Speaker password feature needed ASAP!

  • 12 August 2018
  • 86 replies
  • 2710 views





You are making the assumption that app level access is safe. It is not. Exploiting a bug or security weakness in an app to gain root access is a common attack vector. Because the Sonos device is unprotected at the API level, that common attack vector is readily available.


How? The app cannot be used unless you are on the same subnet. And how are passwords in the app supposed to secure the API, assuming it is insecure?
Give the option, but make it something I can turn on and off depending upon my environment. Best bet would be that it requires authentication the first time an instance of the app connects, then remembers that, similar to the way AirPlay works.

As implemented on the Sonos, AirPlay doesn't require a password and I haven't found a way to give it a password.
How? The app cannot be used unless you are on the same subnet.

In the scenario presented above the hacker has gained access to the network via one of the many exploits out there, therefore they have access to all unprotected devices on that network.


But the hacker is still not on the same subnet. Unless you are saying they have gained access to your device's controller app on your network? In that case, you are entering a password every time you enter the controller, an annoying scenario at best.

Look, you painted yourself into a corner here. You tried to piggyback on security, and are now talking silly scenarios to justify it. You want passwords for your kids, a legitimate request, but one which has nothing to do with network security. End it there.
But the hacker is still not on the same subnet.

If they have gained access to the network where the Sonos devices reside then they can poke, prod, control and attempt to hack those devices. That is an indisputable fact. How they gained access to the net and what devices they are using to attack the Sonos devices is not important.

Perhaps this article will help: https://blog.sucuri.net/2014/11/most-common-attacks-affecting-todays-websites.html


Gaining access to your network and being on the same subnet are 2 different things. And it is important if you are claiming an app based password will protect against a lack of network security. That is why they require authentication when linking services and not when loading the Sonos app, because apps from services like Spotify don't need to be on the same subnet.

And stop with the judicious snipping. Answer the whole post or don't answer at all.
Gaining access to your network and being on the same subnet are 2 different things.

If you have gained access to the network it is but a small step to gain access to a device on that net. Once that happens all bets are off.

And it is important if you are claiming an app based password will protect against a lack of network security. That is why they require authentication when linking services and not when loading the Sonos app.

Not sure what you mean. The sonos device does not require user authentication to control the device from non-sonos apps.



So you are claiming they are using a controller on your system. Which would mean you need a password every time you use the app? Not many are fans of that.

And it most certainly requires you to authenticate when you initially link your service app to the Sonos app. Not to use the app to control Sonos, because that would be annoyingly stupid for 99% of users (see above).
Which would mean you need a password every time you use the app? Not many are fans of that.
Make it optional and when in place give the user the option to save the password in the app they use to control Sonos.

Not to use the app to control Sonos, because that would be annoyingly stupid for 99% of users (see above).
I am talking about controlling sonos from any app. No authentication is required, at least not as far I can see.


If something were so important for security, you'd think it would be mandatory? Which brings me back to the point that this security topic is a charade. And saving it in the app would not prevent someone taking over your device and messing with Sonos, the very scenario you present above.

To the controlling from another app thing, you cannot control via Spotify, Pandora, Alexa, etc. until you link the account with your Sonos account, which requires authentication. No authentication, no control from another subnet, no security risk. Which is the very reason they require it (as opposed to making it optional).
If something were so important for security, you'd think it would be mandatory? Which brings me back to the point that this security topic is a charade.
IMO it should be mandatory but others here feel differently so make it optional. I would definitely have it enabled just like I do for every other device on my net.

To the linking thing, you cannot control via Spotify, Pandora, Alexa, etc. until you link, which requires authentication. No authentication, no control from another subnet, no security risk. Which is the very reason they require it (as opposed to making it optional).
I have not mentioned any of those services and they are not part of this discussion as far as I'm concerned. I'm talking about controlling Sonos devices.
Too bad, control from those apps is actually a way someone could gain access to Sonos from the outside, unlike your absurd scenarios. Then again, that is why Sonos has secured them.

Oh by the way, your insistence on defending this security tangent has taken all the focus off your original request. Not sure that was your intent. Perhaps if you drop the tangent, we can get back on topic.
Too bad, control from those apps is actually a way someone could gain access to Sonos from the outside, unlike your absurd scenarios. Then again, that is why Sonos has secured them.
Hacking those apps/services would be several orders of magnitude more difficult than gaining access through the common attack vectors mentioned in this thread.


Nonsense. All you would need to do is gain access to your network and sign on your app and you would have almost full control over the Sonos devices. Which is why Sonos requires you to link with your Sonos account, using a password.

Still snipping I see. I don't know why you keep trying to take the focus off your original request. It's ok, I'll play along.
Gosh the paranoia is still growing here for one or two.

