When will Sonos put additional security measures in place?

  • 1 November 2016
  • 78 replies
  • 4871 views




Userlevel 7
Badge +21
The issue they're mentioning is that there are (apparently) thousands of Sonos devices that are visible to the world, rather than being behind a properly configured router/firewall. What would be good for Sonos would be to use Shodan to find those devices, then proactively contact the owners of them and get them properly secured behind a router/firewall, with no port forwards to the Sonos device(s).

On a different note... the fact that Sonos can be rebooted via an unauthenticated URL could be seen as a DoS in some ways. Arris recently ran into the same issue with some of their modems earlier this year (actually it was known about for a while, and had even been raised as an issue in the past; it just got more press this time which caused them to react), which allowed a website to have an image reference to the modem's reboot URL, thus disconnecting the user from their internet service while the modem reboots.

Obviously that IS a DoS, since you're being disconnected from your ISP as a result. Sonos may not be key to your home's internet access, but nonetheless it would be annoying if I were listening to music or watching TV and my Sonos device rebooted for no reason while browsing the web. Arris' fix was to remove the ability to reboot via the modem's web interface once the modem is up and running, though many say they should've added some security to their web interface instead.
Badge +1
What I want to know is why, after repeated requests by Sonos and others to discuss this matter via PM, there are still continuous public posts from the very person who was asked to take it to PM?

I will not elaborate on the PMs I was given but I will say this: it was disappointing at best.
The PMs I got had a high amount of words but little in the form of answers or assurances that Sonos is indeed willing to improve itself on what I committed to this forum once again.

Forums are by far the best place to make suggestions as these will most likely not make an impact on the bottom line and profit of any commercial company. Same for getting quick answers to common user-solvable issues.

Anything else needs to have a certain "demand"-like ring to it. Improving acts like solving security-related issues or concerns are profit-consuming and hence unwanted.
Any good moderator will first act upon this by suggesting PMs. Another is to have the issue bleed out and die silently by not responding to inquiries.

Only when people become aware of issues (via a forum like this one) and act upon it in greater numbers does a company become aware it might need to change policy to keep the customer happy.

So let me ask this then as I am a reasonable person:
1 - For how long, after I purchase a device, should I expect security updates? Aka until when does the Sonos Play:1 device OS (not referring to the controller software) have support? I have not found an answer to that so please feel free to point me in the right direction.

2 - How will I learn about security updates? The Sonos Controller itself will give us a notification so no issue there. Also I was informed of the update to version v7 via mail. However I lacked the mail about improved actions of the Sonos device OS itself.

3 - Can you share a pentest report for your device? I have not seen any and I am fairly certain I will never get one. Also I have not seen any indicators where Sonos is willing to join Z-Wave or any other IoT security aware organisation.

4 - How can I report vulnerabilities? It was suggested via PMs. Guess this will have to do.

5 - If you use encryption, then disclose what algorithms you use and how it is implemented? I have yet to find out if indeed this will be disclosed or mentioned anywhere.

34.7-35162-1-8.upd is the latest upd-file available for the device I have.
I would love to know what was improved via this upd file.
Userlevel 7
Badge +22
Well then I guess you just keep asking the questions here then and get no response from Sonos.
Badge +1
Well then I guess you just keep asking the questions here then and get no response from Sonos.
That's up to Sonos.
34.7-35162-1-8.upd is the latest upd-file available for the device I have.
I would love to know what was improved via this upd file.

http://www.sonos.com/software/release/7-0
As I thought, he's posting here to be a complete pain in the butt. Time for an ignore feature, for both users and threads. Too bad InSided is so bad.
+1 for an ignore feature.
Badge +1
As I thought, he's posting here to be a complete pain in the butt. Time for an ignore feature, for both users and threads. Too bad InSided is so bad.

I would love a feature for ignoring certain posters. It would be a good suggestion and you have my vote for having it added to the forum as an added feature as soon as possible.

Frankly though IF I were Sonos I would not implement it unless it is an already free feature which was part of the forum package but one that had not been tagged yet for functionality. Remember anything not free is an impact on profits made.
A commercial company will most likely only support services when they do not come at a negative cost in general.

I again, IF I were Sonos, would just advise posters in general to ignore unwanted threads and just not post in those threads. Even more so if you would want to ignore the poster in question. I also would ask the moderators to step in if threads go south.

Up till now I have made public the concerns I have which I believe should be improved.
I also asked about their future plans on supporting their hardware/firmware/software.
I think everyone is quite aware of your self-styled purpose here. Trust me, there's no need to clarify.
Userlevel 6
Badge +15
They're not especially accurate either. The ports mentioned are not open, for TCP at least. And UDP port scans are notorious for yielding false positives.

Besides, why are we even discussing it? These are ports on a private network.


Speaking as a security professional, private networks are not a security failsafe, they are merely a layer. There's a reason why most successful attacks nowadays are against clients - because we've spent many years hammering at firewalls, routers, IDSs and WAFs, and consequently most of the easy attacks from the outside have been found and accounted for. Attackers have moved to the softer, weaker, client machines, especially residential and consumer systems, because these are often less protected.

If your browser is susceptible to cross-site scripting, it's entirely possible for you to browse a site, download a script that runs in your browser to attack internal systems from a trusted internal network. This attack is not a theory or PoC, it's been effectively used in the real world already to modify routers to allow remote WAN access to the management pages, so it could certainly be used to access SONOS devices' internally accessible ports.

So, say it works - I shoot you a script, you view it in your browser and it connects to your player's reboot URL and reboots your speaker. Hmm, cool, DoS! But just getting access to the page means I can try sending other things - buffer overflows, format string attacks, etc. Maybe right now all I've got is an annoying DoS - can I create something else?

Now, OTOH, also speaking as a security professional: security for anything, cyber, personnel, physical, is a risk management exercise. What could happen, what is the likelihood, what is the potential impact? Am I a target of opportunity (commodity) or a specific person of value? If I'm just a normal home user (or device commonly used at home), there are likely many, many, many more devices that are less secure and easier to craft an exploit for than SONOS. In that case, SONOS doesn't have to outrun the bear, just every other IoT device. If I'm a specific entity of value to a certain attacker, then I have to up my game, so to speak. So, for the average SONOS users, how high is their risk - pretty low in my estimation. But SONOS in a corporate environment? I wouldn't connect it to the same LAN as my database server or credit card readers, KWIM?

/ now feel like going home today and experimenting with the various pages and ports and XSS
Badge +1
As mentioned earlier in this thread I was able to download the *.upd file without any issues from the Sonos update server (global server?) ... over http. I just had to read out the info already available within the "Status" pages.
Think I did read an article a bit back where Microsoft was told to up their update policies by making sure their updates should only be available over https.

Guess Sonos might want to follow if they want to be a "responsible" manufacturer.
(Granted Sonos is no Microsoft but still.)

Time will tell?
Userlevel 4
jgatie wrote: You would have to duplicate the entire functionality of the Sonos firmware, add in your own mic monitoring functions, break into the individual Sonos units in the home (or substitute your firmware for the version at the Sonos servers, highly unlikely), somehow initiate an update of your own firmware, then you would be able to access the microphones. Compare this with simply breaking into laptop via telnet/ftp and loading a background app and you see why a hacker is going to pick an easier target.

This is a typical head-in-the-sand fallacy. "I can't imagine how it would be easy, so it must be hard and/or unlikely". Guess what though, all hackers love a challenge.

But they wouldn't even have to reimplement the firmware, just hijack it, and then package the hijack as a product for sale to security agencies and/or hacking teams. There are clusters of firms specialising in this stuff, it's a big industry.

Bear in mind, Sonos use off-the-shelf integrated circuits for many components; the underlying OS is clearly a Linux derivative and they won't be reinventing the kernel drivers except possibly for special-sauce elements like their DSPs.

This isn't rocket science, it's just computer programming, and there are hundreds of thousands of people already capable of what you described. For some of them, developing and selling pre-packaged hacking tools is simply the day job.
Badge +1
Well, in the end Sonos is mentioned in this very article basically confirming my findings/concerns.

http://blog.trendmicro.com/trendlabs-security-intelligence/iot-devices-need-better-builtin-security/

Good job, Sonos.
Userlevel 7
Badge +22
Making a personal Sonos clone might be a fun project and I can see several ways to go there.

Making a commercial Sonos clone, I believe is not just an engineering issue but also a patent law problem.
Confirming that there are a tiny fraction of Sonos users who are so ignorant of even basic network security (and yet they willfully turn off default security meant to protect the ignorant), and because of these idiots, we all lose some very valuable diagnostic tools? Yeah, good job CaptainLeonidas_Sonos. It's tinfoil hat posts like yours that led to us losing these tools.
Badge +1
Just get it done Sonos and update like I suggested you should have in the first place. Btw the Internet has lots of stuff cached. So good luck with that. Shame really...

I do still use a Play:1 but I made provisions to avoid the leaks mentioned.
Badge +1
Guess basic security thinking breaks your tools equals update your skillset for once?
Ouch, no wonder database administrators just hate masks....

And while I am at it.. A proper Windows store app? The current Windows client feels.... Well so last century.
Badge +1
Blame the Messenger, sure sure.

Frankly I was surprised TrendMicro did come out with the results like I saw coming.
Anyway, make no mistake I will not back down on obvious security flaws if I see them or when they might be of relevance.

I would look to Sonos instead for more secure ways to get access to diagnostics and what not.
IoT security issues are becoming more of a hot item like it or not.
Badge +1
http://resources.infosecinstitute.com/differences-privacy-laws-in-eu-and-us/ might be a start why I am not a fan of leakage in IoT in general.
Badge +1
Not going anywhere unless I get ld by one of the known. You are not one of them.

Thank you
The Captain.....

Sigh....
Badge +1
Hmm, seems the post was made but not on my screen.
Hence the multi postings

To the admins feel free to remove the excess of posts.
(Perhaps an idea to add a delete button dear Sonos so you can remove a post?)
Badge +1
Anyway,

@Chicks you have the option to enlighten me with your pearls of wisdom. The "Reply"-field is all yours.

And Sonos can PM me with relevant info or debunk me on this forum (frankly I would like that as it would restore my faith in them all together).
Yet I have not seen one PM or a post by a Sonos representative.
Badge +1
Funny how now Sonos is patching its product next month. Though weird I am clueless and made a post way back when and I was the deadbeat.

Well enjoy.
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
Userlevel 7
Badge +21
This DNS rebinding "attack" (it's not really an attack, it's taking advantage of common device hostnames and using cross-site scripting methods to access local network devices) was just recently found a couple of weeks ago... oh, and it also affects Chromecast and other devices as well, so Sonos definitely isn't alone in having the issue. But they've acknowledged it and have plans to fix it.

Once again, the most an attacker would have been able to gather is data about your Sonos system... your other Sonos speakers and their IP addresses on your network. They still don't have a way in to turn your Sonos speakers into bots or other attacking devices.
Funny how now Sonos is patching its product next month. Though weird I am clueless and made a post way back when and I was the deadbeat.

Well enjoy.
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325


This patch has absolutely nothing to do with your first post. You gloating over this is like stating an earthquake is imminent in Iowa and then coming back a year later to say "told you so" about a recent tornado warning.
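The DNS rebinding report linked and discussed above turns on one detail: the browser's same-origin policy compares origins by host name, so once the attacker's name re-resolves to a LAN address, a request to that address looks same-origin to the browser, and the device receives it with the attacker's name in the Host header. As an added example (not code from the posts, from the linked article or from Sonos), the block below models the rebinding resolver, the browser's view, a device that answers anyone, and the Host-header check that defeats the attack. attacker.example, 203.0.113.10 and 192.168.1.50 are hypothetical, and the /status path and its JSON body are invented for the model.

```javascript
// Added example, not code from the posts, the linked article or Sonos. Models
// DNS rebinding against a LAN device and the Host-header check that stops it.
// attacker.example, 203.0.113.10, 192.168.1.50, /status and the JSON body are
// all constructed for this model.

// Attacker-controlled resolver: the first answer is the attacker's own server
// (so the page can load), every later answer is the victim's LAN device. Real
// attacks use a tiny TTL so the browser re-resolves quickly.
class RebindingResolver {
  constructor(name, firstIp, laterIp) {
    this.name = name; this.firstIp = firstIp; this.laterIp = laterIp; this.lookups = 0;
  }
  resolve(hostname) {
    if (hostname !== this.name) return null;
    this.lookups += 1;
    return this.lookups === 1 ? this.firstIp : this.laterIp;
  }
}

// Browser model. Same-origin policy is checked by name, never by IP, so after
// the rebind the page's own origin "is" the device and the request goes out
// with Host: attacker.example (the browser fills Host from the URL).
function browserFetch(pageOrigin, url, resolver) {
  const u = new URL(url);
  if (u.origin !== pageOrigin) return { blocked: true, reason: "same-origin policy" };
  const ip = resolver.resolve(u.hostname);
  return { blocked: false, ip,
           request: { method: "GET", path: u.pathname, headers: { host: u.host } } };
}

// Device model. The vulnerable handler answers anyone who reaches it; the
// hardened one refuses requests whose Host header is not one of its own
// names or addresses, which is the standard fix for LAN-reachable HTTP.
const STATUS_BODY = JSON.stringify({            // constructed topology data
  players: [{ ip: "192.168.1.50" }, { ip: "192.168.1.51" }],
});
function vulnerableDevice(req) {
  return req.path === "/status" ? { status: 200, body: STATUS_BODY }
                                : { status: 404, body: "" };
}
function hardenedDevice(req, ownHosts) {
  const host = String(req.headers.host || "").toLowerCase();
  if (!ownHosts.includes(host)) return { status: 421, body: "" }; // Misdirected Request
  return vulnerableDevice(req);
}

// Run the attack against both device models and report what reaches the page.
function runRebinding() {
  const resolver = new RebindingResolver("attacker.example", "203.0.113.10", "192.168.1.50");
  const pageOrigin = "http://attacker.example";
  const pageLoad = browserFetch(pageOrigin, "http://attacker.example/", resolver);
  const afterTtl = browserFetch(pageOrigin, "http://attacker.example/status", resolver);
  const ownHosts = ["192.168.1.50"];
  return {
    firstIp: pageLoad.ip,                         // attacker's server
    secondIp: afterTtl.ip,                        // the LAN device
    hostSeenByDevice: afterTtl.request.headers.host,
    vulnerable: vulnerableDevice(afterTtl.request),
    hardened: hardenedDevice(afterTtl.request, ownHosts),
    legitimate: hardenedDevice(
      { method: "GET", path: "/status", headers: { host: "192.168.1.50" } }, ownHosts),
  };
}
```

Because the rebound request is same-origin from the browser's point of view, no Origin header is sent and CORS never applies; the Host header is the one signal the device still has, which is why the check belongs on the device rather than in the browser.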