Speaker password feature needed ASAP!

  • 12 August 2018
  • 86 replies
  • 2712 views



Userlevel 2
Badge +3
As I stated, linking yourself with these types of articles is bad for your cause. I for one would hesitate before supporting any passwords on the system when this type of paranoia is the basis of the argument.

So be it. IMO, having an understanding of the weaknesses inherent in network security is a good thing if you are going to deploy network connected devices that lack authentication because nets are constantly under attack.

http://map.norsecorp.com/
As I stated, linking yourself with these types of articles is bad for your cause. I for one would hesitate before supporting any passwords on the system when this type of paranoia is the basis of the argument.
Userlevel 2
Badge +3
Then every smart device you own is "rife for exploit" if you are opening up your router to full access to the outside.

Sonos devices (and any other network connected device that lacks secure authentication) are rife for exploit on any network that is connected to the internet because the idea that your network is secure just because you sit behind a firewall is a myth.

https://www.securitymagazine.com/articles/89098-is-the-internet-of-things-impossible-to-secure

The KRACK attack is another example showing that our networks are not as secure as we think: https://www.krackattacks.com/. Luckily, this was shared by the researchers, allowing for a backward-compatible patch, but hackers don't share their exploits, so there is no telling what exploits are out there that haven't been patched.

Because Sonos devices lack authentication they are exposed to intruders using methods that no one outside of the hacker community is aware of!
IMO, a design where anything with access to my home network can also connect to any Sonos device on my network without authentication is rife for abuse and exploits. I can lock down our network settings to prevent hackers from getting in the front door but there have been router exploits in the past and we are likely to see more in the future. Another example of an attack vector would be Malware that is spread via email and websites that users on the network access. IMO, as long as Sonos devices lack authentication they are an easy target because there is no such thing as a 100% secure home network if that network is also connected to the internet.

Then every smart device you own is "rife for exploit" if you are opening up your router to full access to the outside.

And that article said nothing about those other attacks, it was strictly about people who stupidly opened their routers up and basically yelled "C'mon in y'all!"

Look, you have a good case for wanting a PIN or password on your system. Allying yourself with the numbskulls who purposefully opened up their systems because they know nothing about networking does nothing but hurt that case.
Userlevel 2
Badge +3
IMO, a design where anything with access to my home network can also connect to any Sonos device on my network without authentication is rife for abuse and exploits. I can lock down our network settings to prevent hackers from getting in the front door but there have been router exploits in the past and we are likely to see more in the future. Another example of an attack vector would be Malware that is spread via email and websites that users on the network access. IMO, as long as Sonos devices lack authentication they are an easy target because there is no such thing as a 100% secure home network if that network is also connected to the internet.
From your link above:

Instead, if you own one of a few models of internet-connected speaker and you've been careless with your network settings, you might be one of thousands of people whose Sonos or Bose devices have been left wide open to audio hijacking by hackers around the world.


Read the bold. Also, Sonos has already patched this security risk for those that are stupid enough to open port 1400 to the entire world.
Userlevel 2
Badge +3
Sounds like a discipline issue to me, not a Sonos issue... :P

Maybe some of both. IMO having unsecured devices on our networks is very risky and it is only a matter of time before we see malware that infects PCs with the goal of gaining access to the unsecured Sonos devices.

https://www.wired.com/story/hackers-can-rickroll-sonos-bose-speakers-over-internet/

""The unfortunate reality is that these devices assume the network they're sitting on is trusted, and we all should know better than that at this point," says Mark Nunnikhoven, a Trend Micro research director. "Anyone can go in and start controlling your speaker sounds," if you have a compromised device, or even just a carelessly configured network."

"The researchers note that audio attack could even be used to speak commands from someone's Sonos or Bose speaker to their nearby Amazon Echo or Google Home. They went so far as to test out the attack on the Sonos One, which has Amazon's Alexa voice assistant integrated into its software. By triggering the speaker to speak commands, they could actually manipulate it into talking to itself, and then executing the commands it had spoken.

Given that those voice assistant devices often control smart home features from lighting to door locks, Trend Micro's Nunnikhoven argues that they could be exploited for attacks that go beyond mere pranks. "Now I can start to run through more devious scenarios and really start to access the smart devices in your home," he says."
Userlevel 2
Badge +3
For right now, the best way to limit access to the system is to use a guest network for internet access, but keep your Sonos system and music library shares on the private, password protected network.

Unfortunately that solution doesn't work if you already have a guest network for "guests" while there are other network resources that are shared with family members that you wouldn't share with guests.

everyone on the family network can control any speaker in the Sonos system because there is no way to secure them. Unfortunately I can't put them on a separate subnet due to the shared media and backup servers. Sure, I ask them not to connect to certain speakers and groups, but they don't see the harm in having the house filled with their cool tunes while I'm at work. Can't really blame them but it causes problems with the neighbors and even me (sucks to ask Alexa to play CNN on a speaker and have it blaring close to full volume because someone forgot to turn it down).


Sounds like a discipline issue to me, not a Sonos issue... 😛
Userlevel 7
Badge +20
Sonos please task one of your engineers with adding a password option to the Sonos system just like Apple has done with their Homepods!

Airplay2 is a game changer when it comes to an open system like Sonos because any device with Airplay2 capability can take control of a Sonos system without intentionally installing the Sonos app. While this is convenient on some networks it is a royal pain in the arse for others.

Take my home network as an example. I have two wireless networks - one for the family and one for guests. The guest network has no access to Sonos which is great. But everyone on the family network can control any speaker in the Sonos system because there is no way to secure them. Unfortunately I can't put them on a separate subnet due to the shared media and backup servers. Sure, I ask them not to connect to certain speakers and groups, but they don't see the harm in having the house filled with their cool tunes while I'm at work. Can't really blame them but it causes problems with the neighbors and even me (sucks to ask Alexa to play CNN on a speaker and have it blaring close to full volume because someone forgot to turn it down).

BTW, this wasn't much of a problem before the Airplay2 update because none of the kids had the Sonos app installed on their devices but now they connect without a 2nd thought.

Please give us the option to protect speakers and groups of speakers.


Hi there,

Thanks for the suggestion. I'll send along a feature request to add password protection to the Sonos system. For right now, the best way to limit access to the system is to use a guest network for internet access, but keep your Sonos system and music library shares on the private, password protected network.