Question

How secure is our registration information? Is Mirai a possibility for Sonos speakers?

  • 24 October 2016
  • 12 replies
  • 720 views

Hardware registration, Sonos account information, and the Sonos forum are all handled by the same software - Insided. Given that after 2 weeks this software is still incapable of rejecting spam, how secure is our account and registration information?

Is it possible that all Sonos speakers could be hacked using Mirai or similar to become part of a botnet used in DDOS attacks?


12 replies

Great question! Following.
Userlevel 7
Badge +26
Hi Peter,

Security concerns are always valid in this day and age. The Sonos account information is managed on our servers, not InSided. We use an SSO so that you don't need multiple accounts, but the account credentials are managed mostly on our end of things. The spam is being done by people manually creating accounts and posting spam.

As to the most recent attacks, there is zero evidence to suggest that Sonos speakers were compromised. If you have any questions or concerns you're more than welcome to DM me too.

...the account credentials are managed mostly on our end of things.

Mostly? Where else are they managed? And is this a security risk?
Userlevel 7
Badge +26
...the account credentials are managed mostly on our end of things.

Mostly? Where else are they managed? And is this a security risk?

There has to be a handshake to confirm the account is authenticated, but I don't have all the details there, so "mostly" is just to cover my lack of knowledge. The specifics may be something that the team would prefer not posted here as well, but I'll check in with them. I can assure you though that they're definitely concerned with your privacy and security.
Thanks Ryan. I'm sure the Sonos team are concerned with our privacy and security. But the fact that after 2 weeks the forum is still being spammed doesn't generate a lot of confidence. Expressions of concern and absence of spam are two very different things.
As I remarked elsewhere, product -- specifically firmware -- development and customer services are typically entirely different parts of an organisation. There's no logical reason why the shortcomings of this particular choice of forum software should affect the behaviour of the player firmware.
Nor should there be any relationship between account security and spam posted on a board. Two very separate things. Posting spam doesn't require any access to account information.

That's not to absolve them from needing to be concerned about account security, but there really isn't any reason to link the two in your mind.
Ratty and "Bruce" - I would very much like to agree with you. So let me outline my concerns and you can point out where you think I'm wrong.

If InSided are sufficiently technically incompetent as to be unable to control some very simple spamming within 2 weeks, then I have trouble trusting they can manage other more complicated aspects of their software. One of these aspects is managing the SSO (single-sign on) required to authenticate forum users. As Ryan states above, this is done via a handshake with servers at Sonos that must be connected with our account information there. So there is the possibility for a hack of Sonos computers this way. Once inside Sonos, presumably it would be possible to access Sonos devices remotely (if Sonos can do it, so can a hacker), and/or alter firmware maliciously.

Now I confess this is all low probability stuff but it does happen. The Australian Bureau of Meteorology was recently hacked, despite already being vigilant and competent in IT security. As well as stealing IP and research, the alleged Chinese hackers were looking for a way into other Government agencies such as Defense because they are connected; Defense uses weather forecasts!

Cheers, Peter.

p.s. I have nothing but admiration for Ryan and all the other Sonos staff having to deal with this. It must be very frustrating.
If InSided are sufficiently technically incompetent as to be unable to control some very simple spamming within 2 weeks, then I have trouble trusting they can manage other more complicated aspects of their software. One of these aspects is managing the SSO (single-sign on) required to authenticate forum users.
I agree. Even the great and mighty have been hacked, and they are neither of those things. At the beginning of this year they were described as a startup with 60+ employees.
https://medium.com/@wouterinsided/insided-6m-series-a-investment-round-founders-notes-29654454da29#.27z9tpl50

Sonos themselves have already had their own brush with data exposure. Just 4 years ago they were transmitting the user ID and password credentials for our streamed services, between zones, in plain text. Not just when the account was created, but each time a track was opened.
https://en.community.sonos.com/troubleshooting-228999/sonos-security-patch-27627

The exposure of that was probably an excellent wake-up call, and with no embarrassing data breach apparently, other than just a few techie types sending each other network transaction dumps. I think that it is good that our account info is in-house, but it is concerning that Insided is handling more than just forum traffic and archives.
At the beginning of this year they were described as a startup with 60+ employees.
https://medium.com/@wouterinsided/insided-6m-series-a-investment-round-founders-notes-29654454da29#.27z9tpl50

Oh dear.
We are on a mission to communitize the world.

Lots of fancy words, but nothing about the fact that the "traditional old school (1st generation) forums" actually provided the features that regular board users (and admins) really needed. Such as a useful advanced search, to take one glaring example. Or an auto-moderator.

And from http://www.insided.com/news/insided-raises-6m-round/:
While traditional forum-based communities have been around for decades, inSided has added technology to reach existing company business goals, with results like 80% less calls to the contact centre

Could this be by 'deflection into peer-to-peer interactions', encouraged by those badges and scores? The tragic irony is that the "ambassadors and super users" found their efforts so hamstrung by the quality of the supporting platform that a lot of the old forum regulars evaporated.
Userlevel 7
Badge +18
a lot of the old forum regulars evaporated.
The way this 'community' is structured doesn't incite me to pitch in as I was used to doing. I've got the distinct feeling 'the old forum regulars' are being used to function as non-paid Sonos employees. Those 'regulars' play the role of a regular first line helpdesk, and the Sonos employees only get to work as a second line helpdesk. Doesn't feel right to me.
Interesting perspective, beynym. That's exactly the same kind of behaviour I've seen in most communities that I've either partaken in, or managed. Those who have knowledge and desire to help do so. And frankly, there's quite a few folks who are members here who seem to have even greater knowledge about the way the system works than the folks who are paid to be community managers. And are quite willing to help those who ask for it.

I applaud, and respect those who do so. I lament the fact that many of us, myself included, sometimes become short or less than helpful, since we often seem to be answering the same question over, and over, and over.... I admire those community managers from Sonos who seem to do a great job keeping things in check. Having managed several groups of community managers, I recognize how difficult their job is. Especially given the hate often spewed on them, when they're likely not the decision makers, but those who just have to pass on a message that someone above them has expressed.

But if you feel it's not for you, I do respect that. There's never going to be a perfect environment for every type of user, just like there's never a piece of software that is perfectly designed for me. Every company has to look at the question of "how do I best serve the maximum amount of people, with the least amount of resources, so I can continue to be profitable". That generally leads to losing contact with corner cases that are equally as valid as the mainstream, but just can't get the amount of attention that they need. I've been looking for a solution to that my entire professional life, and haven't found a great solution yet.

I'm sorry that you don't feel comfortable in this environment. However, I'll continue to assist those who I think need help, mostly because I believe that the Sonos environment, once set up properly and functioning, is a balm for the soul. Do I think Sonos is perfect? No. Would I love to be a product manager at Sonos? Sure. But no, I'm not a Sonos employee, just a former musician that enjoys technology and having pretty good music going in the background in my home.

But the bottom line is, what works for me doesn't necessarily work for you. And I'm wise enough to admit that I am not the center of the universe, and that other perspectives are equally valid as mine.

I hope you find someplace where you can feel that it's "right" for you.