Question

How does play.sonos.com control devices on my local network?



I’m curious to know how the web app hosted at play.sonos.com is able to make the speakers I have play, given that I have a firewall completely blocking inbound connections.

Like others, I want to reduce the possibility of a bad actor exploiting my network, so I’d like to control my Sonos system exclusively from within my local network.

So, what do I need to do to configure either the sonos app or my firewall to prevent external control of my devices?


Thanks!


2 replies

I believe Sonos speakers are communicating with the sonos.com cloud server, maintaining a connection that way. In order to prevent this you need to disable outbound access, but this makes adding speakers impossible since the app now forces you to log in to your Sonos account when adding a speaker.

I was pretty concerned when I saw this yesterday, and went about doing a few things to block it, which seem to have worked so far, without limiting some of the features I want to enjoy on our system.


The first thing I did was add a rule to my Adguard custom filter to block all outgoing requests to *.sslauth.sonos.com as they seemed to relate to login activities.  I don’t know if this had any effect or not, but it didn’t break anything, so I left it in place.


Then I started looking at the traffic on my devices while browsing play.sonos.com on another device at the same time. I noticed three separate IP addresses that each of my devices was talking to, and looked them up. I couldn’t tell much about them (all seemed to be AWS), but I decided to have a go at blocking outbound traffic from my devices to the ranges that the IP addresses sat in. These were:

* 35.168.0.0-35.175.255.255

* 54.196.0.0-54.197.255.255

* 54.208.0.0-54.209.255.255


I did the blocking by adding firewall rules on my router, and as I added the ranges one at a time, I saw my devices become unavailable on play.sonos.com, to the extent that if I log in now, a pop-up appears saying “Your speakers are offline”, which suits me just fine. I would imagine that there are likely several other IP ranges that are being used to make play.sonos.com function, so we might need to build up a definitive list here.


But like I said, my devices are now no longer showing, and the functionality of the devices at home is still ok (Apple Music and Sonos Radio still work as expected, although I have no intention of using the latter).


Hopefully, at a minimum, someone at Sonos decides MFA would be a stellar idea at some point soon, but ideally we would have the option to disable this web app functionality completely and maintain a local only + services desired environment.  But for now at least I can sleep slightly easier with the above blocking in place…

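As an added example (not code from anyone in the thread), a small Python helper that turns the three address ranges from the reply above into CIDR prefixes suitable for a router rule, then checks constructed outbound flow records against them so you can see which speaker connections a rule set would actually catch; the speaker LAN address and the destination addresses in the sample flows are assumed, not observed.

```python
import ipaddress

# The three first/last ranges the reply blocked on its router (taken from the post).
BLOCKED_RANGES = [
    ("35.168.0.0", "35.175.255.255"),
    ("54.196.0.0", "54.197.255.255"),
    ("54.208.0.0", "54.209.255.255"),
]

# Constructed flow records "src dst dport" as a router or flow exporter might log them.
# 192.168.1.50 is an assumed speaker address; destinations are chosen to sit inside,
# just outside, and far away from the listed ranges. None are real observed endpoints.
SAMPLE_FLOWS = [
    "192.168.1.50 35.170.12.34 443",    # inside 35.168.0.0/13
    "192.168.1.50 54.197.8.9 443",      # inside 54.196.0.0/15
    "192.168.1.50 54.209.100.1 443",    # inside 54.208.0.0/15
    "192.168.1.50 54.210.1.1 443",      # one network past 54.209.x, should stay allowed
    "192.168.1.50 192.168.1.20 1400",   # local controller on the LAN, must stay allowed
]


def ranges_to_cidrs(ranges):
    """Collapse each first/last pair into the minimal list of CIDR prefixes.

    Router ACLs usually want prefixes rather than arbitrary ranges; summarizing
    also makes it obvious how broad a block really is (a /13 is 524,288 addresses).
    """
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return [str(n) for n in nets]


def classify_flows(flow_lines, cidrs):
    """Split flow records into (blocked, allowed) by destination against the prefixes."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    blocked, allowed = [], []
    for line in flow_lines:
        src, dst, dport = line.split()
        dst_ip = ipaddress.ip_address(dst)
        (blocked if any(dst_ip in n for n in nets) else allowed).append((src, dst, int(dport)))
    return blocked, allowed


if __name__ == "__main__":
    cidrs = ranges_to_cidrs(BLOCKED_RANGES)
    print("deny prefixes:", cidrs)
    blocked, allowed = classify_flows(SAMPLE_FLOWS, cidrs)
    print("blocked:", blocked)
    print("allowed:", allowed)
```

Running the classifier over real flow logs from your router, rather than the constructed sample, is the quick way to confirm that a new range you add only catches cloud-side traffic and not local control or streaming endpoints you rely on.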