft enough to forward public ports to a local SonosIP:1400? Enough said.
Believe me, there is a lot of questioning about wisdom going on.

CaptainLeonidas_Sonos, I'm going to be blunt because you don't seem to get the subtle message here: Ryan S suggested you take your tin-foil hat paranoia to PM for a reason, and it has nothing to do with the legitimacy of your concerns. Please take his suggestion to heart and spare the rest of us this nonsense.
Badge +1
jgatie,
I believe any man/woman can speak for themselves.
So unless you are a telepathically gifted person you might want to keep your remarks about what another might think to yourself.

Ratty,
People are daft at times. Then again not all users read through forums to figure out something they could not find in the owner's manual.
I may be mistaken, but the fact that certain web pages are active on an out-of-the-box Sonos product, including one to reboot it without some kind of confirmation, might be worth a second thought during setup/configuration.
Badge +1
One does not have to be telepathic to read the posts wishing you would take this to PM:

Thank you, Ryan :)

^^Oh look, there's one now.


Thank you for confirming you are not telepathic.
People are daft at times. Then again not all users read through forums to figure out something they could not find in the owner's manual.
I may be mistaken, but the fact that certain web pages are active on an out-of-the-box Sonos product, including one to reboot it without some kind of confirmation, might be worth a second thought during setup/configuration.

This is ridiculous. No-one is going to 'accidentally' create a forwarding rule in a home router to port 1400 on a specific IP, especially not for an arcane function that only the technically literate would know how to find on forum pages.

As for 'certain webpages [being] active on an out-of-the-box Sonos product' it might perhaps be an idea to get at least a passing understanding of how UPnP AV works.
Badge +1
I did get an answer btw. Again I leave it to Ryan S to elaborate.

I will continue to monitor progress made in this regard.
Badge
Hello, I am concerned by security too, because it seems that at this moment more than 3000 are open to the internet (port 1400, cf. shodan.io).
It seems to me that this is a really huge number to have been manually configured to do so (with port translation on routers / DMZ).

And regardless of what can be found with this (phone names like "John Doe's iPhone", wifi access point name, even emails used for music service accounts...), it is a serious flaw in terms of personal data security.

And also, we can make some mess by playing unwanted music at unwanted times, rebooting, changing parameters, participating in some kind of DDoS...

And there may also be some vulnerabilities in the different components (API calls, mp3 decoder, ...) that may be used to turn Sonos components into some botnet, so reducing the attack surface will improve this.


So in my opinion it is up to Sonos to add some security layers (like at least authentication to their equipment), because most of their customers don't understand how networks work and don't know anything about securing them.
Or maybe you can contact the customers to tell them to secure their installation (if you can use the customer ID to find their email).

I know that security is a real cost in terms of effort/time/customer dissatisfaction (when they are too restricted)... but please don't ignore it.
most of their customers don't understand how networks work and don't know anything about securing them.
Yet we're to believe that, despite that ignorance, customers will deliberately configure port forwarding to 1400 on one or more of their Sonos devices, or even put a Sonos unit into their DMZ?
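An added example, not code from this thread or from Sonos: the disagreement above is really about who can reach TCP/1400, not about what the pages on it do. The script below answers that question for your own unit. Run check_exposure() from inside your LAN against the speaker's address, then from outside (a phone on mobile data, a rented VPS) against your router's public address; "open" plus a served page from outside is the port-forward misconfiguration being argued about. It only fetches read-only pages and deliberately never touches /reboot, since a plain GET there restarts the unit. The exact /status/topology path is an assumption standing in for the thread's "topology page"; the fake server is a constructed stand-in so the example runs offline.

```python
"""Reachability check for a Sonos unit's HTTP control port (TCP/1400).

Added example for this thread, not Sonos code. The /status/topology path is an
assumption (the thread's "topology page"); adjust it for your firmware.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

SONOS_HTTP_PORT = 1400

# Read-only pages only. Never probe /reboot: an unauthenticated GET on it
# restarts the unit, which is exactly the abuse the thread worries about.
READ_ONLY_PATHS = ("/status/topology",)


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect: open (SYN/ACK), closed (RST), filtered (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def http_status(host: str, port: int, path: str, timeout: float = 2.0) -> Optional[int]:
    """GET a path with no credentials; return the HTTP status, or None if nothing spoke HTTP."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def check_exposure(host: str, port: int = SONOS_HTTP_PORT) -> Dict[str, object]:
    """Port state plus which read-only pages answer an unauthenticated GET."""
    state = tcp_probe(host, port)
    pages: Dict[str, Optional[int]] = {}
    if state == "open":
        pages = {p: http_status(host, port, p) for p in READ_ONLY_PATHS}
    # Exposed = port reachable from where you ran this AND a page served with no credentials.
    exposed = state == "open" and any(s == 200 for s in pages.values())
    return {"host": host, "port": port, "tcp": state, "pages": pages, "exposed": exposed}


# --- constructed offline stand-in so the example never touches a real speaker ---
class _FakeSonosHandler(BaseHTTPRequestHandler):
    """Serves only the read-only topology path; everything else is 404."""

    def do_GET(self):
        if self.path in READ_ONLY_PATHS:
            body = b"<ZPSupportInfo/>"  # constructed placeholder, not real device output
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_sonos() -> Tuple[HTTPServer, int]:
    """Start the stand-in on 127.0.0.1 with an ephemeral port; caller calls shutdown()."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeSonosHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_local_port() -> int:
    """Pick a local port nothing listens on, to show the 'closed' verdict."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_sonos()
    try:
        print(check_exposure("127.0.0.1", port))                  # exposed: True
        print(check_exposure("127.0.0.1", closed_local_port()))   # tcp: closed
    finally:
        srv.shutdown()
        srv.server_close()
```

The verdict to act on is "exposed" from the outside vantage point: that means a forward or DMZ rule on the router, and the fix is on the router, not on the speaker. A "filtered" result from outside with "open" from inside is the expected, healthy state.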
Badge +1
Well, Sonos Controller version 7 is out and still the Play:1 Linux v2.6.35 driven Sonos is not updated.

Still able to read out info I should not have to know, open and clearly readable if you know how to find it.
(Why should I be able to read out all WiFi networks near the device, with name and security protocol used? Same for devices used with the Sonos device, like phones, tablets etc.)
Still not sure why this Sonos needs to have unsecured SMTP, NNTP, POP3 and IMAP ports open. A simple port scan on the device seems to point that out.

The additional feature of Spotify is not even so much impressive.
Would have been more impressed if indeed some additional security had been added.

I also have not seen Sonos on the Z-Wave listing of IoT devices with "higher" standards. Is Sonos even considering this?
Badge +1
Questions one might want to ask Sonos (like the ones posted by the Internet Storm Center, see URL below).
https://isc.sans.edu/forums/diary/5+Questions+to+Ask+your+IoT+Vendors+But+Do+Not+Expect+an+Answer/21807/

What can or should we expect?
Userlevel 7
Badge +22
Questions one might want to ask Sonos (like the ones posted by the Internet Storm Center, see URL below).
https://isc.sans.edu/forums/diary/5+Questions+to+Ask+your+IoT+Vendors+But+Do+Not+Expect+an+Answer/21807/

What can or should we expect?


I think we can expect no public response from Sonos beyond what we already have and frankly I don't see why we should expect a response. As has been mentioned in this thread there is only a concern if somebody has access to your LAN and if they have that then access to your Sonos devices would surely be very low on your priority list.
What I want to know is why, after repeated requests by Sonos and others to discuss this matter via PM, there are still continuous public posts from the very person who was asked to take it to PM?
They're not especially accurate either. The ports mentioned are not open, for TCP at least. And UDP port scans are notorious for yielding false positives.

Besides, why are we even discussing it? These are ports on a private network.