My home is well protected and locked, but I will never see the point in putting a padlock on my bedroom door that I would then have to open/close every time I entered/exited that part of the premises. There’s nothing in the bedroom anyway, the good stuff is all in the secure safe downstairs.

I don’t see the point in padlocking the bedroom door at all, as that does absolutely nothing to help keep my safe secure, even if the thief can get into the house in the first place.

And there is the analogy for me.
All you would need to do is gain access to your network and sign on your app and you would have almost full control over the Sonos devices.
What app are you referring to here?


If you locked your doors and windows then your home may be reasonably secure but as soon as you unlock a window or door that changes. Your network is similar. Even though you may have your router/firewall secured (and there is probably no such thing as a secure router/firewall), the moment one of your devices connects to and receives information from the internet you have opened the door for hackers. By design a home or business network that connects to the internet cannot be locked up tight like a house.

If you want a secure net that is not subject to attack from the outside the only option is to create an air-gapped network. I've been a software developer for 40 years and we've worked on these types of nets from time to time. It is a pain in the rear but it does solve much of the security issue.


You can control Sonos devices directly from the Spotify app, the Pandora app, or Alexa, sometimes even when not on the same subnet. Hence Sonos requires you to authenticate both your Sonos account and your Spotify, Pandora and/or Alexa account before it allows this linking of functionality. If Sonos thought there was any danger of someone being able to control Sonos from outside the network via any other means, they most certainly would require authentication.

But they don't.
You can control Sonos devices directly from the Spotify app, the Pandora app, or Alexa, sometimes even when not on the same subnet. Hence Sonos requires you to authenticate both your Sonos account and your Spotify, Pandora and/or Alexa account before it allows this functionality.
Got it, that is a different attack vector and not part of this discussion.

If Sonos thought there was any danger of someone being able to control Sonos from outside the network via any other means, they most certainly would require authentication.

But they don't.

I don't know what Sonos thinks but we aren't really discussing controlling Sonos devices from outside the network (e.g. control from a different subnet) here because the control comes from a compromised device inside a breached network. The point of this thread is that networks are inherently insecure. Therefore hackers can (and do) gain remote access to local devices on what people believe are secure networks. This is an indisputable fact.
Since when are you the arbiter of what is and isn't part of the discussion? Quit dismissing scenarios because they don't fit your narrative.

And I'm still waiting for you to describe one example, just one, of how someone can gain control of your Sonos devices that would be thwarted by an app level password.

Just one. Give me one. No dodging. No links. Give us details. I've actually given you one that they have plugged. Now you give me one they haven't. Heck, we all know your original request needs more diversions.
Since when are you the arbiter of what is and isn't part of the discussion? Quit dismissing scenarios because they don't fit your narrative.

I'm dismissing it because it is irrelevant to this discussion as Sonos has already addressed the authentication issue related to it.

And I'm still waiting for you to describe one way, just one, of how someone can gain control of your Sonos devices that would be thwarted by an app level password.
The ability to control Sonos would be greatly diminished if those controls required authentication before activation.

Just one. Give me one. No dodging. No links. Give us details.
The last link I provided gives excellent examples. As a software developer I can conceive of others but I'm certainly not going to post them on the web.



Still can't find one single example, I see. Give it up. Your security issues have absolutely nothing to do with your original request.
Still can't find one single example, I see. Give it up.
I already provided links to examples.

Your security issues have absolutely nothing to do with your original request.
Never said they did. However, if Sonos devices had the option for authentication this thread wouldn't exist.
What I really don’t see now, is how password protecting my sonos system, or application, would now make the slightest bit of difference to the thief that has already got this far onto the network.

There are something like 20 million Sonos devices in the wild and they are part of the IoT universe which is under constant attack. Why would you or anyone else have a problem with protecting those devices with an optional authentication feature?
With numerous Sonos speakers, plus many more smart-bulbs, smart-plugs, wireless hubs, cameras, doorbells etc. I’d get to the stage that compulsory password authentication to use these things on a daily basis would drive me nuts! It would just be far too inconvenient for any end user.

The device authentication on the LAN itself has to be sufficient for these types of things... if a hacker wants to play songs by 'Vera Lynne' and flash a few lights to let me know I left a network window open, then so be it. The focus should be on securing the LAN, not the individual devices.

In all seriousness, I do see LAN security as being very important and it has to come down to the owner/administrator to be responsible for it. I personally don’t see it as a Sonos problem, or a Philips problem, or any other device manufacturer's, whose products are actually intended for use on 'secure' local networks.

The security for my network is, and always will be, down to me... I actually don’t want to shift that responsibility across to all my individual devices... in the same way that I don’t want to have locks on the internal doors in my home, that lead to the kitchen, or the bedroom etc.