Sonos please task one of your engineers with adding a password option to the Sonos system just like Apple has done with their Homepods!
Airplay2 is a game changer when it comes to an open system like Sonos because any device with Airplay2 capability can take control of a sonos system without intentionally installing the Sonos app. While this is convenient on some networks it is a royal pain in the arse for others.
Take my home network as an example. I have two wireless networks - one for the family and one for guests. The guest network has no access to Sonos which is great. But everyone on the family network can control any speaker in the Sonos system because there is no way to secure them. Unfortunately I can't put them on a separate subnet due to the shared media and backup servers. Sure, I ask them not to connect to certain speaker and groups, but they don't see the harm in having the house filled with their cool tunes while I'm at work. Can't really blame them but it causes problems with the neighbors and even me (sucks to ask Alexa to play CNN on a speaker and have it blaring close to full volume because someone forgot to turn it down).
BTW, this wasn't much of a problem before the Airplay2 update because none of the kids had the Sonos app installed on their devices but now they connect without a 2nd thought.
Please give us the option to protect speakers and groups of speakers.
This topic has been closed for further comments. You can use the search bar to find a similar topic, or create a new one by clicking Create Topic at the top of the page.
Page 3 / 4
I didn't equate them, you did. I'm pointing out that our networks are not as secure as we think (the attack vector is irrelevant). Therefore unsecured devices on our networks are wide open targets for hackers and other mischief makers.
There are more ways than I can count and many more that I've never heard of. It is a constant game of cat and mouse for the security industry.
https://www.wired.com/story/elaborate-hack-shows-damage-iot-bugs-can-do/
I don't need "more ways than I can count", I asked for one.
Just one.
Surely you can give me one way that you can log into a Sonos device in order to deliver mayhem.
And then when (If?) you give me one, explain how passwords for certain functions/rooms/volume in the app would prevent it.
There are more ways than I can count and many more that I've never heard of. It is a constant game of cat and mouse for the security industry.
https://www.wired.com/story/elaborate-hack-shows-damage-iot-bugs-can-do/
Back to the OPs original question: lots of people with families or visitors would probably like to have some control preventing access to the speakers from anyone with the appropriate app. It’s a good suggestion on its own merits.
Addendum: Not every suggestion should be refuted nastily as an attack on Sonos.
I only attacked him because he was equating his lack of password protection for rooms/actions/volume within the Sonos app with a lack of security at the network level, which is nonsense. You can have all the passwords in the world at the app level, and still be insecure at the network level (and vice versa).
So tell me, how do you log into that network connected computer?
The brain of each Sonos device is a network connected computer. Not a good thing to leave unsecured because we can't be sure our networks are secure, in fact it is better to assume the network is not secure and therefore secure each device connected to the network.
Userlevel 6
+15
Wow. There are any number of things that could be done, but apparently you guys don’t want to think about them. The Mirai botnet in November 2016 was made up of internet of things devices. Machines on your internal network are exposed when another system is infected.
However, as I said before, the risk is probably low. There are likely just not enough Sonos devices out there for someone to take the effort to find, say, a buffer overflow error, write an exploit, and use that to target other devices or create a backdoor. Home users aren’t a valuable enough target for that level of effort. However, in a professional engagement, if my reconnaissance showed the use of those speakers, I’d sure as heck have someone on my team look at Sonos for vulnerabilities to allow control over the device. My most likely goal would be to launch a reverse direction VPN server on the Sonos device to allow someone to connect to me and gain access to the internal network at will.
Back to the OPs original question: lots of people with families or visitors would probably like to have some control preventing access to the speakers from anyone with the appropriate app. It’s a good suggestion on its own merits.
Addendum: Not every suggestion should be refuted nastily as an attack on Sonos.
However, as I said before, the risk is probably low. There are likely just not enough Sonos devices out there for someone to take the effort to find, say, a buffer overflow error, write an exploit, and use that to target other devices or create a backdoor. Home users aren’t a valuable enough target for that level of effort. However, in a professional engagement, if my reconnaissance showed the use of those speakers, I’d sure as heck have someone on my team look at Sonos for vulnerabilities to allow control over the device. My most likely goal would be to launch a reverse direction VPN server on the Sonos device to allow someone to connect to me and gain access to the internal network at will.
Back to the OPs original question: lots of people with families or visitors would probably like to have some control preventing access to the speakers from anyone with the appropriate app. It’s a good suggestion on its own merits.
Addendum: Not every suggestion should be refuted nastily as an attack on Sonos.
And what's the point of gaining access to a music system? Try and blackmail you because of your bad taste in music?
There is no point. The OP wants passwords to keep his kids from messing with the system. He piggybacked this request onto a "sky is falling" security scare, thinking it would lend more weight.
And what's the point of gaining access to a music system? Try and blackmail you because of your bad taste in music?
Too funny!
And what's the point of gaining access to a music system? Try and blackmail you because of your bad taste in music?
