Speaker password feature needed ASAP!

  • 12 August 2018
  • 86 replies
  • 2710 views



I agree with the user chicks, that this is firstly a discipline issue. There is some slight paranoia also creeping into the thread about breaching the 'trusted private network' and it now being a threat from hackers. If the latter was the case, then I’m certainly not going to worry too much about password protecting my speakers, or echo devices, as neither of those things are going to harm me too much, comparatively speaking.

Even a passerby to my home, can shout commonly known Alexa instructions through a letter box, here in the UK, and I do try to cater for that type of scenario already, well as best I can, by switching off the microphones at the front of the home when we’re out and about. I switch the devices off altogether when we go on holiday. The external cameras would alert me anyway to anyone up to no good in this way (I hope). Kids shouting to Alexa through a letterbox though can be a pain, I guess, but it’s usually no worse than them knocking the front door and running away.

I think for the reasons stated, I would firstly look to discipline my kids and the next is, I would try to remember to switch off my mic or the accessible devices when away from home and if the network is hacked via the internet etc, then perhaps worry moreso about other things the hacker could get hold of, rather than just controlling the Sonos or Alexa system. If a user were at home, they would of course hear these things (Alexa commands) being used anyway.

Security of my music system and echo devices is probably the least of my worries, but I do try to think sensibly about all the potential issues.

The case of any kids in the house blasting out music and perhaps not doing as they are told, is easily solved, surely?
There is some slight paranoia also creeping into the thread about breaching the 'trusted private network' and it now being a threat from hackers. If the latter was the case, then I’m certainly not going to worry too much about password protecting my speakers, or echo devices, as neither of those things are going to harm me too much, comparatively speaking.
Internet connected devices have the capability to cause a great deal of harm if they are controlled by hackers. That is not paranoia, it is a fact that troubles those of us that work on security as part of our jobs.

The INTERNET OF THINGS (IOT) SECURITY BEST PRACTICES paper might be educational for you and others that believe it is OK to have unsecured devices on your networks.

https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_may_2017.pdf

"5. Use strong authentication

IoT devices should not use easy-to-guess username/password credentials,
such as admin/admin. Devices should not use default credentials that are
invariant across multiple devices and should not include back doors and
debug-mode settings (secret credentials established by the device's
programmer) because, once guessed, they can be used to hack many
devices.

Each device should have a unique default username/password, perhaps
printed on its casing, and preferably resettable by the user. Passwords
should be sophisticated enough to resist educated guessing and so-called
brute force methods.

Where possible we recommend two-factor authentication (2FA), which
requires a user to employ both a password and another authentication form
that does not rely on user knowledge, such as a random code generated via
SMS text messaging. For IoT applications, we especially encourage the use
of context-aware authentication (CAA), also known as adaptive
authentication, which use contextual information and machine-learning
algorithms to continuously evaluate risk of malice without bother to the user
by demanding authentication. If risk is high, then the subscriber (or hacker)
would be asked for a multi-factor token to continue having access."

The case of any kids in the house blasting out music and perhaps not doing as they are told, is easily solved, surely?
I agree, all Sonos has to do is follow Apple's lead with the HomePod and give us the option to enable authentication. That addresses the many requests that Sonos has received for this feature.
They already have strong authentication when accessing Sonos from the outside. You cannot add a new unit and/or link a service account without authentication. So you can drop the "security" risk nonsense, it has already been plugged.

Of course this has nothing to do with adding permissions/passwords for features within the app itself.

Because Sonos devices lack authentication they are exposed to intruders using methods that no one outside of the hacker community is aware of!


But authentication isn't any guarantee that hackers won't find a way into your system, since we are talking in the realm of possible, not probable. Your very example illustrates that point since any hacker would first have to get past the wifi authentication before your hypothetical Sonos level authentication would be a factor. So you have a wall around your system that potentially has an unknown flaw in it, and you want to fix that potential problem by adding a second that most likely would have the same unknown flaw?
@airforceteacher, I'm not following how that impacts Sonos. So you have a PC/mac/phone that's infected through the method you described. Can those things then exploit your Sonos firmware in any way? What is it about those exploits that would be blocked by authentication on Sonos?

I'm not a security expert, honest question.

You keep on saying open port 1400 to the outside world, and are missing the fact that the bulk of exploitation nowadays doesn’t work that way. Cross site scripting, infected documents, phishing messages and other client side exploits are the rule rather than the exception these days. If a malicious actor infects a legitimate site you connect to, say this one, and your browser downloads JavaScript, it could be used to access internal systems. OP is presenting a legitimate, verified and documented real world attack, and you keep dismissing him with the port 1400 argument.


None of which has anything whatsoever to do with Sonos app or hardware, lol.


Lol - yes it does. Anything installed on a modern network should be designed to protect itself against internal and external issues. That’s a basic standard of security today, and I agree with OP that Sonos should provide that capability to require authentication locally. Make it an option, so those who want it can turn it on, but leave it off for others.


Sigh. These exploits have nothing whatsoever to do with any Sonos vulnerability. The bad guys are entering your network via other gateways, not via Sonos. You’ve missed the entire point.

Besides, what attacker, once inside your network, is going to go after your Sonos speakers? What would be the point? He’s going to go through your email, your banking and investing software, looking for ways to get to your online accounts. Sonos speakers are the very last thing of interest, lol.

Lol - yes it does. Anything installed on a modern network should be designed to protect itself against internal and external issues. That’s a basic standard of security today, and I agree with OP that Sonos should provide that capability to require authentication locally. Make it an option, so those who want it can turn it on, but leave it off for others.


So your reasoning is based on the principle of the matter instead of an actual way that scripting, phishing, etc could infect a Sonos device?
Sigh. These exploits have nothing whatsoever to do with any Sonos vulnerability. The bad guys are entering your network via other gateways, not via Sonos. You’ve missed the entire point.
Those exploits are absolutely related to IoT security. Once inside your network hackers will attempt to gain access to any device on your network. Preventing that access is the point of device level authentication on IoT devices.

So your reasoning is based on the principle of the matter instead of an actual way that scripting, phishing, etc could infect a Sonos device?
Those exploits allow a hacker to gain access to your network. Once they are in your network they can gain access to any unprotected network resource such as Sonos devices.
And just how is the nefarious hacker going to "access" your Sonos? He can't load the Sonos app, it is required to be on the same subnet. He could load his Spotify account and then control your Sonos via Spotify, except . . . Whoops! Sonos requires authentication for that. Well what if he decides to add his own Sonos device and then control through that, except . . . Whoops! Sonos requires authentication for that. Well, what if he gets into port 1400 from the outside and starts rebooting devices or anything else from the diagnostic menus except . . . Whoops! Sonos removed any nefarious items from the diagnostics.

So exactly what are they going to do, look at your Sonos devices? I imagine they could try to send UPnP messages to a unit to start it playing, but there isn't anything authentication at the app level is going to do about that.
Those exploits allow a hacker to gain access to your network. Once they are in your network they can gain access to any unprotected network resource such as Sonos devices.
And what's the point of gaining access to a music system? Try and blackmail you because of your bad taste in music?


Too funny!

And what's the point of gaining access to a music system? Try and blackmail you because of your bad taste in music?


There is no point. The OP wants passwords to keep his kids from messing with the system. He piggybacked this request onto a "sky is falling" security scare, thinking it would lend more weight.
The brain of each Sonos device is a network connected computer. Not a good thing to leave unsecured because we can't be sure our networks are secure, in fact it is better to assume the network is not secure and therefore secure each device connected to the network.
The brain of each Sonos device is a network connected computer. Not a good thing to leave unsecured because we can't be sure our networks are secure, in fact it is better to assume the network is not secure and therefore secure each device connected to the network.

So tell me, how do you log into that network connected computer?

Back to the OP's original question: lots of people with families or visitors would probably like to have some control preventing access to the speakers from anyone with the appropriate app. It’s a good suggestion on its own merits.

Addendum: Not every suggestion should be refuted nastily as an attack on Sonos.


I only attacked him because he was equating his lack of password protection for rooms/actions/volume within the Sonos app with a lack of security at the network level, which is nonsense. You can have all the passwords in the world at the app level, and still be insecure at the network level (and vice versa).
So tell me, how do you log into that network connected computer?

There are more ways than I can count and many more that I've never heard of. It is a constant game of cat and mouse for the security industry.

https://www.wired.com/story/elaborate-hack-shows-damage-iot-bugs-can-do/
I only attacked him because he was equating his lack of password protection for rooms/actions/volume within the Sonos app with a lack of security at the network level, which is nonsense. You can have all the passwords in the world at the app level, and still be insecure at the network level (and vice versa).

I didn't equate them, you did. I'm pointing out that our networks are not as secure as we think (the attack vector is irrelevant). Therefore unsecured devices on our networks are wide open targets for hackers and other mischief makers.


I didn't equate them, you did. I'm pointing out that our networks are not as secure as we think (the attack vector is irrelevant). Therefore unsecured devices on our networks are wide open targets for hackers and other mischief makers.


So what does that have to do with a thread asking for passwords to prevent your kids from operating certain parts of Sonos? If you were not equating them, why mention it? And what is it about passwords for your kids at the Sonos app level that will "secure" those "unsecured" devices?

You didn't answer the question. Please name just ONE instance where a hacker has successfully obtained the root login for a Sonos device, logged in, and used it to do anything at all. I'll wait...


Exactly. I worked on a Unix based POS system installed in hundreds of commercial properties once. We had dial-up support, and the system was protected by a randomized root password that changed at a variable time interval. Unless you had the PGP protected password generator installed on your support system and the private key, there was no way to log in, and no way to crack the root password before it switched.

I would be surprised if Sonos has anything less, considering that was 20+ years ago.
And oh, btw,
And?
I worked on a Unix based POS system installed in hundreds of commercial properties once. We had dial-up support, and the system was protected by a randomized root password that changed at a variable time interval. Unless you had the PGP protected password generator installed on your support system and the private key, there was no way to log in, and no way to crack the root password before it switched.

There are always other methods to gain access to a system. Just because we aren't aware of them doesn't mean they don't exist. Although a dial up attack could be significantly more challenging than an attack on an internet connected device.

There are many different ways to poke a device for information. IMO, this article is just the tip of the iceberg.

https://securelist.com/iot-hack-how-to-break-a-smart-home-again/84092/


There are always other methods to gain access to a system. Just because we aren't aware of them doesn't mean they don't exist. Although a dial up attack could be significantly more challenging than an attack on an internet connected device.

There are many different ways to poke a device for information. IMO, this article is just the tip of the iceberg.

https://securelist.com/iot-hack-how-to-break-a-smart-home-again/84092/


So that would be a "No" on my request for you to tell me exactly one way to log into a Sonos device?

Gotcha.

And the dial-up mention was superfluous. My main point is gaining root access to a device is not easy.

Also, still waiting on how passwords at the app level have anything to do with this security tangent, or how they will help secure the terribly unsecured Sonos devices.
My main point is gaining root access to a device is not easy.

Depends on the device. Some are easy, some are challenging, none are bullet proof.

Also, still waiting on how passwords at the app level have anything to do with this security tangent, or how they will help secure the terribly unsecured Sonos devices.

You are making the assumption that app level access is safe. It is not. Exploiting a bug or security weakness in an app to gain root access is a common attack vector. Because the Sonos device is unprotected at the API level, that common attack vector is readily available.
I’m a natural worrier about all sorts of things but to be honest I don’t see anything to worry about with the security of the Sonos system 🙂 I personally would hate it if I had to enter a password to use the system, so if it ever came to fruition I’d hope it would be an option rather than compulsory.

I’m in agreement on this. Give the option, but make it something I can turn on and off depending upon my environment. Best bet would be that it requires authentication the first time an instance of the app connects, then remembers that, similar to the way Airplay works.
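The opt-in "authenticate once per app instance, then remember it" model proposed in this thread, sketched as an added example (not Sonos code, and not how any real product implements it): a hypothetical LAN controller API that is open by default, can be switched to require pairing, issues each client its own token after a one-time PIN, and drops the PIN after repeated wrong guesses so it cannot be brute-forced.

```python
import hashlib
import hmac
import secrets
from typing import Optional

class LocalDeviceAuth:
    """Hypothetical opt-in authentication for a LAN media-controller API."""

    MAX_PIN_ATTEMPTS = 3  # assumed lockout threshold for one pairing session

    def __init__(self, require_auth: bool = False):
        self.require_auth = require_auth   # the "make it optional" toggle
        self._pending_pin: Optional[str] = None  # one-time PIN shown on the device
        self._pin_attempts = 0
        self._clients: dict = {}           # client_id -> sha256(token), never the token

    def start_pairing(self) -> str:
        # Fresh random PIN per pairing session: unique per device, not guessable,
        # consumed after one successful use (the IEEE "unique credential" point).
        self._pending_pin = f"{secrets.randbelow(10**8):08d}"
        self._pin_attempts = 0
        return self._pending_pin

    def pair(self, client_id: str, pin: str) -> Optional[str]:
        if self._pending_pin is None:
            return None
        if not hmac.compare_digest(pin, self._pending_pin):
            self._pin_attempts += 1
            if self._pin_attempts >= self.MAX_PIN_ATTEMPTS:
                self._pending_pin = None   # kill the PIN after repeated misses
            return None
        self._pending_pin = None           # PIN is single-use
        token = secrets.token_urlsafe(32)  # per-app-instance bearer token
        self._clients[client_id] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def authorize(self, client_id: str, token: Optional[str]) -> bool:
        # With the option off, every LAN client is accepted, as today.
        if not self.require_auth:
            return True
        if token is None or client_id not in self._clients:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(digest, self._clients[client_id])

    def revoke(self, client_id: str) -> None:
        # Forget one app instance (e.g. a lost phone) without re-pairing the rest.
        self._clients.pop(client_id, None)
```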