When will Sonos put additional security measures in place?

  • 1 November 2016
  • 78 replies
  • 4866 views



Userlevel 7
Badge +21
Just wanted to note that while my earlier post indicated that I don't feel Sonos should be considered a "weak link" in a network's security at this time, I do share the same interest in knowing details about any accounts - root or otherwise - that may exist on our Sonos devices, and how they are protected.

Since Sonos devices are running some form of Linux OS, and usually have broad access to the internet available to them, they would be prime candidates for being used to launch DDoS attacks just as internet connected cameras and DVRs are. Yes, they may not be as easy to access as internet-accessible devices are, since they don't usually have port forwards and/or firewall rules allowing them to be accessed from the internet. But as Captain mentions, if malware finds its way onto your network through other means, it doesn't matter if it can be accessed from the internet as it can just be accessed from the local network!
Badge +1
MikeV,

I have PMed Ryan S. What you wrote was one of my statements too (and a bit more).
I will not go into details of what I wrote though. If additional info is made available I will leave it up to him to state this.
Badge +1
I still do not see any reply by Ryan S.

I do wonder: does the hidden reboot work on Sonos system I can find on the internet direct (aka I can window shop stuff like topology hidden page etc)?

If so one could have them reboot continuously.
Would be like this article: http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter only now the user has a Sonos that keeps rebooting itself.
I do wonder: does the hidden reboot work on Sonos system I can find on the internet direct (aka I can window shop stuff like topology hidden page etc)?

If so one could have them reboot continuously.

http://IP:1400/reboot works but, again, one would require access to the local subnet. If you're sufficiently paranoid, put Sonos on its own subnet -- along with trusted control devices -- and your IoT toys in their own subnet sandbox.
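As an added example (not code from the thread or from Sonos), a small audit that checks, from whatever vantage point you run it on, which hosts accept a TCP connection on port 1400, the port named above. Run from the IoT subnet or a guest network, it should come back empty if the segmentation suggested above is in place; run from the trusted subnet, it lists the players. The host list is whatever you pass in; the loopback listener is a constructed stand-in for a device so the block can exercise itself offline. It only completes a handshake and never touches /reboot.

```python
"""Reachability audit for TCP/1400 (the Sonos control port named in the thread)."""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

SONOS_PORT = 1400


def port_open(host, port=SONOS_PORT, timeout=0.5):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def probe_hosts(hosts, port=SONOS_PORT, timeout=0.5, workers=64):
    """Return the subset of hosts that accept connections on port, in input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: port_open(h, port, timeout), hosts))
    return [h for h, ok in zip(hosts, flags) if ok]


def subnet_hosts(prefix):
    """Expand a CIDR such as "192.168.1.0/24" into its usable host addresses."""
    return [str(ip) for ip in ipaddress.ip_network(prefix, strict=False).hosts()]


def start_local_listener():
    """Constructed stand-in for a device: accept-and-close on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port():
    """Pick a loopback port that is (almost certainly) not listening right now."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Replace the prefix with the subnet you want to audit from this machine.
    for host in probe_hosts(subnet_hosts("192.168.1.0/24")):
        print("TCP/%d reachable on %s" % (SONOS_PORT, host))
```

The test below points the probe at the loopback listener rather than a real subnet; on a LAN, sweep the IoT subnet from a device that should not be able to reach the players and treat any hit as a firewall gap.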
I still do not see any reply by Ryan S.

I do wonder: does the hidden reboot work on Sonos system I can find on the internet direct (aka I can window shop stuff like topology hidden page etc)?

If so one could have them reboot continuously.
Would be like this article: http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter only now the user has a Sonos that keeps rebooting itself.


Once again, if people have access to your local LAN, it is your fault, not Sonos'. It's pretty silly to worry about the lock on the broom closet if you are leaving your front door wide open.
Badge +1
With little effort I already found Sonos systems accessible on the internet which will most likely reboot. I therefore question the wisdom of having a web interface available without a proper credential check in place.
With little effort I already found Sonos systems accessible on the internet which will most likely reboot.
Because someone was daft enough to forward public ports to a local SonosIP:1400? Enough said.
Believe me, there is a lot of questioning about wisdom going on.

CaptainLeonidas_Sonos, I'm going to be blunt because you don't seem to get the subtle message here: Ryan S suggested you take your tin-foil hat paranoia to PM for a reason, and it has nothing to do with the legitimacy of your concerns. Please take his suggestion to heart and spare the rest of us this nonsense.
Badge +1
jgatie,
I believe any man/woman can speak for themselves.
So unless you are a telepathically gifted person you might want to keep your remarks about what another might think to yourself.

Ratty,
People are daft at times. Then again not all users read through forums to figure out something they could not find in the owner's manual.
I may be mistaken but the fact certain webpages are active on an out-of-the-box Sonos product including one to reboot it without some kind of confirmation might be worth a second thought during setup/configuration.
One does not have to be telepathic to read the posts wishing you would take this to PM:

Thank you, Ryan :)

^^Oh look, there's one now.
Badge +1
One does not have to be telepathic to read the posts wishing you would take this to PM:

Thank you, Ryan :)

^^Oh look, there's one now.


Thank you for confirming you are not telepathic.
People are daft at times. Then again not all users read through forums to figure out something they could not find in the owner's manual.
I may be mistaken but the fact certain webpages are active on an out-of-the-box Sonos product including one to reboot it without some kind of confirmation might be worth a second thought during setup/configuration.

This is ridiculous. No-one is going to 'accidentally' create a forwarding rule in a home router to port 1400 on a specific IP, especially not for an arcane function that only the technically literate would know how to find on forum pages.

As for 'certain webpages [being] active on an out-of-the-box Sonos product' it might perhaps be an idea to get at least a passing understanding of how UPnP AV works.
Badge +1
I did get an answer btw. Again I leave it to Ryan S to elaborate.

I will continue to monitor progress made in this regard.
Badge
Hello, I am concerned by security too, because it seems at this moment more than 3000 are open to the internet (port 1400, cf. shodan.io).
It seems to me that this is a really huge number to have been manually configured to do so (with port translation on routers / DMZ).

And regardless of what can be found with this: phone names (like "John Doe's iPhone"), wifi access point name, even emails used for music services accounts..., it is a serious flaw in terms of personal data security.

And also, we can make some mess by playing unwanted music at unwanted times, rebooting, changing parameters, participating in some kind of DDoS...

And there may also be some vulnerabilities in the different components (API calls, mp3 decoder, ...) that may be used to turn Sonos components into some botnet, so reducing the attack surface will improve this.


So in my opinion it is up to Sonos to add some security layers (like at least authentication to their equipment), because most of their customers don't understand how networks work and don't know anything about securing them.
Or maybe you can contact the customers to tell them to secure their installation (if you can use the customer ID to find their email).

I know that security is a real cost in terms of effort/time/customer dissatisfaction (when they are too restricted)... but please don't ignore it.
most of their customers don't understand how networks work and don't know anything about securing them.
Yet we're to believe that, despite that ignorance, customers will deliberately configure port forwarding to 1400 on one or more of their Sonos devices, or even put a Sonos unit into their DMZ?
Badge +1
Well, Sonos Controller version 7 is out and still the Play:1 Linux v2.6.35-driven Sonos is not updated.

Still able to read out info I should not have to know, open and clearly readable if you know how to find it.
(Why should I be able to read out all WiFi networks near the device with name and security protocol used? Same for devices used on the Sonos device like phones, tablets etc.)
Still not sure why this Sonos needs to have unsecured SMTP, NNTP, POP3 and IMAP ports open. A simple port scan on the device seems to point that out.

The additional Spotify feature is not even that impressive.
Would have been more impressed if indeed some additional security had been added.

I also have not seen Sonos on the Z-Wave listing of IoT's with "higher" standards. Is Sonos even considering this?
Badge +1
Questions one might want to ask Sonos (like the ones posted by the Internet Storm Center, see URL below).
https://isc.sans.edu/forums/diary/5+Questions+to+Ask+your+IoT+Vendors+But+Do+Not+Expect+an+Answer/21807/

What can or should we expect?
Userlevel 7
Badge +22
Questions one might want to ask Sonos (like the ones posted by the Internet Storm Center, see URL below).
https://isc.sans.edu/forums/diary/5+Questions+to+Ask+your+IoT+Vendors+But+Do+Not+Expect+an+Answer/21807/

What can or should we expect?


I think we can expect no public response from Sonos beyond what we already have and frankly I don't see why we should expect a response. As has been mentioned in this thread there is only a concern if somebody has access to your LAN and if they have that then access to your Sonos devices would surely be very low on your priority list.
What I want to know is why, after repeated requests by Sonos and others to discuss this matter via PM, there are still continuous public posts from the very person who was asked to take it to PM?
They're not especially accurate either. The ports mentioned are not open, for TCP at least. And UDP port scans are notorious for yielding false positives.

Besides, why are we even discussing it? These are ports on a private network.
Userlevel 7
Badge +21
The issue they're mentioning is that there are (apparently) thousands of Sonos devices that are visible to the world, rather than being behind a properly configured router/firewall. What would be good for Sonos would be to use Shodan to find those devices, then proactively contact the owners of them and get them properly secured behind a router/firewall, with no port forwards to the Sonos device(s).

On a different note... the fact that Sonos can be rebooted via an unauthenticated URL could be seen as a DoS in some ways. Arris recently ran into the same issue with some of their modems earlier this year (actually it was known about for a while, and had even been raised as an issue in the past; it just got more press this time which caused them to react), which allowed a website to have an image reference to the modem's reboot URL, thus disconnecting the user from their internet service while the modem reboots.

Obviously that IS a DoS, since you're being disconnected from your ISP as a result. Sonos may not be key to your home's internet access, but nonetheless it would be annoying if I were listening to music or watching TV and my Sonos device rebooted for no reason while browsing the web. Arris' fix was to remove the ability to reboot via the modem's web interface once the modem is up and running, though many say they should've added some security to their web interface instead.
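An added example, not Sonos or Arris code, of the pattern MikeV describes: an HTTP handler that honours GET /reboot unconditionally (so a page with `<img src="http://device:1400/reboot">` restarts the device from any browser on the LAN), beside a hardened variant that requires POST, a bearer token the browser will never attach on its own, and an Origin header that, if present, matches the device's own address. Both run on a loopback port here; the token value, port and handler names are constructed for the example, and the "reboot" is just a 200 response.

```python
"""Unauthenticated GET /reboot beside a hardened variant of the same endpoint."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed for this example: the secret a legitimate controller would hold.
REBOOT_TOKEN = secrets.token_urlsafe(16)


class VulnerableHandler(BaseHTTPRequestHandler):
    """Behaviour as described in the thread: any GET to /reboot is honoured,
    so an <img> tag on a web page or a bare curl from the LAN triggers it."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path == "/reboot":
            self._send(200, b"rebooting\n")
        else:
            self._send(404, b"not found\n")

    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class HardenedHandler(VulnerableHandler):
    """Same endpoint with three checks: state-changing actions need POST
    (an <img> can only issue GET), a bearer token, and a same-origin Origin."""

    def do_GET(self):
        if self.path == "/reboot":
            self._send(405, b"use POST\n")
        else:
            self._send(404, b"not found\n")

    def do_POST(self):
        if self.path != "/reboot":
            return self._send(404, b"not found\n")
        auth = self.headers.get("Authorization", "")
        if not secrets.compare_digest(auth, "Bearer " + REBOOT_TOKEN):
            return self._send(401, b"missing or bad token\n")
        origin = self.headers.get("Origin")
        host = self.headers.get("Host", "")
        if origin is not None and origin != "http://" + host:
            return self._send(403, b"cross-origin request refused\n")
        self._send(200, b"rebooting\n")


def serve(handler_cls):
    """Start handler_cls on an ephemeral loopback port; return (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def request(base_url, method, path="/reboot", headers=None):
    """Return the HTTP status code of one request (4xx/5xx included)."""
    data = b"" if method == "POST" else None
    req = urllib.request.Request(base_url + path, method=method,
                                 headers=headers or {}, data=data)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def demo():
    """Exercise both handlers and return the status codes observed."""
    results = {}
    srv, url = serve(VulnerableHandler)
    results["vuln_get"] = request(url, "GET")  # 200: anyone on the LAN can reboot
    srv.shutdown(); srv.server_close()

    srv, url = serve(HardenedHandler)
    good = {"Authorization": "Bearer " + REBOOT_TOKEN}
    results["hard_get"] = request(url, "GET")                # 405
    results["hard_post_no_token"] = request(url, "POST")     # 401
    results["hard_post_bad_origin"] = request(
        url, "POST", headers={**good, "Origin": "http://evil.example"})  # 403
    results["hard_post_ok"] = request(url, "POST", headers=good)         # 200
    srv.shutdown(); srv.server_close()
    return results


if __name__ == "__main__":
    for name, code in demo().items():
        print(name, code)
```

The POST-only rule is what defeats the image-tag trick on its own; the token covers scripted requests from other LAN hosts, and the Origin check is a cheap second line for browsers that do send it. Arris chose instead to disable the reboot path once the modem is up, which also works but removes a legitimate function rather than gating it.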
Badge +1
What I want to know is why, after repeated requests by Sonos and others to discuss this matter via PM, there are still continuous public posts from the very person who was asked to take it to PM?

I will not elaborate on the PMs I was given but I will say this. It was disappointing at best.
The PMs I got had a high amount of words but little in the form of answers or assurances that Sonos is indeed willing to improve itself on what I committed to this forum once again.

Forums are by far the best place to make suggestions as these will most likely not make an impact on the bottom line and profit of any commercial company. Same for getting quick answers to common user-solvable issues.

Anything else needs to have a certain "demand"-like ring to it. Improvements like solving security-related issues or concerns are profit-consuming and hence unwanted.
Any good moderator will first act upon this by suggesting PMs. Another way is to have the issue bleed out and die silently by not responding to inquiries.

Only when people become aware of issues (via a forum like this one) and act upon it in greater numbers does a company become aware it might need to change policy to keep the customer happy.

So let me ask this then as I am a reasonable person:
1 - For how long, after I purchase a device, should I expect security updates? Aka the Sonos Play:1 device OS (not referring to the controller software) is supported until when? I have not found an answer to that so please feel free to point me in the right direction.

2 - How will I learn about security updates? Sonos Controller itself will give us a notification so no issue there. Also I was informed of the update to version v7 via mail. However I lacked the mail about improved actions of the Sonos device OS itself.

3 - Can you share a pentest report for your device? I have not seen any and I am fairly certain I will never get one. Also I have not seen any indicators that Sonos is willing to join Z-Wave or any other IoT security-aware organisation.

4 - How can I report vulnerabilities? I was suggested via PM's. Guess this will have to do.

5 - If you use encryption, then disclose what algorithms you use and how they are implemented? I have yet to find out if indeed this will be disclosed or mentioned anywhere.

34.7-35162-1-8.upd is the latest upd-file available for the device I have.
I would love to know what was improved via this upd file.
Userlevel 7
Badge +22
Well then I guess you just keep asking the questions here then and get no response from Sonos.
Badge +1
Well then I guess you just keep asking the questions here then and get no response from Sonos.
That's up to Sonos.
34.7-35162-1-8.upd is the latest upd-file available for the device I have.
I would love to know what was improved via this upd file.

http://www.sonos.com/software/release/7-0