
Now that we have the new Sonos web app we can control our Sonos players from anywhere in the world, something that I believe wasn’t available before.

Is there any way to turn that off?

Without two-factor authentication it’s only a matter of time before users’ accounts get compromised and remote control of their speakers is possible by a third party!

Imagine the bad publicity that will bring Sonos on top of this car crash of a new app!


I don’t currently want or have the need to control my music from outside my home. It seems like a pretty big oversight to not have the ability to turn this off as well as to have MFA on user accounts. Hopefully Sonos adds them both to what must be a massive to-do list.

 


Hi @dave77 

Thanks for your post!

Thank you - I've marked this thread as a feature request and it will be seen by the relevant teams for consideration. Keep the ideas coming!


Downgrade to S1 - the web app doesn’t work against S1 systems.


Downgrade to S1 - the web app doesn’t work against S1 systems.

This is not a feature in the new app. 


I am shocked by the mindlessness of this so-called “update”.

This is a complete security and privacy nightmare.

The only upside is that I can see how TERRIBLY this is all implemented, errors all over the place, including HTTP 404 (not found), 500 (server error), 422 (unprocessable entity), 429 (too many requests) and error messages like "Exception parsing upnp parameters" and "Unknown service. Service id: local-library. Account id: undefined". At least I know why my favorites aren’t loading.

Switch this off immediately. I’m willing to take legal action and this is just the b/s I sensed when Sonos forced “accounts” down our throats. I don't want or need a Sonos account for the product to work, there's only benefit for one side. A shame!


The cloud API and ability to control our SONOS systems have actually been available for years but without much benefit to normal users - nothing much has changed other than people being aware of this.

And yes - the access really should be protected by 2-factor authentication!


I would prefer to be able to turn this “feature off” 

 

Does anybody know how to set up firewalls in the router to block this access?


I would prefer to be able to turn this “feature off” 

 

Does anybody know how to set up firewalls in the router to block this access?

The Sonos telemetry can be blocked through your DNS service if you use something that supports blacklisting. This is what I’ll be looking at when I get time. But I’m not sure if this will be possible because it seems like everything goes through the web now. I’m kinda hoping someone smarter than me will figure it out 🤣


Me too, I was looking into the traffic to and from my Arc but I don't really have the know-how to realise what to block.


I also want to turn remote web access off please.  There is no reason for anyone who is not on my network to control my system. 


Two types of access you need to look at blocking, from the speakers/device and from the Controller App. Figuring out what you can block without breaking anything is going to be time consuming. Figuring out what you can block that breaks stuff you don’t use a bit more time.

Easy way is add a filter to your firewall to tag all data from the device you are looking at. Then go in and block one stream at a time and note what works/breaks. Once done you might set up several rules: Block all Sonos, Block as much as possible but allowing essential features to work, Block non-essential features that you don’t need every day.

I’m still in the “Hope things get better soon.” camp so I won’t be working on this or tweaking my DNS block-lists unless I notice them breaking anything I need.
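The “tag everything from the device, then block one stream at a time” procedure above, as an added example that is not from this thread or from Sonos: it parses iptables-style LOG lines (constructed sample, assumed to carry a SONOS_TAG prefix set by a tagging rule on the router), summarises the outbound WAN streams from one speaker, and renders one DROP rule per stream so each can be applied and tested separately. LAN-to-LAN traffic is left alone so the local controller keeps working.

```python
import re
from collections import Counter

# Constructed sample log lines (not real Sonos traffic): one speaker at 192.168.1.50
# talking to three WAN endpoints plus one local controller on the LAN.
SAMPLE_LOG = """\
kernel: SONOS_TAG IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=41234 DPT=443
kernel: SONOS_TAG IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=41235 DPT=443
kernel: SONOS_TAG IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=123
kernel: SONOS_TAG IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.25 PROTO=TCP SPT=41240 DPT=80
kernel: SONOS_TAG IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.20 PROTO=TCP SPT=1400 DPT=52000
"""

# Fields we need from each LOG line: source, destination, protocol, destination port.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def summarise_streams(log_text, device_ip, lan_prefix="192.168.1."):
    """Count outbound WAN streams (dst, proto, dport) originating from device_ip.

    Lines whose destination is on the LAN are skipped so local control between
    the app and the speaker is never a candidate for blocking.
    """
    streams = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["src"] != device_ip:
            continue
        if m["dst"].startswith(lan_prefix):
            continue
        streams[(m["dst"], m["proto"].lower(), int(m["dpt"]))] += 1
    return streams


def block_rules(streams, device_ip, chain="FORWARD"):
    """Render one iptables DROP rule per stream, busiest stream first.

    Apply them one at a time and note what still works; keep only the rules
    that do not break features you use.
    """
    rules = []
    for (dst, proto, dport), _count in streams.most_common():
        rules.append(
            f"iptables -I {chain} -s {device_ip} -d {dst} -p {proto} --dport {dport} -j DROP"
        )
    return rules


if __name__ == "__main__":
    for rule in block_rules(summarise_streams(SAMPLE_LOG, "192.168.1.50"), "192.168.1.50"):
        print(rule)
```

Real routers log in different formats; adjust LINE_RE and the LAN prefix to match yours before trusting the output.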


I also want to turn remote web access off please.  There is no reason for anyone who is not on my network to control my system. 

Without your password they can't login.


I also want to turn remote web access off please.  There is no reason for anyone who is not on my network to control my system. 

Without your password they can't login.

 

Password only security for remote control of every Sonos speaker in the world is poor. If Sonos test their internal security as well as their apps then we’re screwed.

2FA is a must at minimum.


I also want to turn remote web access off please.  There is no reason for anyone who is not on my network to control my system. 

Without your password they can't login.

Assuming they are trying to log on and not exploiting a security flaw they have discovered.

 

I haven’t looked at the password requirements, does Sonos enforce a long, random password or does it let you use something easily guessable?


I also want to turn remote web access off please.  There is no reason for anyone who is not on my network to control my system. 

Without your password they can't login.

Assuming they are trying to log on and not exploiting a security flaw they have discovered.

 

I haven’t looked at the password requirements, does Sonos enforce a long, random password or does it let you use something easily guessable?

This is pretty bad  

  • At least 8 characters.
  • No common passwords.
  • Previously used passwords can't be reused.

 


Assuming they are trying to log on and not exploiting a security flaw they have discovered.

THIS is the correct take. While I am all about strong passwords (and MFA), the greater concern is a threat actor exploiting a vulnerability in the Sonos back end that we’re all forced to interact with now. And at the risk of stating the obvious, I put zero faith in this crew having their act together on security.


I also want to turn remote web access off please.  There is no reason for anyone who is not on my network to control my system. 

Without your password they can't login.

Assuming they are trying to log on and not exploiting a security flaw they have discovered.

 

I haven’t looked at the password requirements, does Sonos enforce a long, random password or does it let you use something easily guessable?

This is pretty bad  

  • At least 8 characters.
  • No common passwords.
  • Previously used passwords can't be reused.

 

 

“Previously used passwords can't be reused.”

Let's hope they’re not storing passwords unencrypted 😮


Thanks for pointing out the Web App. I disabled access to the internet for my SONOS speaker in my router (AVM Fritzbox). The WebApp now complains about the speakers not being connected. I like that very much.

I do agree that security of the web app is awful. No MFA or any other up to date authentication mechanisms. No transparency about what APIs my local SONOS speakers expose. No 3rd party security test or attestations for the SONOS boxes. So I have to assume the worst case, that attackers could hijack my local hardware and I have no way to defend against it.

What makes me wonder even more is the GDPR compliance. Not sure what features of the SONOS boxes would still work if I refuse (working on that) to accept their data privacy policy. Puts SONOS in an awkward position, customers buying expensive SONOS boxes in a retail store just to find out they cannot make them work without exposing their personal data outside of the GDPR compliant governance space. GDPR = European data protection law.

 


The cloud API exposed by your system is described here: https://docs.sonos.com/docs/control-sonos-players - however I know for a fact of APIs not described there, so consider it a subset.

You do have to give permission for any 3rd party to use this API on your system, via “login with Sonos”, the UX that Sonos themselves do not use in their web app.


It’s an insult and disrespect to all Sonos users to mark disabling remote access/player as a “feature” request. Do you call the front door of your house a “feature”? Or does your house just not come with a door when you buy it, and you have to “improve” your house by adding a front door at your expense? So moral of the story? Don’t buy a Sonos product or you’ll regret it and want to buy a competitor’s product that does come with the “feature” most people expect to be there.

 


It’s an insult and disrespect to all Sonos users to mark disabling remote access/player as a “feature” request. Do you call the front door of your house a “feature”? Or does your house just not come with a door when you buy it, and you have to “improve” your house by adding a front door at your expense? So moral of the story? Don’t buy a Sonos product or you’ll regret it and want to buy a competitor’s product that does come with the “feature” most people expect to be there.

 

Supreme arrogance that they think they can flout privacy legislation. Clearly the constant scrutiny and court cases for FB, etc. in the EU and US don't put them off.


In addition, Sonos does not have any way to see who’s logged in to your account and from where, similar to what Plex does and most online streaming services.

I’ve just reset my password as I am getting random favourites added on my Android app that I can’t delete, but that is pointless if it doesn’t log out anyone who is logged in with my account.

 


In addition, Sonos does not have any way to see who’s logged in to your account and from where, similar to what Plex does and most online streaming services.

I’ve just reset my password as I am getting random favourites added on my Android app that I can’t delete, but that is pointless if it doesn’t log out anyone who is logged in with my account.

 

Every single one of those services has had data breaches and been subject to attacks by hackers over the last few years. And they have all sorts of encryption in place. Sonos are so incompetent that they have zero checks and controls in place. They have moved the app to the web without ANY consideration of safety and security.