With all the recent reports and issues with the WannaCry ransomware I wanted to restrict use of SMB v1 on my home network. My NAS blocks this to the outside world but I wanted to secure things internally as well. I can configure the NAS to not support SMB v1 but this then prevents the Sonos controller app from seeing the share. When will Sonos support later versions of SMB? I had seen another thread on this somewhere and it sounded like it wasn't going anywhere. Is it possible to get an update on this please?
My set of speakers has largely remained unused for the three years I've had them. Evidently VLANs are another decades old technology that are too challenging for Sonos to figure out. I finally figured out how to overcome that hurdle, but now ridding my network of SMB1 has rendered them useless again. It may be too late already, but Sonos is really alienating a lot of current and potential customers. People like me who have discovered the wonders of sub $50 Chromecast Audio adapters.
Sigh.
I was thinking of buying some more Sonos speakers, but when they are totally unsecure and there is no change in sight, I even think about selling them again. Even if these are good speakers, not even supporting SMBv2 is unjustifiable!!! Especially when not only security advisors but even Microsoft explains this in detail!
Same here - was going to buy some Play1's for surround sound under the recent offer but my main use-case is SMB access to a Windows 2012 server that (for obvious reasons) now has SMB v1 disabled. I've got just over 1.1 TB of FLAC files on there that the Sonos can no longer access. Every CD / Vinyl I buy goes straight onto there (the latter using an M-Audio FireWire device and Audacity software)
I contacted support but they just DON'T CARE! They even said that just using it at home, and now it comes, IS NO RISK AT ALL!

That said, I'm not only angry, I will even tell everyone around me to stop buying Sonos!




For my education, could you outline the specific risks I'm facing in allowing my Sonos equipment to continue to utilise SMB v1 while connecting to the NAS on my Apple Time Capsule? In what way are my speakers 'totally insecure'? Or does the insecurity apply only to Microsoft's products? Thanks.



Your speakers aren't insecure themselves. But if you connect your Sonos system to a music library stored on your computer or a Network Attached Storage (NAS) device, the connection to that music library is using a version of SMB that is full of vulnerabilities and attacks, and that Microsoft itself has recommended everyone stop using because of the vulnerabilities that exist in it. So Sonos is requiring that you run other devices in an insecure manner in order to use that functionality of Sonos.



But if you do all of your music listening through streaming sources and don't have your own local music library, then there's nothing for you to worry about, as far as Sonos is concerned.
Whilst I appreciate some of the concerns here, as far as I am concerned the known SMB V1 vulnerabilities have patches available. All you need to do is apply the patches and leave SMB V1 available.



Vendor advice to disable it, if you don't need it, makes a lot of sense. Same applies for any other protocol or service. But you do need it, so get patched and carry on as before.
Whilst I appreciate some of the concerns here, as far as I am concerned the known SMB V1 vulnerabilities have patches available. All you need to do is apply the patches and leave SMB V1 available.

This. The patches have addressed the known vulnerabilities, so suggesting that:

they are totally unsecure

Is simply wrong.



Microsoft itself has recommended everyone stop using because of the vulnerabilities that exist in it. So Sonos is requiring that you run other devices in an insecure manner in order to use that functionality of Sonos.


The known vulnerabilities have patches, so Sonos isn't requiring you to run anything 'insecurely'. They're requiring you to run an aged protocol that is at a much higher risk for new exploits than the more current versions. It's important to remember that the major hacks WannaCry and NotPetya exploited problems that fixes had *already been released for*. That means if you were using SMBv1, and your system was up to date, then it couldn't have affected you.



So let's step back and look at the big picture here. Should Sonos address this by switching to a newer version as the default? Yes. I even believe they'll eventually get around to it, and there's nothing wrong with telling Sonos that it's important to you.



Throwing a tantrum like a two-year-old is pointless and well outside of a rational response though:

I contacted support but they just DON'T CARE! They even said that just using it at home, and now it comes, IS NO RISK AT ALL!

That said, I'm not only angry, I will even tell everyone around me to stop buying Sonos!




But if you do all of your music listening through streaming sources and don't have your own local music library, then there's nothing for you to worry about, as far as Sonos is concerned.


*This next part is only my opinion.*



There's an important kernel of information in that sentence you've posted. Sonos has made it clear that they view the streaming user as more of their core market. That means items such as the one being discussed in this thread will not be given top priority. If it's crucial to you then that should be weighed against new/future investments in their product line. Again, I'm all for telling Sonos what you want, but be aware of what they say too. It might not always be as clear as "we view your use case as marginal".





Edit:



I missed this earlier.

Evidently VLANs are another decades old technology that are too challenging for Sonos to figure out.


More than "too challenging", Sonos probably (accurately in my mind) decided that developing around technology in use by a fraction of a percentage of households probably isn't a good way to spend development dollars.
Actually, Microsoft has acknowledged at least one denial-of-service vulnerability in SMBv1 that it is not patching in Windows.



http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html



Now, some might say that's not a security issue, since it's not gaining control of an account or accessing data or elevating privileges, but it's still a vulnerability and it's still unpatched.



And yes, I'm aware that Sonos has stated that they see streaming as the future, regardless of how many of us have thousands of songs in digital music libraries stored on computers or NAS devices. I also realize that they may not put as high of a priority on fixing the issue as a result. But that doesn't lessen its importance, or the desire of some to continue pushing for this to be fixed/changed until it is done.
Now, some might say that's not a security issue, since it's not gaining control of an account or accessing data or elevating privileges, but it's still a vulnerability and it's still unpatched.


Unpatched but very easily addressed too. If I was being a contrarian I would call this more of a configuration error than a vulnerability. That's why it's present in all versions of SMB.



I'm aware that Sonos has stated that they see streaming as the future, regardless of how many of us have thousands of songs in digital music libraries stored on computers or NAS devices.


I would bet that Sonos has made their decision not "in spite of" the number of people who use local sharing but because of it.



I agree with the rest though, and intelligent commentary such as yours helps the conversation (even if we quibble on minor points). There are others who don't.
If you are worried about your NAS data just add a different NAS device that can be running the v1 SMB to keep Sonos happy. I used a Raspberry Pi and old disk drive and got it working for under $50. No need to worry if all that is there are copies of your music files.
Throwing myself into the mix of this thread: an update has removed SMB 1 from my Windows 2012 R2 Essentials server. It actually happened quite a while ago, but Sonos kit still worked fine. Now my Cisco router has been patched and will no longer support SMB 1 either, so if I force it back onto my server (or any server) it won't be networkable anyway.



Weird thing is my Sonos is still working... EXCEPT! I treated myself to 3 new speakers, 2 Play 5's to run in my kitchen and 1 Play 1 to run in my bedroom... none of those will work with my library on the Windows Server, but the old system still works, so if I play a track or playlist to the old system then group those with the new speakers then the music plays on the new speakers... Which is a bit of a mystery to me!



But what I am going to do is slightly different. I have my music sync'ed to OneDrive to give me an off site backup. I am going to sync that back to a Mac Mini I have for other purposes and use that as my library temporarily.



BUT IF there is a Beta of an SMB 3 version of Sonos which there surely must be soon! please include me, I will have both libraries available as well as the extremely odd old v new speaker issue ready to give the new software a bit of a test.
So to revive an old thread. I run an entirely Mac/FreeBSD/Unix network at my house. I have been allowing SMB v1 regretfully for a while now, even before the WannaCry virus became known to the masses. I recently shut it off on the last remaining device I have on my network (my NAS). I am left with two options... Wait for Sonos to fix the problem, or hack my Sonos if possible. The other option is to replace the Sonos with a small form factor Linux box and run CMUS with some of the remote applications for it. They won't be as polished as the Sonos app on my phone, but I can be sure the file share over SSHFS is going to be a hell of a lot more secure than SMB v1.



So SONOS. I have been a customer since the ZP90. I have told many people how easy to use your system is. How it has Apple-like 'it just works' qualities. But until you decide to patch such a gaping security hole as SMB v1, I can't continue to use or recommend your products.
Just toss together a Raspberry PI as a NAS and open up SMB v1 on it, dirt cheap and the issue goes away.



Far better than using a more expensive WD Live Drive and finding you can't get security updates for it for very long.
In 2010 Sonos didn't have any open source competition. Now not only do they have that competition, but it is better suited for my use case. I don't have to send Sonos any data... at all, I know exactly what network traffic it will generate and it uses modern protocols. Sorry Sonos but you have definitely lost a customer on this one. Your attempts to tell me SMB v1 is secure are complete garbage. Don't pee on my back and tell me it's raining.



I would highly recommend that others look into other options beyond Sonos. It is quite apparent that Sonos will not listen to its user base. This thread is months old, and the other one is even older. You have had your opportunity to fix this and you refused.
The missing implementation of SMBv2 just gave me some headache when trying to connect my SONOS setup to the new NAS. I pushed this discussion to Twitter. Maybe this helps to get a higher priority. Feel free to comment.



https://twitter.com/naml1t/status/935990595369230336
I got bit by this today, in an effort to improve security on my Synology NAS, I set SMB V2 as the minimum level. Everything was hunky dory except all of a sudden music library on the Sonos doesn't work. Foolish me, thinking my "premium" audio solution would support SMB levels from this millennium!



Yeah, it's ridiculous...
I agree with stanley, treat your music server for the Sonos as a disposable device. I use an AirPort Extreme base station (AEBS) with a 2TB 2.5" drive to host the data and it works fine. Every time I update my iTunes library, I use Carbon Copy Cloner to synchronize the Sonos source drive with my NAS. Doesn't take too long. It's my canary in the coalmine and if the data is lost, so what, it's just a copy.



With the above, I don't put *all* the data on my NAS at risk just to accommodate an outdated network stack by the only product that still needs it in my home. AFAIK, no NAS allows selective SMB authentication requirements on a per-share basis. Thus, as file sharing protocols go, the server security is only as good as the dumbest/most outdated file sharing protocol you allow it to use.
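
A check for the layout described in the posts above (the main NAS refuses SMB1, a separate box holding only copies serves Sonos), as an added example that is not part of the thread. It assumes both servers run Samba and that the SMB1 box should be read-only, which the thread does not state; the sample configs and share names are constructed.

```python
# Added example: audit smb.conf text for the "disposable SMB1 box" layout.
SMB1_ERA = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # dialects older than SMB2
TRUE = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; Samba ignores case and spaces in names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.split()).lower()] = value.strip()
    return sections

def is_writable(share, glob):
    """Share settings win over [global]; Samba's own default is read only = yes."""
    if share.get("writelist") or glob.get("writelist"):
        return True
    for scope in (share, glob):
        for key, inverted in (("readonly", True), ("writeable", False),
                              ("writable", False), ("writeok", False)):
            if key in scope:
                return (scope[key].lower() in TRUE) != inverted
    return False

def audit(text, default_min="SMB2_02"):
    """Return (effective server min protocol, list of findings).
    default_min applies when the file sets nothing: SMB2_02 on Samba 4.11
    and later, LANMAN1 on older releases (pass it explicitly for those)."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    proto = (glob.get("serverminprotocol") or glob.get("minprotocol") or default_min).upper()
    findings = []
    if proto in SMB1_ERA:
        findings.append(f"SMB1 accepted (server min protocol = {proto})")
        for name, share in conf.items():
            if name != "global" and is_writable(share, glob):
                findings.append(f"[{name}] is writable by SMB1 clients")
    return proto, findings

# Constructed sample configs (hypothetical share names).
MAIN_NAS = "[global]\n server min protocol = SMB2\n[media]\n read only = no\n"
SONOS_PI = "[global]\n Server Min Protocol = NT1\n[music]\n writeable = yes\n"

if __name__ == "__main__":
    for label, text in (("main NAS", MAIN_NAS), ("Sonos Pi", SONOS_PI)):
        print(label, audit(text))
```

An empty findings list for the main NAS plus a single "SMB1 accepted" finding for the disposable box is the state the posts describe; a writable share on the SMB1 box is the case to correct.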




Unfortunately not a minimal configuration at all...

Sonos devices are considered minimalistic and aesthetically beautiful.




Hah. Making something that "just works" with minimal fuss was *exactly* what catapulted Apple to the top, just like Sonos. But under that pretty skin is the product of countless hours of hard work, big innovations. Consider how Wifi mesh networking between Sonos players 'just works', is easy to set up, and so on. This focus on intelligent infrastructure is precisely why Sonos became so popular and the leader in its niche.



Problem is, us "non-cloud" users are no longer attractive to the company because the sale has been made and the potential to monetize us vs. the "cloud" users is minimal. Our end of the market is saturated, the cloud end is still wide-open, at least in the eyes of management.



I don't expect them to update allowable SMB protocols unless forced to. Instead, the focus is on iOS, android applications and trying to stake out as much territory as possible while fighting for relevance in the face of the HomePod, Alexa pods, and whatever Google is bringing to the table.



Management is basically pushing us all to abandon Sonos and go for a more competitor that is happy to 'just' do home HiFi well. That day may come for me, in the meantime I have disabled all 'updates' from Sonos since I'm not a fan of having functionality taken away from me.
A Raspberry PI can be quite minimal and attractive if you buy a nice looking $10 or so case, and it doesn't need more than USB power, Ethernet and your data drive attached to it. You could possibly use a BIG SD card for your music and the operating system but that isn't the best long term solution. Easy to tuck a Pi behind your router or somewhere similar, out of sight and mind. All updates and administration (very rarely needed) can be done via the Ethernet and VNC.



https://www.adafruit.com/product/2604






But the point is CONSUMER SALES will keep it alive, it's not good enough for tech geeks to love Sonos any more, competition is here and aiming at people who want to plug it in and use it.



I find it hard to believe this is still an issue... just like to wish SMB 3 a happy 15th birthday, and SMB 2 is now old enough to vote in most countries! Even version 4 would be of school age now...



This isn't a feature request, it's not even a keep up with the technology request, it's just a desire to keep it real and keep Sonos competitive. Mesh is now common, many competitors are snapping at the heels of Sonos, and the next couple of years will have competition like never before.



Isn't it about time 18 year old technology was implemented as standard!



:?
A fix would be great but at what cost? I'd sure hate to get a note from Sonos saying something like:



"We are now offering SMB v3 so the Windows 10 users will stop complaining about v1. Sadly that makes all your older Sonos gear obsolete, we are offering $100 per household to compensate you for all your Zone Players, older Connects and Play 5s becoming inoperative collector's items like your CR-100s."



If it was an easy fix I'm guessing Sonos would have done it long ago to end the moaning. Since it is then highly likely to be a painful fix, how much pain are you willing to undergo to get it?



I vote for minimal pain and adding a Raspberry PI, WD Live Drive or similar workaround. Far more affordable for me than replacing a house full of older Sonos gear.