
A few weeks ago I’m alone at home minding my own business. Suddenly my Sonos system starts playing a song (“Faith” by Stevie Wonder) without my intervention. It plays for a few seconds and then the volume goes up to max. Panic!

We live in a flat and have Sonos in several rooms. Poor neighbors…

After a few seconds I got myself together and I managed to open the Sonos app and press “pause”. Directly, the music “unpauses”, I “pause”, it “unpauses” and then I turn down the volume to a minimum and then nothing.

At first, I suspected that some intruder had gained access to our WIFI and started going over the security logs of our Unifi (Ubiquiti) system. Nothing suspicious there. After that my guess was that one of the neighbors who I know have Sonos in their homes had mysteriously connected to the system. I called the neighbors and asked if they had tried to start “Faith” by Stevie Wonder at that particular time. Nothing.

A few days later, I told my wife (who is working as a dance teacher) about this spooky incident. She asked when it was and I gave her the song, day and time. “Oh, that must have been when I gave a class at the studio. I had a hard time playing that song”.

Notable here is that the dance studio has no connection whatsoever to our WIFI and is located three kilometers away. She couldn’t say whether she was on the cellular network or was logged in to the studio’s WIFI at the time. But there is no doubt that it was her who managed to start the song at our home remotely. Thing is, she had played that particular song just before leaving home.

Now, a few minutes ago the same thing happened with the song I heard her play just before going to work today. This time though, she must have realized what happened, because she didn’t try to turn the volume up and “paused” herself.

As far as I understand it, this shouldn’t be possible. Any suggestions?

Hypothetically if you gave your neighbor access to your WiFi they could do this without Spotify being involved at all, so long as they were in range of your WiFi. They would just have to install the Sonos app.

As has been said above: take care who you give access to your WiFi.


It’s strange behavior from Spotify, I agree, but how is this a security issue? This can only happen with users you gave access to your wifi….


Well maybe not a network security issue, but rather a badly implemented feature that can have rather serious consequences, if you ask me:

I mean, this has a catastrophic potential. Imagine a Sonos user going out of town for some time and mistakenly starting to play music at maximum volume. Probably the neighbors would call the police, maybe force the door, then not being able to turn the music off resulting in cutting cables and more.



It’s strange behavior from Spotify, I agree, but how is this a security issue? This can only happen with users you gave access to your wifi….


OK, thanks for your insights!


So it’s a Spotify flaw. From my point of view that is a quite serious security hole. I can see now, after googling that this has been discussed for years and Spotify doesn’t really see the problem.

Embarrassing if you ask me.

https://community.spotify.com/t5/Accounts/Security-hole-Remote-control-devices-on-other-networks-through/td-p/4577666


Yeah, that’s the ‘beauty and benefit’ of using Spotify Connect. An SC-enabled device can be controlled by friends, family members and foes from everywhere in the world once you’ve given them access to your WiFi.



It was fairly easy to reproduce this flaw. I just started a track from Spotify on my Android phone while connected to my home WIFI and redirected it to a Sonos unit, paused the music, disconnected from the WIFI and connected to the cellular network, unpaused the music and voilà! the music played again on the Sonos system. I could still change tracks and change the volume. Even after restarting Spotify, I could still play on the same Sonos unit.


Yeah, that’s the ‘beauty and benefit’ of using Spotify Connect. An SC-enabled device can be controlled by friends, family members and foes from everywhere in the world once you’ve given them access to your WiFi.


Go to the Spotify webpage, log into your account, and …


Log out everywhere

To log out of all devices and web pages at once:

  1. Log in to your account page.
  2. Click SIGN OUT EVERYWHERE.

Note: This doesn't include partner devices (e.g. speakers, games consoles, and TVs), so for those go to your apps page and choose REMOVE ACCESS.


https://support.spotify.com/us/article/how-to-log-out/


I mean, this has a catastrophic potential. Imagine a Sonos user going out of town for some time and mistakenly starting to play music at maximum volume. Probably the neighbors would call the police, maybe force the door, then not being able to turn the music off resulting in cutting cables and more.