Support for SMB v2 or v3



My set of speakers has largely remained unused for the three years I've had them. Evidently VLANs are another decades-old technology that is too challenging for Sonos to figure out. I finally figured out how to overcome that hurdle, but now ridding my network of SMB1 has rendered them useless again. It may be too late already, but Sonos is really alienating a lot of current and potential customers. People like me who have discovered the wonders of sub-$50 Chromecast Audio adapters.
Sigh.

I was thinking of buying some more Sonos speakers, but when they are totally unsecure and there is no change in sight, I even think about selling them again. Even if these are good speakers, but not even supporting SMBv2 is unjustifiable!!! Especially when not only security advisors but even Microsoft explains this in detail!

Same here - was going to buy some Play1's for surround sound under the recent offer but my main use-case is SMB access to a Windows 2012 server that (for obvious reasons) now has SMB v1 disabled. I've got just over 1.1 TB of FLAC files on there that the Sonos can no longer access. Every CD / Vinyl I buy goes straight onto there (the latter using an M-Audio FireWire device and Audacity software).

I contacted support but they just DON'T CARE! They even said that just using it at home, and now it comes, IS NO RISK AT ALL!
That said I'm not only angry, I will even tell everyone around me to stop buying Sonos!

nightmare1942 wrote:

I contacted support but they just DON'T CARE! They even said that just using it at home, and now it comes, IS NO RISK AT ALL!
That said I'm not only angry, I will even tell everyone around me to stop buying Sonos!



For my education, could you outline the specific risks I'm facing in allowing my Sonos equipment to continue to utilise SMB v1 while connecting to the NAS on my Apple Time Capsule? In what way are my speakers 'totally insecure'? Or does the insecurity apply only to Microsoft's products? Thanks.
pwt wrote:

For my education, could you outline the specific risks I'm facing in allowing my Sonos equipment to continue to utilise SMB v1 while connecting to the NAS on my Apple Time Capsule? In what way are my speakers 'totally insecure'? Or does the insecurity apply only to Microsoft's products? Thanks.



Your speakers aren't insecure themselves. But if you connect your Sonos system to a music library stored on your computer or a Network Attached Storage (NAS) device, the connection to that music library is using a version of SMB that is full of vulnerabilities and attacks, and that Microsoft itself has recommended everyone stop using because of the vulnerabilities that exist in it. So Sonos is requiring that you run other devices in an insecure manner in order to use that functionality of Sonos.

But if you do all of your music listening through streaming sources and don't have your own local music library, then there's nothing for you to worry about, as far as Sonos is concerned.
Whilst I appreciate some of the concerns here, as far as I am concerned the known SMB V1 vulnerabilities have patches available. All you need to do is apply the patches and leave SMB V1 available.

Vendor advice to disable it, if you don't need it, makes a lot of sense. Same applies for any other protocol or service. But you do need it, so get patched and carry on as before.
RO53BEN wrote:

Whilst I appreciate some of the concerns here, as far as I am concerned the known SMB V1 vulnerabilities have patches available. All you need to do is apply the patches and leave SMB V1 available.


This. The patches have addressed the known vulnerabilities, so suggesting that:
PersonWhoLacksPerspective wrote:

they are totally unsecure


Is simply wrong.

Microsoft itself has recommended everyone stop using because of the vulnerabilities that exist in it. So Sonos is requiring that you run other devices in an insecure manner in order to use that functionality of Sonos.


The known vulnerabilities have patches, so Sonos isn't requiring you to run anything 'insecurely'. They're requiring you to run an aged protocol that is at a much higher risk for new exploits than the more current versions. It's important to remember that the major hacks WannaCry and NotPetya exploited problems that fixes had *already been released for*. That means if you were using SMBv1, and your system was up to date, then it couldn't have affected you.

So let's step back and look at the big picture here. Should Sonos address this by switching to a newer version as the default? Yes. I even believe they'll eventually get around to it, and there's nothing wrong with telling Sonos that it's important to you.

Throwing a tantrum like a two-year-old is pointless and well outside of a rational response though:

I contacted support but they just DON'T CARE! They even said that just using it at home, and now it comes, IS NO RISK AT ALL!
That said I'm not only angry, I will even tell everyone around me to stop buying Sonos!



But if you do all of your music listening through streaming sources and don't have your own local music library, then there's nothing for you to worry about, as far as Sonos is concerned.


*This next part is only my opinion.*

There's an important kernel of information in that sentence you've posted. Sonos has made it clear that they view the streaming user as more of their core market. That means items such as the one being discussed in this thread will not be given top priority. If it's crucial to you then that should be weighed against new/future investments in their product line. Again, I'm all for telling Sonos what you want, but be aware of what they say too. It might not always be as clear as "we view your use case as marginal".


Edit:

I missed this earlier.

Evidently VLANs are another decades-old technology that is too challenging for Sonos to figure out.


More than "too challenging", Sonos probably (accurately in my mind) decided that developing around technology in use by a fraction of a percentage of households probably isn't a good way to spend development dollars.
Actually, Microsoft has acknowledged at least one denial-of-service vulnerability in SMBv1 that it is not patching in Windows.

http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

Now, some might say that's not a security issue, since it's not gaining control of an account or accessing data or elevating privileges, but it's still a vulnerability and it's still unpatched.

And yes, I'm aware that Sonos has stated that they see streaming as the future, regardless of how many of us have thousands of songs in digital music libraries stored on computers or NAS devices. I also realize that they may not put as high of a priority on fixing the issue as a result. But that doesn't lessen its importance, or the desire of some to continue pushing for this to be fixed/changed until it is done.

Now, some might say that's not a security issue, since it's not gaining control of an account or accessing data or elevating privileges, but it's still a vulnerability and it's still unpatched.


Unpatched but very easily addressed too. If I was being a contrarian I would call this more of a configuration error than a vulnerability. That's why it's present in all versions of SMB.

I'm aware that Sonos has stated that they see streaming as the future, regardless of how many of us have thousands of songs in digital music libraries stored on computers or NAS devices.


I would bet that Sonos has made their decision not "in spite of" the number of people who use local sharing but because of it.

I agree with the rest though, and intelligent commentary such as yours helps the conversation (even if we quibble on minor points). There are others who don't.
If you are worried about your NAS data just add a different NAS device that can be running the v1 SMB to keep Sonos happy. I used a Raspberry Pi and an old disk drive and got it working for under $50. No need to worry if all that is there are copies of your music files.

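The separate SMB1-only music box suggested in the last post, sketched as a Samba `smb.conf` that keeps the legacy dialect confined to a read-only copy of the library. This is an added example, not configuration posted by anyone in the thread; running Samba on the Raspberry Pi, the share name, path, interface, subnet and guest access are all assumptions.

```ini
# /etc/samba/smb.conf on the dedicated music box (constructed example).
# The main NAS or Windows server keeps SMB1 disabled; only this box accepts it.

[global]
    # NT1 is Samba's name for the SMB1 dialect. Current Samba releases default
    # to a higher minimum, so SMB1 has to be allowed explicitly.
    server min protocol = NT1

    # Listen only on loopback and the LAN interface (eth0 is an assumption).
    bind interfaces only = yes
    interfaces = lo eth0

    # Unknown user names fall through to the unprivileged guest account,
    # so no real credentials are ever sent over the SMB1 session.
    map to guest = Bad User
    guest account = nobody

    # This box serves music and nothing else.
    load printers = no
    printcap name = /dev/null

[music]
    # Holds copies of the music files only (placeholder path).
    path = /srv/music
    # No client can modify or delete anything over the legacy protocol.
    read only = yes
    guest ok = yes
    guest only = yes
    # Accept connections from the home subnet only (placeholder range);
    # where the two lists conflict, hosts allow takes precedence.
    hosts allow = 192.168.1.0/24 127.0.0.1
    hosts deny = ALL
```

Running `testparm -s` on the box validates the file before Samba is restarted. If the player cannot use guest access, substitute a dedicated low-privilege account that is used nowhere else.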