Speaker password feature needed ASAP!

  • 12 August 2018
  • 86 replies
  • 2712 views



Gosh the paranoia is still growing here for one or two.

My home is well protected and locked, but I will never see the point in putting a padlock on my bedroom door that I would then have to open/close every time I entered/exited that part of the premises. There’s nothing in the bedroom anyway, the good stuff is all in the secure safe downstairs.

I don’t see the point in padlocking the bedroom door at all, as that does absolutely nothing to help keep my safe secure, even if the thief can get into the house in the first place.

And there is the analogy for me.
Too bad, control from those apps is actually a way someone could gain access to Sonos from the outside, unlike your absurd scenarios. Then again, that is why Sonos has secured them.
Hacking those apps/services would be several orders of magnitude more difficult than gaining access through the common attack vectors mentioned in this thread.


Nonsense. All you would need to do is gain access to your network and sign on your app and you would have almost full control over the Sonos devices. Which is why Sonos requires you to link with your Sonos account, using a password.

Still snipping I see. I don't know why you keep trying to take the focus off your original request. It's ok, I'll play along.
Userlevel 2
Badge +3
Too bad, control from those apps is actually a way someone could gain access to Sonos from the outside, unlike your absurd scenarios. Then again, that is why Sonos has secured them.
Hacking those apps/services would be several orders of magnitude more difficult than gaining access through the common attack vectors mentioned in this thread.
Too bad, control from those apps is actually a way someone could gain access to Sonos from the outside, unlike your absurd scenarios. Then again, that is why Sonos has secured them.

Oh by the way, your insistence on defending this security tangent has taken all the focus off your original request. Not sure that was your intent. Perhaps if you drop the tangent, we can get back on topic.
Userlevel 2
Badge +3
If something were so important for security, you'd think it would be mandatory? Which brings me back to the point that this security topic is a charade.
IMO it should be mandatory but others here feel differently so make it optional. I would definitely have it enabled just like I do for every other device on my net.

To the linking thing, you cannot control via Spotify, Pandora, Alexa, etc. until you link, which requires authentication. No authentication, no control from another subnet, no security risk. Which is the very reason they require it (as opposed to making it optional).
I have not mentioned any of those services and they are not part of this discussion as far as I'm concerned. I'm talking about controlling Sonos devices.
Which would mean you need a password every time you use the app? Not many are fans of that.
Make it optional and when in place give the user the option to save the password in the app they use to control Sonos.

Not to use the app to control Sonos, because that would be annoyingly stupid for 99% of users (see above).
I am talking about controlling Sonos from any app. No authentication is required, at least not as far as I can see.


If something were so important for security, you'd think it would be mandatory? Which brings me back to the point that this security topic is a charade. And saving it in the app would not prevent someone taking over your device and messing with Sonos, the very scenario you present above.

To the controlling from another app thing, you cannot control via Spotify, Pandora, Alexa, etc. until you link the account with your Sonos account, which requires authentication. No authentication, no control from another subnet, no security risk. Which is the very reason they require it (as opposed to making it optional).
Userlevel 2
Badge +3
Which would mean you need a password every time you use the app? Not many are fans of that.
Make it optional and when in place give the user the option to save the password in the app they use to control Sonos.

Not to use the app to control Sonos, because that would be annoyingly stupid for 99% of users (see above).
I am talking about controlling Sonos from any app. No authentication is required, at least not as far as I can see.
Gaining access to your network and being on the same subnet are 2 different things.

If you have gained access to the network it is but a small step to gain access to a device on that net. Once that happens all bets are off.

And it is important if you are claiming an app based password will protect against a lack of network security. That is why they require authentication when linking services and not when loading the Sonos app.

Not sure what you mean. The Sonos device does not require user authentication to control the device from non-Sonos apps.



So you are claiming they are using a controller on your system. Which would mean you need a password every time you use the app? Not many are fans of that.

And it most certainly requires you to authenticate when you initially link your service app to the Sonos app. Not to use the app to control Sonos, because that would be annoyingly stupid for 99% of users (see above).
Userlevel 2
Badge +3
Gaining access to your network and being on the same subnet are 2 different things.

If you have gained access to the network it is but a small step to gain access to a device on that net. Once that happens all bets are off.

And it is important if you are claiming an app based password will protect against a lack of network security. That is why they require authentication when linking services and not when loading the Sonos app.

Not sure what you mean. The Sonos device does not require user authentication to control the device from non-Sonos apps.
But the hacker is still not on the same subnet.

If they have gained access to the network where the Sonos devices reside then they can poke, prod, control and attempt to hack those devices. That is an indisputable fact. How they gained access to the net and what devices they are using to attack the Sonos devices is not important.


Gaining access to your network and being on the same subnet are 2 different things. And it is important if you are claiming an app based password will protect against a lack of network security. That is why they require authentication when linking services and not when loading the Sonos app, because apps from services like Spotify don't need to be on the same subnet.

And stop with the judicious snipping. Answer the whole post or don't answer at all.
Userlevel 2
Badge +3
But the hacker is still not on the same subnet.

If they have gained access to the network where the Sonos devices reside then they can poke, prod, control and attempt to hack those devices. That is an indisputable fact. How they gained access to the net and what devices they are using to attack the Sonos devices is not important.

