Hi @KiwiShawn, I get your privacy and security concerns. For better or worse, the new app uses what I call a “split architecture” common to many smart home devices: both the mobile app and your Sonos devices communicate with Sonos servers in the cloud. There is no way to “turn this off” … indeed, restricting connectivity (via firewall rules or DNS filtering) currently disables functionality like alarms.
Consider changing to a strong Sonos password: visit https://www.sonos.com/en-us/myaccount/user/profile and click the “Reset password” link. At present, Sonos does not support 2FA.
I understand the playback of audio and control of Sonos products has always been possible remotely over the internet using the Sonos API; an example of that is Spotify ‘direct control’, which has been possible for as long as I can remember. Now Sonos have just simply provided the user with a web interface to go with what’s always been available.
I don’t think there is a way to opt out because the streaming music services seen in the App, ie. Sonos Radio, Amazon Music etc. would likely have no access to stream to your products too.
Anyhow, to maybe discuss it further, you are probably best to speak with Sonos customer support via this link:
https://support.sonos.com/s/contact
In my own case, I access a good many things on my home network ‘remotely’ these days, including Hue Lights, Louvolite Blinds, Hive Heating, Ring Doorbell, Smart Plugs, Security Cameras, Room sensors, as well as my Sonos products and a good many other things besides, but if it now bothers you, then perhaps speak with Sonos Staff about the issue.
A bit apples and oranges, Ken. Spotify direct control enables the Spotify App to play music on your Sonos devices. Technically, Sonos devices “reach out” and play music directly from Spotify’s servers; ditto for Sonos Radio, Amazon Music, and other streaming services.
As I mentioned in my earlier post above, you highlight a number of smart home (aka IoT) devices that feature a “split architecture”: your [Hue, Louvolite, Hive, Ring] mobile apps and the hardware devices communicate with vendor-specific servers in the cloud. I should clarify that both sides of the equation—the mobile apps and the hardware devices—initiate communication with the servers in the cloud.
Prior to last month Sonos was not using a split architecture. Now that Sonos servers are “in the loop” for both the new mobile apps and the new web app, it is entirely reasonable to expect a commensurate level of security. One very concrete step that Sonos should take (and I’ve already submitted this) is implementing two-factor authentication (2FA).
Yeah, 2FA is a must ASAP. At a minimum, they should respond to the security concerns and let us know the plans.
I will probably be in/out of the Sonos Web App a lot, when sat at my PC, or laptop, particularly once the old Desktop controller App has perhaps been obsoleted, so I will likely not use 2FA on a regular basis, that’s if it hinders daily access, but if people want that, and Sonos are agreeable, then I’m not objecting to it, as long as I can choose to not implement it on some days and perhaps enable it when not using the Web App. I can’t think of using 2FA for my other smart-home products, but I probably will never use those as much as the Sonos Web App in any event. Personally I’m fine with using a username and password as that type of similar security is what also protects my local WiFi network (and local router) too.
Hi @Ken_Griffiths, 2FA is opt-in by definition so you’re good! FWIW, I don’t have to log into the web app every time I use it … so even those of us who desire stronger security would not be inconvenienced by the addition of 2FA.
Please accept the following suggestion in the sincerely constructive manner it is sent: consider enabling 2FA on your Ring account. Cameras are a prime target of ne’er do wells and we’ve seen attacks exploit vulnerabilities in these smart home products. You’ll only need to perform 2FA when you login to the Ring app, not every time you open it, and it will increase your security quite a bit.
The way 2FA typically works is that it won’t ask for authentication on known devices, or at least not often. But if you attempt to log in from a new location you will need to authenticate. So it will not be a bother on a day-to-day basis. Also, I would imagine that Sonos, if they decided to do this, would make it optional.
Ah thanks.
In my head, 2FA should only be required when logging on via the web - I’m less concerned about 2FA when accessing from my home network. I also think that changing your architecture and exposing passwords that have typically only been used on your local network is a very different risk profile from making those the same passwords used on the internet - my standard for passwords on the internet is 30+ characters, but at home I typically use fewer characters and less complexity, as they are more likely to be manually typed rather than form-filled by a password manager.
I get that I have no ability to change this, but it sucks and highlights just how little Sonos seems to care about customers (and security).