Speaker password feature needed ASAP!

  • 12 August 2018
  • 86 replies
  • 2698 views

Userlevel 2
Badge +3
Sonos please task one of your engineers with adding a password option to the Sonos system just like Apple has done with their HomePods!

AirPlay 2 is a game changer when it comes to an open system like Sonos because any device with AirPlay 2 capability can take control of a Sonos system without intentionally installing the Sonos app. While this is convenient on some networks it is a royal pain in the arse for others.

Take my home network as an example. I have two wireless networks - one for the family and one for guests. The guest network has no access to Sonos which is great. But everyone on the family network can control any speaker in the Sonos system because there is no way to secure them. Unfortunately I can't put them on a separate subnet due to the shared media and backup servers. Sure, I ask them not to connect to certain speakers and groups, but they don't see the harm in having the house filled with their cool tunes while I'm at work. Can't really blame them but it causes problems with the neighbors and even me (sucks to ask Alexa to play CNN on a speaker and have it blaring close to full volume because someone forgot to turn it down).

BTW, this wasn't much of a problem before the AirPlay 2 update because none of the kids had the Sonos app installed on their devices but now they connect without a second thought.

Please give us the option to protect speakers and groups of speakers.

This topic has been closed for further comments. You can use the search bar to find a similar topic, or create a new one by clicking Create Topic at the top of the page.

86 replies

Userlevel 7
Badge +20
Hi there,

Thanks for the suggestion. I'll send along a feature request to add password protection to the Sonos system. For right now, the best way to limit access to the system is to use a guest network for internet access, but keep your Sonos system and music library shares on the private, password protected network.

everyone on the family network can control any speaker in the Sonos system because there is no way to secure them. Unfortunately I can't put them on a separate subnet due to the shared media and backup servers. Sure, I ask them not to connect to certain speakers and groups, but they don't see the harm in having the house filled with their cool tunes while I'm at work. Can't really blame them but it causes problems with the neighbors and even me (sucks to ask Alexa to play CNN on a speaker and have it blaring close to full volume because someone forgot to turn it down).


Sounds like a discipline issue to me, not a Sonos issue... 😛
Userlevel 2
Badge +3
For right now, the best way to limit access to the system is to use a guest network for internet access, but keep your Sonos system and music library shares on the private, password protected network.

Unfortunately that solution doesn't work if you already have a guest network for "guests" while there are other network resources that are shared with family members that you wouldn't share with guests.
Userlevel 2
Badge +3
Sounds like a discipline issue to me, not a Sonos issue... :P

Maybe some of both. IMO having unsecured devices on our networks is very risky and it is only a matter of time before we see malware that infects PCs with the goal of gaining access to the unsecured Sonos devices.

https://www.wired.com/story/hackers-can-rickroll-sonos-bose-speakers-over-internet/

"The unfortunate reality is that these devices assume the network they're sitting on is trusted, and we all should know better than that at this point," says Mark Nunnikhoven, a Trend Micro research director. "Anyone can go in and start controlling your speaker sounds," if you have a compromised device, or even just a carelessly configured network."

"The researchers note that audio attack could even be used to speak commands from someone's Sonos or Bose speaker to their nearby Amazon Echo or Google Home. They went so far as to test out the attack on the Sonos One, which has Amazon's Alexa voice assistant integrated into its software. By triggering the speaker to speak commands, they could actually manipulate it into talking to itself, and then executing the commands it had spoken.

Given that those voice assistant devices often control smart home features from lighting to door locks, Trend Micro's Nunnikhoven argues that they could be exploited for attacks that go beyond mere pranks. "Now I can start to run through more devious scenarios and really start to access the smart devices in your home," he says."
From your link above:

Instead, if you own one of a few models of internet-connected speaker and you've been careless with your network settings, you might be one of thousands of people whose Sonos or Bose devices have been left wide open to audio hijacking by hackers around the world.


Read the bold. Also, Sonos has already patched this security risk for those that are stupid enough to open port 1400 to the entire world.
Userlevel 2
Badge +3
IMO, a design where anything with access to my home network can also connect to any Sonos device on my network without authentication is rife for abuse and exploits. I can lock down our network settings to prevent hackers from getting in the front door but there have been router exploits in the past and we are likely to see more in the future. Another example of an attack vector would be Malware that is spread via email and websites that users on the network access. IMO, as long as Sonos devices lack authentication they are an easy target because there is no such thing as a 100% secure home network if that network is also connected to the internet.
IMO, a design where anything with access to my home network can also connect to any Sonos device on my network without authentication is rife for abuse and exploits. I can lock down our network settings to prevent hackers from getting in the front door but there have been router exploits in the past and we are likely to see more in the future. Another example of an attack vector would be Malware that is spread via email and websites that users on the network access. IMO, as long as Sonos devices lack authentication they are an easy target because there is no such thing as a 100% secure home network if that network is also connected to the internet.

Then every smart device you own is "rife for exploit" if you are opening up your router to full access to the outside.

And that article said nothing about those other attacks, it was strictly about people who stupidly opened their routers up and basically yelled "C'mon in y'all!"

Look, you have a good case for wanting a PIN or password on your system. Allying yourself with the numbskulls who purposefully opened up their systems because they know nothing about networking does nothing but hurt that case.
Userlevel 2
Badge +3
Then every smart device you own is "rife for exploit" if you are opening up your router to full access to the outside.

Sonos devices (and any other network connected device that lacks secure authentication) are rife for exploit on any network that is connected to the internet because the idea that your network is secure just because you sit behind a firewall is a myth.

https://www.securitymagazine.com/articles/89098-is-the-internet-of-things-impossible-to-secure

The KRACK attack is another example showing that our networks are not as secure as we think: https://www.krackattacks.com/. Luckily this was shared by the researchers allowing for a backward compatible patch but hackers don't share their exploits so there is no telling what exploits are out there that haven't been patched.

Because Sonos devices lack authentication they are exposed to intruders using methods that no one outside of the hacker community is aware of!
As I stated, linking yourself with these types of articles is bad for your cause. I for one would hesitate before supporting any passwords on the system when this type of paranoia is the basis of the argument.
Userlevel 2
Badge +3
As I stated, linking yourself with these types of articles is bad for your cause. I for one would hesitate before supporting any passwords on the system when this type of paranoia is the basis of the argument.

So be it. IMO, having an understanding of the weaknesses inherent in network security is a good thing if you are going to deploy network connected devices that lack authentication because nets are constantly under attack.

http://map.norsecorp.com/
This thread originally had nothing to do with security issues, and people dumb enough to open port 1400 already lost us very valuable diagnostic tools. I'd hate to see what we lose next due to you attempting to cash in on security fears to get your personal wish for passwords to keep your kids from screwing up your volume and groupings.
Userlevel 2
Badge +3
Optional authentication, similar to what we see in Apple's HomePod, shouldn't cause you to lose anything you already have. Instead it provides security to those customers that need it.
I agree with the user chicks, that this is firstly a discipline issue. There is some slight paranoia also creeping into the thread about breaching the 'trusted private network' and it now being a threat from hackers. If the latter was the case, then I’m certainly not going to worry too much about password protecting my speakers, or echo devices, as neither of those things are going to harm me too much, comparatively speaking.

Even a passerby to my home, can shout commonly known Alexa instructions through a letter box, here in the UK, and I do try to cater for that type of scenario already, well as best I can, by switching off the microphones at the front of the home when we’re out and about. I switch the devices off altogether when we go on holiday. The external cameras would alert me anyway to anyone up to no good in this way (I hope). Kids shouting to Alexa through a letterbox though can be a pain, I guess, but it’s usually no worse than them knocking the front door and running away.

I think for the reasons stated, I would firstly look to discipline my kids and the next is, I would try to remember to switch off my mic or the accessible devices when away from home and if the network is hacked via the internet etc, then perhaps worry more so about other things the hacker could get hold of, rather than just controlling the Sonos or Alexa system. If a user were at home, they would of course hear these things (Alexa commands) being used anyway.

Security of my music system and echo devices is probably the least of my worries, but I do try to think sensibly about all the potential issues.

The case of any kids in the house blasting out music and perhaps not doing as they are told, is easily solved, surely?
Userlevel 2
Badge +3
There is some slight paranoia also creeping into the thread about breaching the 'trusted private network' and it now being a threat from hackers. If the latter was the case, then I’m certainly not going to worry too much about password protecting my speakers, or echo devices, as neither of those things are going to harm me too much, comparitively speaking.
Internet connected devices have the capability to cause a great deal of harm if they are controlled by hackers. That is not paranoia, it is a fact that troubles those of us that work on security as part of our jobs.

The INTERNET OF THINGS (IOT) SECURITY BEST PRACTICES paper might be educational for you and others that believe it is OK to have unsecured devices on your networks.

https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_may_2017.pdf

"5. Use strong authentication

IoT devices should not use easy-to-guess username/password credentials, such as admin/admin. Devices should not use default credentials that are invariant across multiple devices and should not include back doors and debug-mode settings (secret credentials established by the device's programmer) because, once guessed, they can be used to hack many devices.

Each device should have a unique default username/password, perhaps printed on its casing, and preferably resettable by the user. Passwords should be sophisticated enough to resist educated guessing and so-called brute force methods.

Where possible we recommend two-factor authentication (2FA), which requires a user to employ both a password and another authentication form that does not rely on user knowledge, such as a random code generated via SMS text messaging. For IoT applications, we especially encourage the use of context-aware authentication (CAA), also known as adaptive authentication, which use contextual information and machine-learning algorithms to continuously evaluate risk of malice without bother to the user by demanding authentication. If risk is high, then the subscriber (or hacker) would be asked for a multi-factor token to continue having access."

The case of any kids in the house blasting out music and perhaps not doing as they are told, is easily solved, surely?
I agree, all Sonos has to do is follow Apple's lead with the HomePod and give us the option to enable authentication. That addresses the many requests that Sonos has received for this feature.
They already have strong authentication when accessing Sonos from the outside. You cannot add a new unit and/or link a service account without authentication. So you can drop the "security" risk nonsense, it has already been plugged.

Of course this has nothing to do with adding permissions/passwords for features within the app itself.

Because Sonos devices lack authentication they are exposed to intruders using methods that no one outside of the hacker community is aware of!


But authentication isn't any guarantee that hackers won't find a way into your system, since we are talking in the realm of possible, not probable. Your very example illustrates that point since any hacker would first have to get past the wifi authentication before your hypothetical Sonos level authentication would be a factor. So you have a wall around your system that potentially has an unknown flaw in it, and you want to fix that potential problem by adding a second that most likely would have the same unknown flaw?
Userlevel 2
Badge +3
They already have strict authentication when accessing Sonos from the outside. You cannot add a new unit and/or link a service account without authentication.

That protects a different part of the system. It doesn't do anything to keep someone with access to the network from gaining control of the hardware.

You and others are making the assumption that your network is secure and impenetrable. It is not, no network is, that is why it is very important to have device level authentication.
Userlevel 6
Badge +15
This thread originally had nothing to do with security issues, and people dumb enough to open port 1400 already lost us very valuable diagnostic tools. I'd hate to see what we lose next due to you attempting to cash in on security fears to get your personal wish for passwords to keep your kids from screwing up your volume and groupings.

You keep on saying open port 1400 to the outside world, and are missing the fact that the bulk of exploitation nowadays doesn’t work that way. Cross site scripting, infected documents, phishing messages and other client side exploits are the rule rather than the exception these days. If a malicious actor infects a legitimate site you connect to, say this one, and your browser downloads JavaScript, it could be used to access internal systems. OP is presenting a legitimate, verified and documented real world attack, and you keep dismissing him with the port 1400 argument.
@airforceteacher, I'm not following how that impacts Sonos. So you have a PC/Mac/phone that's infected through the method you described. Can those things then exploit your Sonos firmware in any way? What is it about those exploits that would be blocked by authentication on Sonos?

I'm not a security expert, honest question.

You keep on saying open port 1400 to the outside world, and are missing the fact that the bulk of exploitation nowadays doesn’t work that way. Cross site scripting, infected documents, phishing messages and other client side exploits are the rule rather than the exception these days. If a malicious actor infects a legitimate site you connect to, say this one, and your browser downloads JavaScript, it could be used to access internal systems. OP is presenting a legitimate, verified and documented real world attack, and you keep dismissing him with the port 1400 argument.


None of which has anything whatsoever to do with Sonos app or hardware, lol.
Userlevel 6
Badge +15

None of which has anything whatsoever to do with Sonos app or hardware, lol.


Lol - yes it does. Anything installed on a modern network should be designed to protect itself against internal and external issues. That’s a basic standard of security today, and I agree with OP that Sonos should provide that capability to require authentication locally. Make it an option, so those who want it can turn it on, but leave it off for others.

However, security is primarily about risk management, and the risk of some attacker randomly choosing you to attack and then choosing your Sonos speaker instead of a poorly configured windows, Mac or android device in your network is quite low. Sonos probably does not have high enough market penetration to make that a major risk for home users. I would not allow Sonos on my main network in a workplace - it would be on a protected vlan that required authentication to access, and limit control of the speakers to authorized parties. And would still have some concerns.
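An added example, not part of this thread and not Sonos code, for the point made above about limiting control of the players to authorized parties. The thread names TCP/1400 as the port the players are controlled through; everything else here is constructed for the example: the simplified connection-log format, the player and controller addresses, and the allowlist. The first function audits a log for LAN hosts that reached a player's control port without being allowlisted (the check a parent in the OP's position would want before blaming anyone), and the second renders the matching nftables rules. The rules only help if the players sit on their own subnet so their traffic actually crosses the router; traffic between two hosts on the same subnet never reaches a router firewall, and a later reply in this thread notes the Sonos app expects to be on the same subnet as the players, so that segmentation is not free.

```python
"""Audit a LAN connection log for hosts that control Sonos players without being
on an allowlist, and render a matching firewall policy.

Added example for this thread, not Sonos code. Everything here is constructed:
the log format, the speaker and controller addresses, and the allowlist.
Only TCP/1400 as the Sonos control port comes from the thread itself.
"""
import re

SONOS_CONTROL_PORT = 1400  # UPnP/SOAP control port named in the thread

# Hypothetical addresses for the example: two players and one trusted phone.
SPEAKERS = {"192.168.1.50", "192.168.1.51"}
ALLOWED_CONTROLLERS = {"192.168.1.10"}

# Constructed, simplified log format: "<ts> <src> -> <dst> <proto>/<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<proto>tcp|udp)/(?P<dport>\d+)$"
)

# Constructed sample log: one allowed controller, two unknown hosts, one
# unrelated HTTPS flow, one SSDP datagram and one malformed line.
SAMPLE_LOG = """\
2018-08-12T09:01:02 192.168.1.10 -> 192.168.1.50 tcp/1400
2018-08-12T09:01:05 192.168.1.23 -> 192.168.1.50 tcp/1400
2018-08-12T09:02:10 192.168.1.23 -> 192.168.1.51 tcp/1400
2018-08-12T09:03:00 192.168.1.77 -> 192.168.1.1 tcp/443
2018-08-12T09:04:31 192.168.1.42 -> 192.168.1.51 tcp/1400
2018-08-12T09:04:40 192.168.1.42 -> 192.168.1.51 udp/1900
this line is deliberately malformed and must be skipped
2018-08-12T09:05:00 192.168.1.23 -> 192.168.1.50 tcp/1400
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_unauthorized_controllers(log_text, speakers=SPEAKERS, allowed=ALLOWED_CONTROLLERS):
    """Map each non-allowlisted source that reached a player's control port to
    how often it did so, when it was first seen, and which players it touched."""
    hits = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed line: skip rather than abort the audit
        if rec["proto"] != "tcp" or rec["dport"] != SONOS_CONTROL_PORT:
            continue
        if rec["dst"] not in speakers or rec["src"] in allowed:
            continue
        entry = hits.setdefault(
            rec["src"], {"count": 0, "first_seen": rec["ts"], "targets": set()}
        )
        entry["count"] += 1
        entry["targets"].add(rec["dst"])
    # Freeze the target sets so the result is plain, comparable data.
    return {
        src: {"count": e["count"], "first_seen": e["first_seen"], "targets": sorted(e["targets"])}
        for src, e in hits.items()
    }


def render_nft_rules(speakers=SPEAKERS, allowed=ALLOWED_CONTROLLERS):
    """Render nftables rules (hypothetical forward-chain fragment) that let only
    allowlisted hosts reach the control port and drop everyone else. Assumes the
    players are on their own subnet so this traffic crosses the router."""
    spk = ", ".join(sorted(speakers))
    rules = []
    for src in sorted(allowed):
        rules.append(f"ip saddr {src} ip daddr {{ {spk} }} tcp dport {SONOS_CONTROL_PORT} accept")
    rules.append(f"ip daddr {{ {spk} }} tcp dport {SONOS_CONTROL_PORT} drop")
    return "\n".join(rules)


if __name__ == "__main__":
    for src, info in sorted(find_unauthorized_controllers(SAMPLE_LOG).items()):
        print(f"{src}: {info['count']} control connections, first seen {info['first_seen']}, players {info['targets']}")
    print(render_nft_rules())
```

Run it as a script against the embedded sample and it reports the two unknown hosts (the HTTPS flow and the UDP/1900 discovery datagram are ignored, the malformed line is skipped) and prints the two-rule policy. Point `find_unauthorized_controllers` at real router or switch flow logs once you have adapted `LINE_RE` to their format.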


Lol - yes it does. Anything installed on a modern network should be designed to protect itself against internal and external issues. That’s a basic standard of security today, and I agree with OP that Sonos should provide that capability to require authentication locally. Make it an option, so those who want it can turn it on, but leave it off for others.


Sigh. These exploits have nothing whatsoever to do with any Sonos vulnerability. The bad guys are entering your network via other gateways, not via Sonos. You’ve missed the entire point.

Besides, what attacker, once inside your network, is going to go after your Sonos speakers? What would be the point? He’s going to go through your email, your banking and investing software, looking for ways to get to your online accounts. Sonos speakers are the very last thing of interest, lol.

Lol - yes it does. Anything installed on a modern network should be designed to protect itself against internal and external issues. That’s a basic standard of security today, and I agree with OP that Sonos should provide that capability to require authentication locally. Make it an option, so those who want it can turn it on, but leave it off for others.


So your reasoning is based on the principle of the matter instead of an actual way that scripting, phishing, etc could infect a Sonos device?
Userlevel 2
Badge +3
Sigh. These exploits have nothing whatsoever to do with any Sonos vulnerability. The bad guys are entering your network via other gateways, not via Sonos. You’ve missed the entire point.
Those exploits are absolutely related to IoT security. Once inside your network hackers will attempt to gain access to any device on your network. Preventing that access is the point of device level authentication on IoT devices.

So your reasoning is based on the principle of the matter instead of an actual way that scripting, phishing, etc could infect a Sonos device?
Those exploits allow a hacker to gain access to your network. Once they are in your network they can gain access to any unprotected network resource such as Sonos devices.
And just how is the nefarious hacker going to "access" your Sonos? He can't load the Sonos app, it is required to be on the same subnet. He could load his Spotify account and then control your Sonos via Spotify, except . . . Whoops! Sonos requires authentication for that. Well what if he decides to add his own Sonos device and then control through that, except . . . Whoops! Sonos requires authentication for that. Well, what if he gets into port 1400 from the outside and starts rebooting devices or anything else from the diagnostic menus except . . . Whoops! Sonos removed any nefarious items from the diagnostics.

So exactly what are they going to do, look at your Sonos devices? I imagine they could try to send UPnP messages to a unit to start it playing, but there isn't anything authentication at the app level is going to do about that.