Perhaps this article will help: https://blog.sucuri.net/2014/11/most-common-attacks-affecting-todays-websites.html
How? The app cannot be used unless you are on the same subnet.

In the scenario presented above the hacker has gained access to the network via one of the many exploits out there, therefore they have access to all unprotected devices on that network.


But the hacker is still not on the same subnet. Unless you are saying they have gained access to your device's controller app on your network? In that case, you are entering a password every time you enter the controller, an annoying scenario at best.

Look, you painted yourself in a corner here. You tried to piggyback on security, and are now talking silly scenarios to justify it. You want passwords for your kids, a legitimate request, but one which has nothing to do with network security. End it there.
Userlevel 2
Badge +3
How? The app cannot be used unless you are on the same subnet.

In the scenario presented above the hacker has gained access to the network via one of the many exploits out there, therefore they have access to all unprotected devices on that network.
Userlevel 2
Badge +3
Give the option, but make it something I can turn on and off depending upon my environment. Best bet would be that it requires authentication the first time an instance of the app connects, then remembers that, similar to the way Airplay works.

As implemented on the Sonos, Airplay doesn't require a password and I haven't found a way to give it a password.


You are making the assumption that app level access is safe. It is not. Exploiting a bug or security weakness in an app to gain root access is a common attack vector. Because the Sonos device is unprotected at the API level, that common attack vector is readily available.


How? The app cannot be used unless you are on the same subnet. And how are passwords in the app supposed to secure the API, assuming it is unsecure?
Userlevel 6
Badge +15
I’m a natural worrier about all sorts of things but to be honest I don’t see anything to worry about with the security of the Sonos system 🙂 I personally would hate if I had to enter a password to use the system so if it ever comes to fruition I’d hope it would be an option rather than compulsory.

I’m in agreement on this. Give the option, but make it something I can turn on and off depending upon my environment. Best bet would be that it requires authentication the first time an instance of the app connects, then remembers that, similar to the way Airplay works.
Userlevel 5
Badge +8
I’m a natural worrier about all sorts of things but to be honest I don’t see anything to worry about with the security of the Sonos system 🙂 I personally would hate if I had to enter a password to use the system so if it ever comes to fruition I’d hope it would be an option rather than compulsory.
Userlevel 2
Badge +3
My main point is gaining root access to a device is not easy.

Depends on the device. Some are easy, some are challenging, none are bulletproof.

Also, still waiting on how passwords at the app level have anything to do with this security tangent, or how they will help secure the terribly unsecured Sonos devices.

You are making the assumption that app level access is safe. It is not. Exploiting a bug or security weakness in an app to gain root access is a common attack vector. Because the Sonos device is unprotected at the API level, that common attack vector is readily available.


There are always other methods to gain access to a system. Just because we aren't aware of them doesn't mean they don't exist. Although a dial-up attack could be significantly more challenging than an attack on an internet connected device.

There are many different ways to poke a device for information. IMO, this article is just the tip of the iceberg.

https://securelist.com/iot-hack-how-to-break-a-smart-home-again/84092/


So that would be a "No" on my request for you to tell me exactly one way to log into a Sonos device?

Gotcha.

And the dial-up mention was superfluous. My main point is gaining root access to a device is not easy.

Also, still waiting on how passwords at the app level have anything to do with this security tangent, or how they will help secure the terribly unsecured Sonos devices.
Userlevel 2
Badge +3
I worked on a Unix-based POS system installed in hundreds of commercial properties once. We had dial-up support, and the system was protected by a randomized root password that changed at a variable time interval. Unless you had the PGP-protected password generator installed on your support system and the private key, there was no way to log in, and no way to crack the root password before it switched.

There are always other methods to gain access to a system. Just because we aren't aware of them doesn't mean they don't exist. Although a dial-up attack could be significantly more challenging than an attack on an internet connected device.

There are many different ways to poke a device for information. IMO, this article is just the tip of the iceberg.

https://securelist.com/iot-hack-how-to-break-a-smart-home-again/84092/
And?
Userlevel 6
Badge +15
And oh, btw,

You didn't answer the question. Please name just ONE instance where a hacker has successfully obtained the root login for a Sonos device, logged in, and used it to do anything at all. I'll wait...


Exactly. I worked on a Unix-based POS system installed in hundreds of commercial properties once. We had dial-up support, and the system was protected by a randomized root password that changed at a variable time interval. Unless you had the PGP-protected password generator installed on your support system and the private key, there was no way to log in, and no way to crack the root password before it switched.

I would be surprised if Sonos has anything less, considering that was 20+ years ago.


I didn't equate them, you did. I'm pointing out that our networks are not as secure as we think (the attack vector is irrelevant). Therefore unsecured devices on our networks are wide open targets for hackers and other mischief makers.


So what does that have to do with a thread asking for passwords to prevent your kids from operating certain parts of Sonos? If you were not equating them, why mention it? And what is it about passwords for your kids at the Sonos app level that will "secure" those "unsecured" devices?
So tell me, how do you log into that network connected computer?

There are more ways than I can count and many more that I've never heard of. It is a constant game of cat and mouse for the security industry.

https://www.wired.com/story/elaborate-hack-shows-damage-iot-bugs-can-do/


You didn't answer the question. Please name just ONE instance where a hacker has successfully obtained the root login for a Sonos device, logged in, and used it to do anything at all. I'll wait...