So Sonos has a new web app that accesses my speakers from the internet through my firewall/router. That’s kind of scary to me. I don't like most appliances having access from the outside world, and that opens the door to hackers to get into my network. Does anyone know how Sonos opened that hole in my firewall without my knowledge? Do we know what security is in place to prevent hacking?

Hi @Pschwenk, while I concur that the new web app raises concerns, it isn’t as bad as you might think. Sonos servers are not able to “reach into” your home network; rather, your Sonos devices connect to the Sonos servers in tandem with the web app and the new mobile apps connecting to the Sonos servers. I call this a “split architecture” and it is prevalent in almost all smart home devices (thermostats, lighting, etcetera). Nothing needs to be opened in your firewall, which is one reason the split architecture is used so widely.

First thing I suggest is setting a proper strong password on your Sonos account. Go to https://www.sonos.com/en-us/myaccount/user/profile and click the “Reset password” link. Second thing I suggest is letting Sonos know that they need to implement two factor authentication (2FA) on sonos.com (and by extension, the web app).


When I access the web app through play.sonos.com from outside my network and can control the system wouldn’t this be a case of Sonos servers reaching in to the network?

With the way the Sonos web API worked before, everything originated from within your network; now commands can come from outside.


Thank you for that explanation. That's what I needed to know. Funny, because I just reset my password today. I always use strong passwords because I can remember them all anyway.


When I access the web app through play.sonos.com from outside my network and can control the system wouldn’t this be a case of Sonos servers reaching in to the network?

Technically, no. Each of your Sonos devices initiates a connection with the Sonos servers. After that connection is open, commands from the server—in response to what you do on the web app—are passed on to the selected device.

Now the above is somewhat pedantic, I suppose, as if someone guesses your password and logs into the web app (something that seems to have happened to a handful of users, documented on these forums) it certainly feels like the ne’er-do-well has hacked your Sonos device(s).
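The "split architecture" described in the last two replies, as an added illustration that is not Sonos code and makes no claim about how their service is actually built: the speaker opens an outbound connection to a hypothetical cloud relay, the app's command is only accepted after an account-credential check, and the relay then hands it down the connection the device itself opened. It also shows why a guessed password is the whole ballgame, since credentials are the only gate on that path.

```python
import hashlib
import hmac
import queue
import secrets


class CloudRelay:
    """Hypothetical vendor cloud service (constructed for illustration)."""

    def __init__(self):
        self.accounts = {}   # account -> (salt, pbkdf2 hash of the password)
        self.devices = {}    # account -> {device_id: outbound connection queue}

    def register_account(self, account, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.accounts[account] = (salt, digest)

    def check_password(self, account, password):
        if account not in self.accounts:
            return False
        salt, stored = self.accounts[account]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, stored)

    def device_connect(self, account, device_id):
        # Device side: the speaker, from inside the LAN, initiates this link.
        # Nothing inbound is ever opened on the home firewall.
        conn = queue.Queue()
        self.devices.setdefault(account, {})[device_id] = conn
        return conn

    def app_command(self, account, password, device_id, command):
        # App side (web or mobile): the only gate is the account credential,
        # which is exactly why a guessed password controls the speakers.
        if not self.check_password(account, password):
            return "rejected: bad credentials"
        conn = self.devices.get(account, {}).get(device_id)
        if conn is None:
            return "undeliverable: device has not connected"
        conn.put(command)   # relayed down the device-initiated connection
        return "relayed"


class Speaker:
    """Hypothetical device that keeps one outbound connection to the relay."""

    def __init__(self, account, device_id, relay):
        self.inbound = relay.device_connect(account, device_id)
        self.received = []

    def poll(self):
        while not self.inbound.empty():
            self.received.append(self.inbound.get())
        return list(self.received)


def demo():
    # Constructed sample account and device; the outcomes are the point.
    relay = CloudRelay()
    relay.register_account("alice@example.com", "correct horse battery staple")
    speaker = Speaker("alice@example.com", "living-room", relay)
    bad = relay.app_command("alice@example.com", "guess1", "living-room", "play")
    ok = relay.app_command("alice@example.com", "correct horse battery staple", "living-room", "play")
    missing = relay.app_command("alice@example.com", "correct horse battery staple", "kitchen", "play")
    return bad, ok, missing, speaker.poll()
```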