I was pretty concerned when I saw this yesterday, and went about doing a few things to block it, which seem to have worked so far, without limiting some of the features I want to enjoy on our system.
The first thing I did was add a rule to my Adguard custom filter to block all outgoing requests to *.sslauth.sonos.com as they seemed to relate to login activities. I don’t know if this had any effect or not, but it didn’t break anything, so I left it in place.
Then I started looking at the traffic on my devices while browsing play.sonos.com on another device at the same time. I noticed three separate IP addresses that each of my devices were talking to, and looked them up. I couldn’t tell much about them (all seemed to be AWS), but I decided to have a go at blocking outbound traffic from my devices to the ranges that the IP addresses sat in. These were:
* 35.168.0.0-35.175.255.255
* 54.196.0.0-54.197.255.255
* 54.208.0.0-54.209.255.255
I did the blocking by adding firewall rules on my router, and as I added the ranges one at a time, I saw my devices become unavailable on play.sonos.com to the extent that if I log in now, a pop-up appears saying “Your speakers are offline”, which suits me just fine. I would imagine that there are likely several other IP ranges that are being used to make play.sonos.com function, so we might need to build up a definitive list here.
But like I said, my devices are now no longer showing, and the functionality of the devices at home is still ok (Apple Music and Sonos Radio still work as expected, although I have no intention of using the latter).
Hopefully, at a minimum, someone at Sonos decides MFA would be a stellar idea at some point soon, but ideally we would have the option to disable this web app functionality completely and maintain a local only + services desired environment. But for now at least I can sleep slightly easier with the above blocking in place…
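As an added example (not part of the post above), the three start-end ranges the poster listed can be collapsed into CIDR prefixes, which is the form most router firewalls want, and then used to check captured flow records for destinations that are not yet covered. The flow lines, the `nft` rule text and the log format are constructed assumptions for illustration, not the poster's router or capture output.

```python
import ipaddress

# Ranges quoted in the post, as start-end pairs.
OBSERVED_RANGES = [
    ("35.168.0.0", "35.175.255.255"),
    ("54.196.0.0", "54.197.255.255"),
    ("54.208.0.0", "54.209.255.255"),
]


def ranges_to_cidrs(ranges):
    """Collapse start-end ranges into the minimal list of CIDR networks."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


BLOCK_CIDRS = ranges_to_cidrs(OBSERVED_RANGES)


def is_blocked(dst, cidrs=BLOCK_CIDRS):
    """True if a destination address falls inside any block-list prefix."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def nft_rule(cidrs=BLOCK_CIDRS, chain="forward"):
    """Render the list as one nftables rule (assumed inet/filter table)."""
    return f"nft add rule inet filter {chain} ip daddr {{ {', '.join(cidrs)} }} drop"


# Constructed flow records: "<time> <src> -> <dst>:<port>". Not real capture data.
SAMPLE_FLOWS = """\
2024-01-01T10:00:00 192.168.1.20 -> 35.170.12.8:443
2024-01-01T10:00:01 192.168.1.20 -> 54.230.1.1:443
2024-01-01T10:00:02 192.168.1.21 -> 54.196.5.5:443
2024-01-01T10:00:03 192.168.1.21 -> 192.168.1.1:53
"""


def unmatched_destinations(flow_text, cidrs=BLOCK_CIDRS):
    """Public destinations seen in the flows that no block-list prefix covers.

    This is the list to review when building up the 'definitive list' the post
    mentions; private/local addresses are skipped."""
    seen = set()
    for line in flow_text.splitlines():
        if "->" not in line:
            continue
        dst = line.split("->", 1)[1].strip().rsplit(":", 1)[0]
        ip = ipaddress.ip_address(dst)
        if not ip.is_private and not is_blocked(dst, cidrs):
            seen.add(dst)
    return sorted(seen)
```

Blocking whole prefixes like these also cuts off any other service hosted in the same cloud ranges, so check the unmatched list against what actually broke before widening the rules.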