Sonos support for SMB 2.0 protocol

  • 18 September 2016
  • 274 replies
  • 43897 views



Userlevel 6
Badge +5
Plex provides an easy workaround, no work required and no compromise to security.
But, unless it's improved a lot recently, the Sonos version is so limited as to be useless for anyone with varied taste in music.
That's one issue. The other issue being that getting Plex to work on a FreeNAS is not as simple as on a Synology, QNAP or ReadyNAS. In the end, setting up a burner HDD was much simpler and easier for me. I also remain unconvinced that Plex is as secure a method to safeguard a NAS' contents as simply hosting a copy of the relevant Sonos content on a drive that is expendable. It's my canary in the coalmine.
Userlevel 1
Badge +1
I'm not enough of a techie to implement some of the DIY solutions suggested here or even to understand all of the debate. But this issue makes me extremely uncomfortable about my Sonos / NAS setup and I wish Sonos would fix it. Interestingly, it seems that at least some of Bluesound's products (Vault) also depend on SMB v1. There's a post in their community in early February where they say they hope to release an update "in the coming weeks".
The use of workarounds like a 'burner' HDD, Plex, etc. just to avoid getting bitten by issues associated with known-unsafe network protocols shouldn't be necessary.
Quite...
I'm not enough of a techie to implement some of the DIY solutions suggested here or even to understand all of the debate. But this issue makes me extremely uncomfortable about my Sonos / NAS setup and I wish Sonos would fix it. Interestingly, it seems that at least some of Bluesound's products (Vault) also depend on SMB v1. There's a post in their community in early February where they say they hope to release an update "in the coming weeks".
If a NAS Box is quite old and only supports the CIFS/SMB v1 protocol anyway, such as an old Netgear ReadyNAS for example, then anything that Sonos develop, is unlikely going to make a difference to things in such cases.

Likewise if a user has a Windows device on the LAN that has an operating system prior to Vista, for example ...Windows XP.

Support and firmware updates for many old NAS boxes probably ended a long time ago... and the same goes for Windows XP, so it may mean a NAS or computer hardware upgrade too in some cases, for those who have these security concerns.

I’m not personally concerned by the issues raised in this thread.

In a worst case scenario for those sharing just a Sonos music library on their LAN, is the access to the SMB unencrypted data in one or more of the protocol transfer pipes and redirection of the music file(s) that are in transfer, or the potential to execute code within the pipe and create a denial of service.

The data in transfer and the pipe have now been better protected with encryption in SMB v3.1.

None of the things in this thread really overly concern me and that’s assuming that the 'hacker' ever manages to get through the other protection in place on a secure LAN in the first instance.
Userlevel 7
Badge +15
Ken, nobody is asking Sonos to switch off SMB1, it's asking for support for the 'newer' (10+ years old!), more secure versions. If users of old equipment continue to use it, that's their choice.
We know you're not concerned by it, you've done it to death.
Ken, nobody is asking Sonos to switch off SMB1, it's asking for support for the 'newer' (10+ years old!), more secure versions. If users of old equipment continue to use it, that's their choice.
We know you're not concerned by it, you've done it to death.

sjw,
I didn’t say Sonos were going to switch off SMB v1 Support ... I said those still using old NAS Boxes and Windows XP would still need to upgrade their other old hardware if they were 'concerned' by the SMB security issue.

I think I am allowed to do things to death by the way... it looks like I need to sometimes, as you seem to completely misread some of the things in my posts.
Userlevel 7
Badge +15
Ken, if you feel the need to write such obvious things that old devices stuck on SMB1 won't be affected by a possible Sonos change then go for it. I don't misread your posts at all - although I will admit I don't and can't read them all. You obviously have a huge amount of time on your hands as evidenced by the huge amount of posts that can rarely be read without the use of the scrollbar. Concise is not something you do.
Ken, if you feel the need to write such obvious things that old devices stuck on SMB1 won't be affected by a possible Sonos change then go for it. I don't misread your posts at all - although I will admit I don't and can't read them all. You obviously have a huge amount of time on your hands as evidenced by the huge amount of posts that can rarely be read without the use of the scrollbar. Concise is not something you do.

sjw,

You most certainly don’t have to read any of my posts here sjw, nor indeed waste any more of your time by replying to them. Yes I have lots and lots of time, but clearly you don’t, so I suggest you perhaps just skip past them.

I guess that’s all a bit obvious too, to say these things, but I really (really) just wouldn’t want to see you wasting your time any further.
Userlevel 6
Badge +5
Interestingly, it seems that at least some of Bluesound's products (Vault) also depend on SMB v1. There's a post in their community in early February where they say they hope to release an update "in the coming weeks".
That's at odds with a statement that I got from Bluesound almost a year ago: "All Bluesound Players are currently compatible with SMB3."

Additionally, unlike Sonos, the Bluesound Node players can have a USB-based storage media plugged into them directly for site-wide music library use (i.e. no NAS needed).

The Vault is basically a Node player with a CD ripper and hard drive. While it is possible that the Vault could be running a very different network protocol stack than Nodes and Power Nodes, I find that a highly-unlikely scenario. Do you have a reference?

As for the SMB1v1 issue, there are known, unpatched issues with SMB1, there have been exploits in the wild, and there is no reason to believe that there won't be any more attempts at exploits in the future. To me, running a server with any sort of important content that allows SMB1v1 connections borders on the irresponsible. That's why I host my Sonos content on a burner HDD attached to an Apple Base Station.

To me, network security means battening down all the hatches, minimizing attack surfaces. There are many aspects to this, ranging from keeping up with firewall firmwares, using honeypots, to isolating unrelated components via VLANs. If that sounds rather corporate, oh well. How much is your data worth to you?
Userlevel 6
Badge +5
Interestingly, it seems that at least some of Bluesound's products (Vault) also depend on SMB v1. There's a post in their community in early February where they say they hope to release an update "in the coming weeks".

Interesting. As of June last year, Bluesound wrote to me that all their players supported SMB3. Do you have a link you could share?
Badge
I was updating my Music Server to Windows 10 1803 and even with activated SMB v1 I got no Access to my Music Share with Sonos. Right now I haven't fully investigated if this is a result of the update failing or if it is something with the Firewall but wanted to mention this as this could give pressure in case this is 'works as designed' in Win 10 1803...

I will try with a clean install soon just to verify if Sonos will work with Win 10 1803 or not...
Lost my music library due to this. Had to force my Netgear router back to old firmware to get it to work again. Plex service requires Internet connectivity which doesn't work for our mobile setups.
Userlevel 1
Can't believe this isn't fixed yet and there's massive outcry regarding this. Everyone on an updated Windows 10 OS running a local library is affected. How can they let their customers down this way? This baffles me.
Userlevel 7
Badge +21
What, a two-minute tweak to Windows is too much to ask? If you don't want to tweak your Windows then add a NAS for under $100 and be done with the issue.

The details of what would have to be done by Sonos to make the v1 to v3 change have been guessed at here on the forums and it is not a small task and may force Sonos to drop support for older hardware like the early Zone Players.

I DO NOT WANT a $100 coupon from Sonos telling me "Sorry your Zone Players are as dead as the CR-100" and having to buy newer Connects to replace them. I'd be even less happy if they had to zap my really old Play 5s too.
Userlevel 1
Badge
Stanley, your solution is indeed not very hard to do, nor is it expensive. Buying a RPi and an external HD should not cost more than $100. Putting OpenMediaVault on it is also not very hard to do thanks to all the online tutorials.

On the other hand, all this should not be needed. If only Sonos would update its SMB stack and simply add at least SMB2, but preferably also SMB3. