SONOSNet Security

  • 23 February 2017
  • 7 replies

When using the Boost to generate the dedicated SONOSNet can you apply standard network security to this network? I am specifically looking for a MAC address based acces control mechanism to ensure only my authorized devices are able to gain access to my home network.

This topic has been closed for further comments. You can use the search bar to find a similar topic, or create a new one by clicking Create Topic at the top of the page.

7 replies

MAC address filtering is a waste of time as a security measure, as any internet search would reveal. Legitimate MACs can be sniffed off the air and used to spoof the address for a potential intruder.

SonosNet relies on AES encryption.
I agree that a determined individual could bypass the MAC filtering; however, to keep a less capable person from attempting to jump on an open network, it is effective. I also subscribe to a layered or defense in depth strategy.

So does SonosNet solely rely on AES encryption or can it also provide MAC access control?


In another related thread (trojan horse) you wrote:

There are things you could do to police the situation if you want. Check your Sonos account profile for registered devices which you don't recognise. Run a network monitor of some kind to look for unrecognised MAC addresses. (It should be next to impossible to spoof a Sonos unit's MAC.)

So what changed your mind on MAC address spoofing from last month? Not necessarily question the statement on ability to spoof the address as I understand it and have seen it done in a lab environment, but have you seen it happen the wild?

I work from home as well as have my thesis research and paper on this network; therefore, I am always looking to ensure my personal network is well protected. I just got my first Sonos device and looking to expand, but first I am doing my homework on how to effectively and securely grow the network.

For steering devices, sure, MAC filtering has a place. But as I say, anyone with a will could break it.

At the wireless link level, SonosNet security is via AES (basically WPA2). The SSID is hidden, and the passkey inaccessible to the user. There's no MAC control to my knowledge. However at a higher level two devices must share the same Sonos Household ID to be able to communicate. This prevents different systems from bridging together.

There are doubtless other factors involved. I suggest that if you want to pursue this further you make private enquiries with Sonos by opening a support request ticket. For obvious reasons their staff have been reluctant to discuss the technicalities in public.
So what changed your mind on MAC address spoofing from last month?
As I recall, that related to a theoretical scenario where someone might break in and secretly associate a rogue Sonos device with the system. In theory such a device, having cloned the security details, could be set up within range and bridged into the network. But to do so the intruder would first have had to gain access to the property, in which case the door's wide open anyway.
Userlevel 7
Badge +26
Some more details that might help too, even when players are setup in a BOOST configuration, the router is still the device assigning IPs and controlling network traffic. If you have MAC address filtering enabled on the router you can be using its settings for controlling what devices are able to connect to your network.

The SonosNet configuration has your BOOST operating much like a wireless access point that you'd have set up at home. With the correct credentials, you can connect a device to the wireless but then it gets sent to the router for final connection. If the router rejects the device, it's not going to get connected.
True, an IP request could obviously be refused by a DHCP server. However any WiFi MAC filtering is traditionally a layer 2 function.