Sonos, please task one of your engineers with adding a password option to the Sonos system, just like Apple has done with their HomePods!
AirPlay 2 is a game changer when it comes to an open system like Sonos because any device with AirPlay 2 capability can take control of a Sonos system without intentionally installing the Sonos app. While this is convenient on some networks, it is a royal pain in the arse for others.
Take my home network as an example. I have two wireless networks - one for the family and one for guests. The guest network has no access to Sonos, which is great. But everyone on the family network can control any speaker in the Sonos system because there is no way to secure them. Unfortunately I can't put them on a separate subnet due to the shared media and backup servers. Sure, I ask them not to connect to certain speakers and groups, but they don't see the harm in having the house filled with their cool tunes while I'm at work. Can't really blame them, but it causes problems with the neighbors and even me (sucks to ask Alexa to play CNN on a speaker and have it blaring close to full volume because someone forgot to turn it down).
BTW, this wasn't much of a problem before the AirPlay 2 update because none of the kids had the Sonos app installed on their devices, but now they connect without a second thought.
Please give us the option to protect speakers and groups of speakers.
And what's the point of gaining access to a music system? Try and blackmail you because of your bad taste in music?
Too funny!
There is no point. The OP wants passwords to keep his kids from messing with the system. He piggybacked this request onto a "sky is falling" security scare, thinking it would lend more weight.
Wow. There are any number of things that could be done, but apparently you guys don’t want to think about them. The Mirai botnet in November 2016 was made up of internet of things devices. Machines on your internal network are exposed when another system is infected.
However, as I said before, the risk is probably low. There are likely just not enough Sonos devices out there for someone to take the effort to find, say, a buffer overflow error, write an exploit, and use that to target other devices or create a backdoor. Home users aren’t a valuable enough target for that level of effort. However, in a professional engagement, if my reconnaissance showed the use of those speakers, I’d sure as heck have someone on my team look at Sonos for vulnerabilities to allow control over the device. My most likely goal would be to launch a reverse direction VPN server on the Sonos device to allow someone to connect to me and gain access to the internal network at will.
Back to the OP's original question: lots of people with families or visitors would probably like to have some control preventing access to the speakers from anyone with the appropriate app. It's a good suggestion on its own merits.
Addendum: Not every suggestion should be refuted nastily as an attack on Sonos.
The brain of each Sonos device is a network-connected computer. Not a good thing to leave unsecured, because we can't be sure our networks are secure; in fact it is better to assume the network is not secure and therefore secure each device connected to the network.
So tell me, how do you log into that network-connected computer?
I only attacked him because he was equating his lack of password protection for rooms/actions/volume within the Sonos app with a lack of security at the network level, which is nonsense. You can have all the passwords in the world at the app level, and still be insecure at the network level (and vice versa).
There are more ways than I can count and many more that I've never heard of. It is a constant game of cat and mouse for the security industry.
https://www.wired.com/story/elaborate-hack-shows-damage-iot-bugs-can-do/
I don't need "more ways than I can count", I asked for one.
Just one.
Surely you can give me one way that you can log into a Sonos device in order to deliver mayhem.
And then when (If?) you give me one, explain how passwords for certain functions/rooms/volume in the app would prevent it.
I didn't equate them, you did. I'm pointing out that our networks are not as secure as we think (the attack vector is irrelevant). Therefore unsecured devices on our networks are wide open targets for hackers and other mischief makers.
You didn't answer the question. Please name just ONE instance where a hacker has successfully obtained the root login for a Sonos device, logged in, and used it to do anything at all. I'll wait...
So what does that have to do with a thread asking for passwords to prevent your kids from operating certain parts of Sonos? If you were not equating them, why mention it? And what is it about passwords for your kids at the Sonos app level that will "secure" those "unsecured" devices?
Exactly. I worked on a Unix-based POS system installed in hundreds of commercial properties once. We had dial-up support, and the system was protected by a randomized root password that changed at a variable time interval. Unless you had the PGP-protected password generator installed on your support system and the private key, there was no way to log in, and no way to crack the root password before it switched.
I would be surprised if Sonos has anything less, considering that was 20+ years ago.
And oh, btw,
And?
There are always other methods to gain access to a system. Just because we aren't aware of them doesn't mean they don't exist. Although a dial-up attack could be significantly more challenging than an attack on an internet-connected device.
There are many different ways to poke a device for information. IMO, this article is just the tip of the iceberg.
https://securelist.com/iot-hack-how-to-break-a-smart-home-again/84092/
So that would be a "No" on my request for you to tell me exactly one way to log into a Sonos device?
Gotcha.
And the dial-up mention was superfluous. My main point is gaining root access to a device is not easy.
Also, still waiting on how passwords at the app level have anything to do with this security tangent, or how they will help secure the terribly unsecured Sonos devices.
Depends on the device. Some are easy, some are challenging, none are bullet proof.
You are making the assumption that app-level access is safe. It is not. Exploiting a bug or security weakness in an app to gain root access is a common attack vector. Because the Sonos device is unprotected at the API level, that common attack vector is readily available.
I'm a natural worrier about all sorts of things, but to be honest I don't see anything to worry about with the security of the Sonos system 🙂 I personally would hate it if I had to enter a password to use the system, so if it ever comes to fruition I'd hope it would be an option rather than compulsory.
I'm in agreement on this. Give the option, but make it something I can turn on and off depending upon my environment. Best bet would be that it requires authentication the first time an instance of the app connects, then remembers that, similar to the way AirPlay works.
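The "authenticate once per app instance, then remember it" design proposed above can be modelled as a small pairing flow on the speaker side. The code below is an added illustration, not Sonos code and not how the Sonos or AirPlay protocols are actually implemented; the `Speaker` class, its method names and the PBKDF2/token scheme are all assumptions chosen for the example. A controller proves knowledge of the owner's password once and receives a random per-instance token; later requests carry only that token, the speaker stores only a hash of it, and the owner can revoke an instance without changing the password.

```python
"""Pair-on-first-connect access control for a network speaker (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Speaker:
    name: str
    # Owner password is stored only as a salted PBKDF2 hash (assumed scheme).
    _pw_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    _pw_hash: bytes = b""
    # instance_id -> sha256(token). The token itself lives only on the controller.
    _paired: Dict[str, bytes] = field(default_factory=dict)

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._pw_salt, 100_000)

    def set_password(self, password: str) -> None:
        """Owner enables protection on this speaker by setting a password."""
        self._pw_hash = self._kdf(password)

    def pair(self, instance_id: str, password: str) -> Optional[str]:
        """First connection of an app instance: check the password once and
        hand back a random token that the app keeps and reuses afterwards."""
        if not hmac.compare_digest(self._kdf(password), self._pw_hash):
            return None  # wrong password, or no password has been set
        token = secrets.token_urlsafe(32)
        self._paired[instance_id] = hashlib.sha256(token.encode()).digest()
        return token

    def authorize(self, instance_id: str, token: Optional[str]) -> bool:
        """Every later request carries instance id + token; no password prompt."""
        expected = self._paired.get(instance_id)
        if expected is None or token is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(presented, expected)

    def revoke(self, instance_id: str) -> None:
        """Owner removes one app instance (e.g. a kid's phone) without touching others."""
        self._paired.pop(instance_id, None)

    def play(self, instance_id: str, token: Optional[str], what: str) -> str:
        """A control request; refused unless the instance is paired."""
        if not self.authorize(instance_id, token):
            return f"{self.name}: refused {what!r} from {instance_id}"
        return f"{self.name}: playing {what!r} for {instance_id}"


def demo() -> dict:
    """Walk through the flow with constructed instance ids and return the outcomes."""
    kitchen = Speaker("Kitchen")
    kitchen.set_password("correct horse battery staple")  # constructed password
    results = {}
    results["wrong_pw"] = kitchen.pair("dad-phone", "guess") is None
    token = kitchen.pair("dad-phone", "correct horse battery staple")
    results["paired"] = token is not None
    results["play_ok"] = kitchen.play("dad-phone", token, "news").startswith("Kitchen: playing")
    # An app on the same LAN that never paired gets nothing, token or not.
    results["unpaired"] = kitchen.play("kid-tablet", None, "loud tunes").startswith("Kitchen: refused")
    results["stolen_token_other_id"] = kitchen.play("kid-tablet", token, "loud tunes").startswith("Kitchen: refused")
    kitchen.revoke("dad-phone")
    results["after_revoke"] = kitchen.play("dad-phone", token, "news").startswith("Kitchen: refused")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point worth noticing is that this only decides who may drive the speaker; it does nothing for the underlying firmware. A paired token gates the control API for anyone on the LAN (kids included), while the network-level concerns raised elsewhere in the thread are a separate layer.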
How? The app cannot be used unless you are on the same subnet. And how are passwords in the app supposed to secure the API, assuming it is insecure?
As implemented on Sonos, AirPlay doesn't require a password, and I haven't found a way to give it one.
In the scenario presented above the hacker has gained access to the network via one of the many exploits out there; therefore they have access to all unprotected devices on that network.
But the hacker is still not on the same subnet. Unless you are saying they have gained access to your device's controller app on your network? In that case, you are entering a password every time you enter the controller, an annoying scenario at best.
Look, you painted yourself into a corner here. You tried to piggyback on security, and are now talking silly scenarios to justify it. You want passwords for your kids, a legitimate request, but one which has nothing to do with network security. End it there.
If they have gained access to the network where the Sonos devices reside, then they can poke, prod, control and attempt to hack those devices. That is an indisputable fact. How they gained access to the net and what devices they are using to attack the Sonos devices is not important.
Perhaps this article will help: https://blog.sucuri.net/2014/11/most-common-attacks-affecting-todays-websites.html