Agreed. What exactly is the use case for web access to my speakers? So I can remotely play music for my dogs? No one asked for this, no one needs this and it’s just a security risk. At the very least, please offer the option to disable access outside the home network.
If I had dogs, I would certainly like to play music for them while I’m at the beach. Seriously, the security risk is ridiculous. No web access! Please fix the SONOS app so I can add the speakers that I bought two days ago to my Sonos system for crying out loud. #WORSTUPGRADEEVER
Don’t need the remote access but a web based controller would be a real plus here where I have multiple devices that are either too old to run the App or were never compatible with it.
Haven’t bothered to look at it but it is likely you could toss in a couple firewall rules to block the remote connection. If you are worried it is worth the effort.
@Keith - Sonos any chance of any kind of reply re web app from someone from Sonos? Or is it going to be avoided like pretty much everything else?
The Web App uses the outbound connections the speakers have to Sonos to control them and hence we cannot block the traffic easily without affecting speaker functionality.
- Blocking speakers' ability to access the internet may likely block speakers' ability to access radio and other music services
- Blocking speakers' access to Sonos (the company) may affect the ability to update speakers plus have advanced configuration features such as limiting speaker volume etc.
From my point of view two things need to happen and should have happened from the start:
- Sonos should have enforced 2-FA on all accounts (usernames and passwords alone, no matter how complex, are currently not sufficient in securing internet services)
- The Web access feature to control the speakers must be optional and customers must be able to turn this off. I understand that there may be some use cases but this should not be forced on everyone
What Sonos (the company) have done is to expose all their users to risks that are not really necessary and could have been avoided by simply taking a security first approach. This clearly did not happen and may have been simply a feature-led release.