
Support for SMB v2 or v3




110 replies

Userlevel 7
Badge +20
I contacted support but they just DON'T CARE! They even said that just using it at home, and now it comes, IS NO RISK AT ALL!
That said, I'm not only angry, I will even tell everyone around me to stop buying Sonos!


For my education, could you outline the specific risks I'm facing in allowing my Sonos equipment to continue to utilise SMB v1 while connecting to the NAS on my Apple Time Capsule? In what way are my speakers 'totally insecure'? Or does the insecurity apply only to Microsoft's products? Thanks.
Userlevel 4
Badge +2
Whilst I appreciate some of the concerns here, as far as I am concerned the known SMB V1 vulnerabilities have patches available. All you need to do is apply the patches and leave SMB V1 available.

Vendor advice to disable it, if you don't need it, makes a lot of sense. Same applies for any other protocol or service. But you do need it, so get patched and carry on as before.
Userlevel 5
Badge +11
Whilst I appreciate some of the concerns here, as far as I am concerned the known SMB V1 vulnerabilities have patches available. All you need to do is apply the patches and leave SMB V1 available.
This. The patches have addressed the known vulnerabilities, so suggesting that:
they are totally insecure
Is simply wrong.

Microsoft itself has recommended everyone stop using it because of the vulnerabilities that exist in it. So Sonos is requiring that you run other devices in an insecure manner in order to use that functionality of Sonos.

The known vulnerabilities have patches, so Sonos isn't requiring you to run anything 'insecurely'. They're requiring you to run an aged protocol that is at a much higher risk for new exploits than the more current versions. It's important to remember that the major hacks WannaCry and NotPetya exploited problems that fixes had *already been released for*. That means if you were using SMBv1, and your system was up to date, then it couldn't have affected you.

So let's step back and look at the big picture here. Should Sonos address this by switching to a newer version as the default? Yes. I even believe they'll eventually get around to it, and there's nothing wrong with telling Sonos that it's important to you.

Throwing a tantrum like a two-year-old is pointless and well outside of a rational response though:
I contacted support but they just DON'T CARE! They even said that just using it at home, and now it comes, IS NO RISK AT ALL!
That said, I'm not only angry, I will even tell everyone around me to stop buying Sonos!


But if you do all of your music listening through streaming sources and don't have your own local music library, then there's nothing for you to worry about, as far as Sonos is concerned.

*This next part is only my opinion.*

There's an important kernel of information in that sentence you've posted. Sonos has made it clear that they view the streaming user as more of their core market. That means items such as the one being discussed in this thread will not be given top priority. If it's crucial to you then that should be weighed against new/future investments in their product line. Again, I'm all for telling Sonos what you want, but be aware of what they say too. It might not always be as clear as "we view your use case as marginal".


Edit:

I missed this earlier.
Evidently VLANs are another decades-old technology that is too challenging for Sonos to figure out.

More than "too challenging", Sonos probably (accurately in my mind) decided that developing around technology in use by a fraction of a percentage of households probably isn't a good way to spend development dollars.
Userlevel 5
Badge +11
Now, some might say that's not a security issue, since it's not gaining control of an account or accessing data or elevating privileges, but it's still a vulnerability and it's still unpatched.

Unpatched but very easily addressed too. If I was being a contrarian I would call this more of a configuration error than a vulnerability. That's why it's present in all versions of SMB.

I'm aware that Sonos has stated that they see streaming as the future, regardless of how many of us have thousands of songs in digital music libraries stored on computers or NAS devices.

I would bet that Sonos has made their decision not "in spite of" the number of people who use local sharing but because of it.

I agree with the rest though, and intelligent commentary such as yours helps the conversation (even if we quibble on minor points). There are others who don't.
Userlevel 2
Badge
Throwing myself into the mix of this thread: an update removed SMB 1 from my Windows 2012 R2 Essentials server. It actually happened quite a while ago, but my Sonos kit still worked fine. Now my Cisco router has been patched and will no longer support SMB 1 either, so if I force it back onto my server (or any server) it won't be networkable anyway.

Weird thing is, my Sonos is still working... EXCEPT! I treated myself to 3 new speakers: 2 Play:5s to run in my kitchen and 1 Play:1 to run in my bedroom... none of those will work with my library on the Windows Server, but the old system still works, so if I play a track or playlist to the old system and then group those with the new speakers, the music plays on the new speakers... which is a bit of a mystery to me!

But what I am going to do is slightly different. I have my music synced to OneDrive to give me an off-site backup. I am going to sync that back to a Mac Mini I have for other purposes and use that as my library temporarily.

BUT IF there is a beta of an SMB 3 version of Sonos, which there surely must be soon, please include me. I will have both libraries available, as well as the extremely odd old vs. new speaker issue, ready to give the new software a bit of a test.
Userlevel 7
Badge +22
Just toss together a Raspberry Pi as a NAS and open up SMB v1 on it; dirt cheap and the issue goes away.

Far better than using a more expensive WD Live Drive and finding you can't get security updates for it for very long.
Userlevel 6
Badge +5
Unfortunately not a minimal configuration at all...
Sonos devices are considered minimalistic and aesthetically beautiful.


Hah. Making something that "just works" with minimal fuss was *exactly* what catapulted Apple to the top, just like Sonos. But under that pretty skin is the product of countless hours of hard work, big innovations. Consider how Wifi mesh networking between Sonos players 'just works', is easy to set up, and so on. This focus on intelligent infrastructure is precisely why Sonos became so popular and the leader in its niche.

Problem is, us "non-cloud" users are no longer attractive to the company because the sale has been made and the potential to monetize us vs. the "cloud" users is minimal. Our end of the market is saturated, the cloud end is still wide-open, at least in the eyes of management.

I don't expect them to update allowable SMB protocols unless forced to. Instead, the focus is on iOS, android applications and trying to stake out as much territory as possible while fighting for relevance in the face of the HomePod, Alexa pods, and whatever Google is bringing to the table.

Management is basically pushing us all to abandon Sonos and go for a competitor that is happy to 'just' do home HiFi well. That day may come for me; in the meantime I have disabled all 'updates' from Sonos since I'm not a fan of having functionality taken away from me.
Userlevel 7
Badge +22
A fix would be great but at what cost? I'd sure hate to get a note from Sonos saying something like:

"We are now offering SMB v3 so the Windows 10 users will stop complaining about v1. Sadly that makes all your older Sonos gear obsolete, we are offering $100 per household to compensate you for all your Zone Players, older Connects and Play 5s becoming inoperative collector's items like your CR-100s."

If it was an easy fix I'm guessing Sonos would have done it long ago to end the moaning. Since it is then highly likely to be a painful fix, how much pain are you willing to undergo to get it?

I vote for minimal pain and adding a Raspberry Pi, WD Live Drive or similar workaround. Far more affordable for me than replacing a house full of older Sonos gear.
Userlevel 6
Badge +5
Hey Stanley, based on the GPL page, there are a variety of Linux distributions to choose among, see: http://www.sonos.com/documents/gpl/8.4/gpl.html

It's an interesting read. The latest Linux distribution in there (3.10.53) appears to have dedicated SMB1, SMB2, and SMB3-related files in it (see the /FS/CIFS folder) while the 2.6.35 version also hosted at Sonos just has a few smb2 references embedded inside its CIFS-related documents. So, I'd guess the appearance of SMB3 support in the Sonos universe would signal a switch to Linux 3.10.x from 2.x?

Hilariously, that version of Linux has also been deprecated as of last year (see https://www.linux.com/news/linux-kernel-310-reached-end-life-users-are-urged-move-linux-44-lts-1) with 3.10.x users being urged to switch to 4.4. The version of Linux hosted at Sonos appears to be outdated, even within the branch, as the last release was 3.10.108. That said, the Linux versions that the developers are using internally may quite possibly be more recent than the stuff they're hosting on the Sonos GPL page.
Userlevel 6
Badge +5
That's an impressive graph, though as you note, the Sonos team can easily omit all sorts of included stuff that is not needed on an embedded system. The good news is that both of us have a workaround that protects the original sound files while serving up copies to the Sonos. Having worked on embedded systems for fun, I can also appreciate the RAM, Flash, etc. limitations that the coders at Sonos are likely grappling with.

I imagine that decoding secure streams in particular to be a challenge relative to the hardware they get to work with. Too bad that the RAM in zone players is not considered 'upgradeable' (assuming that's one of the limitations the coders have to contend with).
Userlevel 6
Badge +5
Yes, ran into that when I built a DAQ system that uses a cellular link. Regs around Cellular RF make unlicensed bands look positively tame in comparison. I also suppose that reduces their business risk somewhat - using a known-good reference design. Plus, with the kinds of profit margins they enjoy, paying a small premium for the module is in the noise.

All that said, I also found it very interesting to hear that the SMB3.11 stack is smaller than the SMB1 stack. I hear your points about code dependencies and so on, but if they're really scrounging for every bit of Flash and RAM as has been implied in all the emails detailing the woes associated with "mini-computer" CPUs, wouldn't one want to upgrade to SMB3.11?
Userlevel 6
Badge +5
Just guessing...
Seeing that a Samba team member from MSFT offered to help them implement SMB3 at Sonos, I cannot think of a better resource to make it happen. Given the lack of progress over the last year on this issue, I conclude that it's simply not a priority and it won't be until MSFT and other vendors won't even allow SMBv1 to be used.

Currently, Sonos can get away with telling their home-hosting content customers to dumb down their network protocol security; that may not be an option in the future. However, the bet in the management suite may simply be that by the time MSFT makes it impossible for Windows users to even turn on SMBv1, enough people will accept a streaming-only product and hence an update won't even be needed. No more support for a home NAS should open up some Flash / RAM too.

Yeah, they might lose a few customers over this but there is a precedent for that at Sonos now.
Why anyone who has voluntarily frozen their system at 8.4 keeps posting about wanting a future update to support SMB v2 is yet another question for the ages. So which is it, do you want to be able to freeze your system to legacy versions, or install a new version for SMB support? Because you can't have both (unless "getting both" is merely code for getting to complain about both).
Userlevel 7
Badge +22
So add a cheap NAS like the WD Live drives, or even cheaper, roll your own NAS using a Raspberry Pi, and move on.

I'd love to have newer SMB but not at the cost of having to replace my older Sonos Zone Players because they don't have the hardware needed to support it. Look at the unhappiness over the ending of the CR-100, which for most folks was a minor issue.
Userlevel 6
Badge +15
Is this HTTP file sharing a Sonos proprietary protocol, or are you utilizing an open standard?
Userlevel 5
Badge +12
Latest firmware release 8.6 deprecates SMB1 in favor of HTTP.

https://en.community.sonos.com/announcements-228985/sonos-8-6-app-improvements-and-new-windows-library-sharing-6808278
Userlevel 2
Badge
Hi everyone, starting with today's update, Sonos 8.6, Windows computers will be able to set up shares to their local libraries to Sonos without using SMB file sharing. We aren't removing support for SMB at this time, and you will continue to need to use it for NAS drives, but Mac computers and Windows computers now both have the ability to share using our implementation of HTTP file sharing via the Sonos app. For more details, see the post here.

Thank You.

Can confirm it is working too.

Pete
Userlevel 7
Badge +21
Many NAS boxes do have the ability to run a web server... it's just a matter of getting things configured in such a way that Sonos would be able to connect to it... like the odd port number, authentication (if any), and any path structure that Sonos might use ahead of the actual folders/files.

Shouldn't be too hard to monitor with something like Wireshark, since it's HTTP. Of course, then getting Sonos to use it as a web service rather than SMB might be the next trick.


Besides all the fuss: what is so difficult about implementing an SMBv2 or v3 client in Sonos speakers? I guess we would all accept any reasonable answer much more readily than just no communication and weird hacks/incomplete workarounds.

Jonas


As long as Sonos does not officially state the name of the actual Linux distro and, more importantly, the kernel version which is running on all of their zone players, we'll never know the particular reason for dodging a much required SMBv2/3 implementation.

Could be insufficient physical memory (at least on older components), a very much outdated kernel version or even a bit of both.
Userlevel 7
Badge +21
passopp wrote:
Could be insufficient physical memory (at least on older components), a very much outdated kernel version or even a bit of both.

Considering IPv6 was recently discovered to be present on some newer speakers (namely, those that have been identified as having Airplay support coming soon, though someone found it on a newer Play:1 too), a lack of device resources on older devices is a good possibility for why SMBv1 hasn't been updated to a newer version. Of course, there's also the possibility that they're using multiple kernel versions, with newer devices on a newer version.

And while I know Macs aren't attacked as often as PCs are, this HTTP sharing process has been present with the MacOS Sonos controller for a while now... I scratched the surface of it over 8 months ago, but I think it had already been in use for a few months before then.
Userlevel 7
Badge +22
As long as Sonos does not officially state the name of the actual Linux distro and, more importantly, the kernel version which is running on all of their zone players, we'll never know the particular reason for dodging a much required SMBv2/3 implementation.

Sonos Linux source code is available, this post and the next few talk about that:

https://en.community.sonos.com/controllers-software-228995/support-for-smb-v2-or-v3-6787081/index3.html#post16228313
Userlevel 3
Badge +1
Thought I would report my recent experience via Twitter @SonosSupport. I asked about the status of attaching a NAS, which now does not seem to work unless you use SMB1 (in my case a QNAP TS-253B, QTS 4.3.5).

FYI: https://www.qnap.com/en/how-to/faq/article/why-cant-i-find-my-nas-in-windows-file-explorer-after-installing-the-windows-10-fall-creators-update-version-1709/

Sonos says:
As discussed, the SMB1 security risk should no longer affect us as we have moved over to HTTP sharing now. If your library is still using SMB1, you can remove it and add it to Sonos again but this technically should have automatically happened.

Then:
Apologies. The NAS is still on SMB1, you are correct. We will pass on your request to have this changed to our development team. In the meantime, as we mentioned earlier, you can sync the NAS with Plex and add Plex to your Sonos system.

I tried the Plex option and found it to be very unreliable. Meh solution by Sonos. We have a 1.4TB music library, 5+ Sonos units, use .flac, and really hate "rented" (read: further monetized) ugly-compressed streaming. Sure feels like we're doomed, unable to protect our music library and Sonos investment.

The extensive posting on this issue demonstrates many unhappy customers. It's just a huge lapse, a frailty. If it's bad enough for Microsoft to exit SMB1, the security risk must be (read: IS) pretty bad, and we respectfully request a robust fix urgently.
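A way to settle the "is it still on SMB1?" question for a particular box, whether that is the QNAP above or a Windows server that the earlier posters consider patched and therefore fine: the script below is an added example (mine, not Sonos, Samba or Microsoft code, and not something any poster in this thread published). It sends one SMB1 NEGOTIATE request on TCP/445 and reports how the server answers. Offering only `NT LM 0.12` tells you whether SMB1 is still accepted at all; offering the `SMB 2.???` wildcard as well shows a server that upgrades the conversation to SMB2. A patched server can still say yes to SMB1, and that is exactly what this distinguishes: what the server is willing to negotiate, independent of whether the known bugs are fixed. The host name `nas.example.lan` in the `__main__` block is an assumption.

```python
"""Probe which SMB dialects a file server still answers on TCP/445.

Added example for this thread; not Sonos code and not Samba or Microsoft
tooling. One SMB1 NEGOTIATE request is sent and the reply is classified:
  "smb1:NT LM 0.12"  the server still negotiates SMB1
  "smb2"             the server answered with an SMB2 NEGOTIATE response
                     (only possible when "SMB 2.???" was offered)
  "refused"          connection closed/reset/timed out, or DialectIndex 0xFFFF
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72

# Offer SMB1 alone to learn whether SMB1 is still accepted at all...
SMB1_ONLY = (b"NT LM 0.12",)
# ...and add the SMB2 wildcard to see whether the server upgrades instead.
SMB1_AND_SMB2 = (b"NT LM 0.12", b"SMB 2.???")


def build_negotiate_request(dialects=SMB1_ONLY, mid=1):
    """Return a direct-TCP-framed SMB1 NEGOTIATE request (MS-CIFS SMB_COM_NEGOTIATE)."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status
        0x18,               # Flags: canonical paths, case-insensitive
        0xC001,             # Flags2: Unicode strings, NT status codes, long names
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0,                  # Reserved
        0,                  # TID
        0,                  # PIDLow
        0,                  # UID
        mid,                # MID
    )
    # Dialect list: each entry is 0x02 followed by a NUL-terminated name.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data   # WordCount=0, ByteCount
    msg = header + body
    # Direct-TCP framing on port 445: zero byte + 24-bit big-endian length.
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def parse_negotiate_response(frame, dialects=SMB1_ONLY):
    """Classify a framed reply; see the module docstring for the return values."""
    if len(frame) < 8:
        return "refused"
    length = int.from_bytes(frame[1:4], "big")
    pkt = frame[4:4 + length]
    if pkt.startswith(SMB2_MAGIC):
        return "smb2"
    if not pkt.startswith(SMB1_MAGIC) or len(pkt) < 35:
        return "refused"
    status = struct.unpack_from("<I", pkt, 5)[0]
    word_count = pkt[32]
    if status != 0 or word_count == 0:
        return "refused"
    index = struct.unpack_from("<H", pkt, 33)[0]  # DialectIndex, first parameter word
    if index == 0xFFFF or index >= len(dialects):
        return "refused"          # 0xFFFF: none of the offered dialects accepted
    return "smb1:" + dialects[index].decode("ascii")


def _recv_frame(sock):
    """Read one framed message: 4-byte transport header, then the announced length."""
    head = b""
    while len(head) < 4:
        chunk = sock.recv(4 - len(head))
        if not chunk:
            raise ConnectionError("closed before framing header")
        head += chunk
    want = int.from_bytes(head[1:4], "big")
    body = b""
    while len(body) < want:
        chunk = sock.recv(want - len(body))
        if not chunk:
            break
        body += chunk
    return head + body


def probe(host, port=445, dialects=SMB1_ONLY, timeout=3.0):
    """Connect, send one NEGOTIATE, classify the answer. Any socket error counts as refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request(dialects))
            frame = _recv_frame(s)
    except OSError:       # reset, closed, unreachable, or timed out
        return "refused"
    return parse_negotiate_response(frame, dialects)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "nas.example.lan"  # assumed name
    print(target, "SMB1-only offer  ->", probe(target, dialects=SMB1_ONLY))
    print(target, "SMB1+SMB2 offer  ->", probe(target, dialects=SMB1_AND_SMB2))
```

Run it as `python3 smbprobe.py 192.168.1.20` against the NAS or Windows host. "refused" lumps together a reset or closed connection, Samba's DialectIndex 0xFFFF answer when nothing offered is acceptable, and a timeout, so a firewalled port shows up the same way as a server with SMB1 switched off; check port reachability first if the result surprises you. The probe stops at negotiation: it says nothing about share permissions or patch level, only about which dialects the server is willing to speak.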
Could you point me to one Sonos system that fell victim to this "pretty bad" security risk? Just one.
Userlevel 7
Badge +22
With the change to HTTP sharing I'm sure SMB 2/3 has fallen even further down the "to do" list at Sonos.

Make up your mind if it is a problem for you or not and then ignore it or mitigate it and quit hoping for a Sonos fix.

Oh, and to make things even easier, it is simple to set up a Pi as an SMB v1 repeater for your non-SMB v1 NAS. A Pi Zero W or A is good enough if you are too broke to get a 3B+.
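For the Pi-as-SMB1-repeater idea in the post above, this is what the Samba side looks like as an added example configuration (mine, not Sonos's and not published by any poster in this thread). It assumes the players sit on 192.168.10.0/24, the Pi is 192.168.10.5, the real NAS share is mounted at /mnt/nas-music over SMB3, and a local Samba account `sonos` has been created with `smbpasswd -a sonos`. The point is to confine the SMB1 surface to one read-only share on one interface, so the NAS itself can keep SMB1 disabled and nothing else on the network is offered the old dialect. smb.conf does not support trailing comments, so every comment is on its own line.

```ini
# /etc/samba/smb.conf on the Raspberry Pi (added example; addresses and names are assumptions)
[global]
   server role = standalone server
   # Samba 4.11 and later ship with SMB1 switched off; it has to be re-enabled
   # explicitly. Pin both ends to NT1 so this daemon speaks nothing else and
   # cannot be mistaken for a general-purpose file server.
   server min protocol = NT1
   server max protocol = NT1
   # Listen only on the segment the players are on, never on every interface.
   interfaces = 192.168.10.5/24
   bind interfaces only = yes
   hosts allow = 192.168.10.
   hosts deny = ALL
   # No guest fallback: a failed login stays a failed login.
   map to guest = Never
   # Keep a record of who authenticates against this SMB1 listener.
   log level = 1 auth:2

[music]
   comment = Music library re-exported for Sonos over SMB1
   # SMB3 mount of the real NAS; the fstab line is given in the text.
   path = /mnt/nas-music
   # Only the account the players were given, and read-only: nothing can
   # write back to the NAS through the SMB1 hop.
   valid users = sonos
   read only = yes
   browseable = yes
   guest ok = no
```

The upstream mount that feeds `/mnt/nas-music` is an ordinary CIFS mount pinned to SMB3, for example this `/etc/fstab` line (NAS name and credentials path assumed): `//nas.example.lan/music /mnt/nas-music cifs vers=3.0,ro,credentials=/etc/samba/nas.cred,uid=sonos,_netdev 0 0`. Validate with `testparm` before restarting smbd, then confirm from another host that the Pi answers SMB1 only on the intended interface, e.g. `smbclient -L 192.168.10.5 -m NT1 -U sonos`. If the players cannot log in, look at the auth log first: Samba's default `ntlm auth = ntlmv2-only` rejects NTLMv1 responses, and relaxing that is a trade-off to make knowingly rather than a setting to copy blindly.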
Could you point me to one Sonos system that fell victim to this "pretty bad" security risk? Just one.

"Oh, no one has fallen victim to this attack vector, so we shouldn't worry about fixing it" ... is that your approach? I sure hope you aren't responsible for securing data anywhere important.


Well I'm certainly not as worried about it until it is documented as actually happening to someone, somewhere, at least once. I also don't put out Bigfoot traps or launch barrage balloons against alien space craft. YMMV.