And just how is the nefarious hacker going to "access" your Sonos? He can't load the Sonos app, it is required to be on the same subnet. He could load his Spotify account and then control your Sonos via Spotify, except . . . Whoops! Sonos requires authentication for that. Well what if he decides to add his own Sonos device and then control through that, except . . . Whoops! Sonos requires authentication for that. Well, what if he gets into port 1400 from the outside and starts rebooting devices or anything else from the diagnostic menus except . . . Whoops! Sonos removed any nefarious items from the diagnostics.
So exactly what are they going to do, look at your Sonos devices? I imagine they could try to send UPnP messages to a unit to start it playing, but there isn't anything authentication at the app level is going to do about that.
So exactly what are they going to do, look at your Sonos devices? I imagine they could try to send UPnP messages to a unit to start it playing, but there isn't anything authentication at the app level is going to do about that.
Those exploits are absolutely related to IoT security. Once inside your network hackers will attempt to gain access to any device on your network. Preventing that access is the point of device level authentication on IoT devices.
Those exploits allow a hacker to gain access to your network. Once they are in your network they can gain access to any unprotected network resource such as Sonos devices.
Lol - yes it does. Anything installed on a modern network should be designed to protect itself against internal and external issues. That’s a basic standard of security today, and I agree with OP that Sonos should provide that capability to require authentication locally. Make it an option, so those who want it can turn it on, but leave it off for others.
So your reasoning is based on the principle of the matter instead of an actual way that scripting, phishing, etc could infect a Sonos device?
Lol - yes it does. Anything installed on a modern network should be designed to protect itself against internal and external issues. That’s a basic standard of security today, and I agree with OP that Sonos should provide that capability to require authentication locally. Make it an option, so those who want it can turn it on, but leave it off for others.
Sigh. These exploits have nothing whatsoever to do with any Sonos vulnerability. The bad guys are entering your network via other gateways, not via Sonos. You’ve missed the entire point.
Besides, what attacker, once inside your network, is going to go after your Sonos speakers? What would be the point? He’s going to go through your email, your banking and investing software, looking for ways to get to your online accounts. Sonos speakers are the very last thing of interest, lol.
Userlevel 6
+15
You keep on saying open port 1400 to the outside world, and are missing the fact that the bulk of exploitation nowadays doesn’t work that way. Cross site scripting, infected documents, phishing messages and other client side exploits are the rule rather than the exception these days. If a malicious actor infects a legitimate site you connect to, say this one, and your browser downloads JavaScript, it could be used to access internal systems. OP is presenting a legitimate, verified and documented real world attack, and you keep dismissing him with the port 1400 argument.
None of which has anything whatsoever to do with Sonos app or hardware, lol.
Lol - yes it does. Anything installed on a modern network should be designed to protect itself against internal and external issues. That’s a basic standard of security today, and I agree with OP that Sonos should provide that capability to require authentication locally. Make it an option, so those who want it can turn it on, but leave it off for others.
However, security is primarily about risk management, and the risk of some attacker randomly choosing you to attack and then choosing your Sonos speaker instead of a poorly configured windows, Mac or android device in your network is quite low. Sonos probably does not have high enough market penetration to make that a major risk for home users. I would not allow Sonos on my main network in a workplace - it would be on a protected vlan that required authentication to access, and limit control of the speakers to authorized parties. And would still have some concerns.
You keep on saying open port 1400 to the outside world, and are missing the fact that the bulk of exploitation nowadays doesn’t work that way. Cross site scripting, infected documents, phishing messages and other client side exploits are the rule rather than the exception these days. If a malicious actor infects a legitimate site you connect to, say this one, and your browser downloads JavaScript, it could be used to access internal systems. OP is presenting a legitimate, verified and documented real world attack, and you keep dismissing him with the port 1400 argument.
None of which has anything whatsoever to do with Sonos app or hardware, lol.
@airforceteacher, I'm not following how that impacts Sonos. So you have a PC/mac/phone that's infected through the method you described. Can those then things then exploit your Sonos firmware in anyway? What is it about those exploits would be blocked by authentication on Sonos?
I'm not a security expert, honest question.
I'm not a security expert, honest question.
Userlevel 6
+15
You keep on saying open port 1400 to the outside world, and are missing the fact that the bulk of exploitation nowadays doesn’t work that way. Cross site scripting, infected documents, phishing messages and other client side exploits are the rule rather than the exception these days. If a malicious actor infects a legitimate site you connect to, say this one, and your browser downloads JavaScript, it could be used to access internal systems. OP is presenting a legitimate, verified and documented real world attack, and you keep dismissing him with the port 1400 argument.
That protects a different part of the system. It doesn't do anything to keep someone with access to the network from gaining control of the hardware.
You and others are making the assumption that your network is secure and impenetrable. It is not, no network is, that is why it is very important to have device level authentication.
Because Sonos devices lack authentication they are exposed to intruders using methods that no one outside of the hacker community is aware of!
