Speaker password feature needed ASAP!

  • 12 August 2018
  • 86 replies
  • 2708 views

Sonos, please task one of your engineers with adding a password option to the Sonos system, just like Apple has done with their HomePods!

AirPlay 2 is a game changer when it comes to an open system like Sonos because any device with AirPlay 2 capability can take control of a Sonos system without intentionally installing the Sonos app. While this is convenient on some networks it is a royal pain in the arse for others.

Take my home network as an example. I have two wireless networks - one for the family and one for guests. The guest network has no access to Sonos, which is great. But everyone on the family network can control any speaker in the Sonos system because there is no way to secure them. Unfortunately I can't put them on a separate subnet due to the shared media and backup servers. Sure, I ask them not to connect to certain speakers and groups, but they don't see the harm in having the house filled with their cool tunes while I'm at work. Can't really blame them, but it causes problems with the neighbors and even me (sucks to ask Alexa to play CNN on a speaker and have it blaring close to full volume because someone forgot to turn it down).

BTW, this wasn't much of a problem before the AirPlay 2 update because none of the kids had the Sonos app installed on their devices, but now they connect without a second thought.

Please give us the option to protect speakers and groups of speakers.






Sounds like a discipline issue to me, not a Sonos issue... 😛
This thread originally had nothing to do with security issues, and people dumb enough to open port 1400 already lost us very valuable diagnostic tools. I'd hate to see what we lose next due to you attempting to cash in on security fears to get your personal wish for passwords to keep your kids from screwing up your volume and groupings.
I’m a natural worrier about all sorts of things, but to be honest I don’t see anything to worry about with the security of the Sonos system 🙂 I personally would hate it if I had to enter a password to use the system, so if it ever came to fruition I’d hope it would be an option rather than compulsory.
Treeguy,

I guess I could go out into town and get run over by a bus whilst crossing the road, or even fall down a sinkhole, I’m just not as paranoid about these things or the raised internal network matters as you, or some others here, appear to be.

I do my very best to keep my network secure, and even if a hacker gets in I doubt he, or she, would find anything that’s really worth stealing.. if they want to waste their time trying then good luck to them. I do use a hardware firewall and software/encryption and keep things updated. I pay for my email to be scanned and filtered externally too, prior to receipt. I keep some data secure offsite and all my information and operating systems are incrementally backed up.

I just don’t want the huge inconvenience of now having to enter a password every time I do something in an environment that I consider to be secure already. I understand some folk are paranoid about their security, but I don’t want those things forced on me.

The house analogy and 'padlocks on internal doors' that I mentioned earlier is the same thing... I don’t want to lock/unlock a bedroom door each time I enter/exit the room, in my secure home... if my home is broken into, the thief still has to find and get access to the safe. I prefer to spend my money on the perimeter and the safe, so I then have the freedom to move around the rest of the place, unhindered.

I have read the documents you refer to and nothing in those has altered my position on this, not in the slightest.
Then every smart device you own is "rife for exploit" if you are opening up your router to full access to the outside.

Sonos devices (and any other network connected device that lacks secure authentication) are rife for exploit on any network that is connected to the internet, because the idea that your network is secure just because you sit behind a firewall is a myth.

https://www.securitymagazine.com/articles/89098-is-the-internet-of-things-impossible-to-secure

The KRACK attack is another example showing that our networks are not as secure as we think: https://www.krackattacks.com/. Luckily this was shared by the researchers allowing for a backward compatible patch but hackers don't share their exploits so there is no telling what exploits are out there that haven't been patched.

Because Sonos devices lack authentication they are exposed to intruders using methods that no one outside of the hacker community is aware of!
As I stated, linking yourself with these types of articles is bad for your cause. I for one would hesitate before supporting any passwords on the system when this type of paranoia is the basis of the argument.
They already have strict authentication when accessing Sonos from the outside. You cannot add a new unit and/or link a service account without authentication.

That protects a different part of the system. It doesn't do anything to keep someone with access to the network from gaining control of the hardware.

You and others are making the assumption that your network is secure and impenetrable. It is not, no network is, that is why it is very important to have device level authentication.

You keep on saying open port 1400 to the outside world, and are missing the fact that the bulk of exploitation nowadays doesn’t work that way. Cross site scripting, infected documents, phishing messages and other client side exploits are the rule rather than the exception these days. If a malicious actor infects a legitimate site you connect to, say this one, and your browser downloads JavaScript, it could be used to access internal systems. OP is presenting a legitimate, verified and documented real world attack, and you keep dismissing him with the port 1400 argument.



None of which has anything whatsoever to do with Sonos app or hardware, lol.


Lol - yes it does. Anything installed on a modern network should be designed to protect itself against internal and external issues. That’s a basic standard of security today, and I agree with OP that Sonos should provide that capability to require authentication locally. Make it an option, so those who want it can turn it on, but leave it off for others.

However, security is primarily about risk management, and the risk of some attacker randomly choosing you to attack and then choosing your Sonos speaker instead of a poorly configured Windows, Mac or Android device in your network is quite low. Sonos probably does not have high enough market penetration to make that a major risk for home users. I would not allow Sonos on my main network in a workplace - it would be on a protected VLAN that required authentication to access, and limit control of the speakers to authorized parties. And would still have some concerns.
Those exploits allow a hacker to gain access to your network. Once they are in your network they can gain access to any unprotected network resource such as Sonos devices.
And what's the point of gaining access to a music system? Try and blackmail you because of your bad taste in music?
Wow. There are any number of things that could be done, but apparently you guys don’t want to think about them. The Mirai botnet in November 2016 was made up of internet of things devices. Machines on your internal network are exposed when another system is infected.

However, as I said before, the risk is probably low. There are likely just not enough Sonos devices out there for someone to take the effort to find, say, a buffer overflow error, write an exploit, and use that to target other devices or create a backdoor. Home users aren’t a valuable enough target for that level of effort. However, in a professional engagement, if my reconnaissance showed the use of those speakers, I’d sure as heck have someone on my team look at Sonos for vulnerabilities to allow control over the device. My most likely goal would be to launch a reverse direction VPN server on the Sonos device to allow someone to connect to me and gain access to the internal network at will.

Back to the OP's original question: lots of people with families or visitors would probably like to have some control preventing access to the speakers from anyone with the appropriate app. It’s a good suggestion on its own merits.

Addendum: Not every suggestion should be refuted nastily as an attack on Sonos.


There are more ways than I can count and many more that I've never heard of. It is a constant game of cat and mouse for the security industry.

https://www.wired.com/story/elaborate-hack-shows-damage-iot-bugs-can-do/


I don't need "more ways than I can count", I asked for one.

Just one.

Surely you can give me one way that you can log into a Sonos device in order to deliver mayhem.

And then when (If?) you give me one, explain how passwords for certain functions/rooms/volume in the app would prevent it.
So tell me, how do you log into that network connected computer?



You didn't answer the question. Please name just ONE instance where a hacker has successfully obtained the root login for a Sonos device, logged in, and used it to do anything at all. I'll wait...
If I did leave a window or door open, to my network, the worst thing for me is, that the thief may eventually find the location of the safe. Let’s just say that the safe in this instance is a 'crude' encrypted hidden drive partition that uses 3rd party encryption software, which perhaps has a 16 digit key that is not written down, or stored on the network. It really doesn’t matter if the client application that provides access to the partition is stored locally, or stored on a USB stick. I don’t use this method anymore by the way, but I used to, back in the mid-late 1990’s.

What I really don’t see now is how password protecting my Sonos system, or application, would make the slightest bit of difference to the thief that has already got this far onto the network. Who really is going to leave important stuff lying around unprotected and even if they do, why on earth would the thief head for the Sonos system application, when there are probably thousands of other applications that the thief could use or bring with him through the open window or doorway.

I still remain baffled by the argument here, it’s really seems quite irrelevant to the original post in this thread, which was more about stopping the kids using the Sonos application, by installing a password, which I’m sure the kids will probably eventually discover anyway, just by looking over your shoulder.

I still think chicks was right when he said this was more of a discipline matter, rather than a security issue.
Once again, that was because some idiots opened up port 1400 for all the world to see. You would have to enter your router setup and free up that port for this to happen. Certainly one so consumed with security would never do something like that? Also, that type of attack has been plugged, with no need for a password on the app (not that a password on the app would do anything to intercept someone bringing up web pages on the Sonos UPnP web server).

Still waiting for one of the "many exploits" . . .
IJN,

Yes you can create multiple 'secure' homes in the HomeKit App... see attached screenshot.

Hope that helps?
Thanks for the suggestion. I'll send along a feature request to add password protection to the Sonos system.

This would be a much appreciated feature!
I know the thread is old, but still within the top 5 most commented threads on the community.
Any update on Sonos' thoughts on this?
Hi there,

Thanks for the suggestion. I'll send along a feature request to add password protection to the Sonos system. For right now, the best way to limit access to the system is to use a guest network for internet access, but keep your Sonos system and music library shares on the private, password protected network.

Unfortunately that solution doesn't work if you already have a guest network for "guests" while there are other network resources that are shared with family members that you wouldn't share with guests.
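The staff suggestion above (keep Sonos on the private network, give internet-only access to guests) and the objection that the family network also carries shared media and backup servers can be reconciled with a third VLAN for the speakers, along the lines of the "protected VLAN" mentioned earlier in the thread. The ruleset below is an added example for this thread, not a configuration from Sonos or from anyone in the discussion; the interface names, subnets and host addresses are assumptions, and the only port it grants towards the speakers is TCP 1400, the UPnP control port the thread refers to:

```nftables
#!/usr/sbin/nft -f
# Added example, not a Sonos-supplied configuration.
# Assumed (hypothetical) layout on a Linux router:
#   vlan10  family devices   192.168.10.0/24 (media/backup server at 192.168.10.5)
#   vlan20  Sonos speakers   192.168.20.0/24
#   vlan30  guests           192.168.30.0/24
#   wan     upstream interface
#   192.168.10.10 is the one household device allowed to drive the speakers.
flush ruleset

define family     = 192.168.10.0/24
define speakers   = 192.168.20.0/24
define guests     = 192.168.30.0/24
define mediasrv   = 192.168.10.5
define controller = 192.168.10.10

table inet segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Every VLAN may reach the internet; nothing else crosses VLANs by default.
        iifname { "vlan10", "vlan20", "vlan30" } oifname "wan" accept

        # Only the designated controller may reach the speakers' control port
        # (TCP 1400, the UPnP/SOAP interface discussed in the thread). Any other
        # family device, and every guest, is dropped by the chain policy.
        ip saddr $controller ip daddr $speakers tcp dport 1400 accept

        # Speakers may read the music library share on the media server (SMB),
        # so the shared server does not have to move off the family VLAN.
        ip saddr $speakers ip daddr $mediasrv tcp dport 445 accept

        # Family devices and the media/backup server share vlan10, so their
        # traffic never enters this forward hook and needs no rule here.
    }
}
```

Two caveats a practitioner would want before relying on this. First, the Sonos controller discovers speakers with link-local multicast (SSDP on 239.255.255.250:1900), which a routed VLAN boundary does not carry; the controller VLAN therefore needs a multicast relay, and any further ports the controller app turns out to need should be opened for $controller only, never for the whole family subnet. Second, the rule keys on a source address, not on a person: it stops the kids' phones, but it does not authenticate the device that is allowed through, which is exactly the gap the per-speaker password request in this thread is about.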

Maybe some of both. IMO having unsecured devices on our networks is very risky and it is only a matter of time before we see malware that infects PCs with the goal of gaining access to the unsecured Sonos devices.

https://www.wired.com/story/hackers-can-rickroll-sonos-bose-speakers-over-internet/

"The unfortunate reality is that these devices assume the network they're sitting on is trusted, and we all should know better than that at this point," says Mark Nunnikhoven, a Trend Micro research director. "Anyone can go in and start controlling your speaker sounds," if you have a compromised device, or even just a carelessly configured network."

"The researchers note that audio attack could even be used to speak commands from someone's Sonos or Bose speaker to their nearby Amazon Echo or Google Home. They went so far as to test out the attack on the Sonos One, which has Amazon's Alexa voice assistant integrated into its software. By triggering the speaker to speak commands, they could actually manipulate it into talking to itself, and then executing the commands it had spoken.

Given that those voice assistant devices often control smart home features from lighting to door locks, Trend Micro's Nunnikhoven argues that they could be exploited for attacks that go beyond mere pranks. "Now I can start to run through more devious scenarios and really start to access the smart devices in your home," he says"
From your link above:

Instead, if you own one of a few models of internet-connected speaker and you've been careless with your network settings, you might be one of thousands of people whose Sonos or Bose devices have been left wide open to audio hijacking by hackers around the world.


Read the bold. Also, Sonos has already patched this security risk for those that are stupid enough to open port 1400 to the entire world.
IMO, a design where anything with access to my home network can also connect to any Sonos device on my network without authentication is rife for abuse and exploits. I can lock down our network settings to prevent hackers from getting in the front door but there have been router exploits in the past and we are likely to see more in the future. Another example of an attack vector would be Malware that is spread via email and websites that users on the network access. IMO, as long as Sonos devices lack authentication they are an easy target because there is no such thing as a 100% secure home network if that network is also connected to the internet.

Then every smart device you own is "rife for exploit" if you are opening up your router to full access to the outside.

And that article said nothing about those other attacks, it was strictly about people who stupidly opened their routers up and basically yelled "C'mon in y'all!"

Look, you have a good case for wanting a PIN or password on your system. Allying yourself with the numbskulls who purposefully opened up their systems because they know nothing about networking does nothing but hurt that case.

So be it. IMO, having an understanding of the weaknesses inherent in network security is a good thing if you are going to deploy network connected devices that lack authentication because nets are constantly under attack.

http://map.norsecorp.com/
Optional authentication, similar to what we see in Apple's HomePod, shouldn't cause you to lose anything you already have. Instead it provides security to those customers that need it.