But authentication isn't any guarantee that hackers won't find a way into your system, since we are talking in the realm of possible, not probable. Your very example illustrates that point since any hacker would first have to get past the wifi authentication before your hypothetical Sonos level authentication would be a factor. So you have a wall around your system that potentially has an unknown flaw in it, and you want to fix that potential problem bad adding a second that most likely would have the same unknown flaw?
They already have strong authentication when accessing Sonos from the outside. You cannot add a new unit and/or link a service account without authentication. So you can drop the "security" risk nonsense, it has already been plugged.
Of course this has nothing to do with adding permissions/passwords for features within the app itself.
Of course this has nothing to do with adding permissions/passwords for features within the app itself.
Internet connected devices have the capability to cause a great deal of harm if they are controlled by hackers. That is not paranoia, it is a fact that troubles those of us that work on security as part of our jobs.
The INTERNET OF THINGS (IOT) SECURITY BEST PRACTICES paper might be educational for you and others that believe it is OK to have unsecured devices on your networks.
https://internetinitiative.ieee.org/images/files/resources/white_papers/internet_of_things_may_2017.pdf
"5. Use strong authentication
IoT devices should not use easy-to-guess username/password credentials,
such as admin/admin. Devices should not use default credentials that are
invariant across multiple devices and should not include back doors and
debug-mode settings (secret credentials established by the device's
programmer) because, once guessed, they can be used to hack many
devices.
Each device should have a unique default username/password, perhaps
printed on its casing, and preferably resettable by the user. Passwords
should be sophisticated enough to resist educated guessing and so-called
brute force methods.
Where possible we recommend two-factor authentication (2FA), which
requires a user to employ both a password and another authentication form
that does not rely on user knowledge, such as a random code generated via
SMS text messaging. For IoT applications, we especially encourage the use
of context-aware authentication (CAA), also known as adaptive
authentication, which use contextual information and machine-learning
algorithms to continuously evaluate risk of malice without bother to the user
by demanding authentication. If risk is high, then the subscriber (or hacker)
would be asked for a multi-factor token to continue having access."
I agree, all Sonos has to do is follow Apple's lead with the HomePod and give us the option to enable authentication. That addresses the many requests that Sonos has received for this feature.
I agree with the user chicks, that this is firstly a discipline issue. There is some slight paranoia also creeping into the thread about breaching the 'trusted private network' and it now being a threat from hackers. If the latter was the case, then I’m certainly not going to worry too much about password protecting my speakers, or echo devices, as neither of those things are going to harm me too much, comparitively speaking.
Even a passerby to my home, can shout commonly known Alexa instructions through a letter box, here in the UK, and I do try to cater for that type of scenario already, well as best I can, by switching off the microphones at the front of the home when we’re out and about. I switch the devices off altogether when we go on holiday. The external cameras would alert me anyway to anyone upto no good in this way (I hope). Kids shouting to Alexa through a letterbox though can be a pain, I guess, but it’s usually no worse than them knocking the front door and running away.
I think for the reasons stated, I would firstly look to discipline my kids and the next is, I would try to remember to switch off my mic or the accessible devices when away from home and if the network is hacked via the internet etc, then perhaps worry moreso about other things the hacker could get hold of, rather than just controlling the Sonos or Alexa system. If a user were at home, they would of course hear these things (Alexa commands) being used anyway.
Security of my music system and echo devices is probably the least of my worries, but I do try to think sensibly about all the potential issues.
The case of any kids in the house blasting out music and perhaps not doing as they are told, is easily solved, surely?
Even a passerby to my home, can shout commonly known Alexa instructions through a letter box, here in the UK, and I do try to cater for that type of scenario already, well as best I can, by switching off the microphones at the front of the home when we’re out and about. I switch the devices off altogether when we go on holiday. The external cameras would alert me anyway to anyone upto no good in this way (I hope). Kids shouting to Alexa through a letterbox though can be a pain, I guess, but it’s usually no worse than them knocking the front door and running away.
I think for the reasons stated, I would firstly look to discipline my kids and the next is, I would try to remember to switch off my mic or the accessible devices when away from home and if the network is hacked via the internet etc, then perhaps worry moreso about other things the hacker could get hold of, rather than just controlling the Sonos or Alexa system. If a user were at home, they would of course hear these things (Alexa commands) being used anyway.
Security of my music system and echo devices is probably the least of my worries, but I do try to think sensibly about all the potential issues.
The case of any kids in the house blasting out music and perhaps not doing as they are told, is easily solved, surely?
Optional authentication, similar to what we see in Apple's HomePod, shouldn't cause you to lose anything you already have. Instead it provides security to those customers that need it.
This thread originally had nothing to do with security issues, and people dumb enough to open port 1400 already lost us very valuable diagnostic tools. I'd hate to see what we lose next due to you attempting to cash in on security fears to get your personal wish for passwords to keep your kids from screwing up your volume and groupings.
Page 3 / 4
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.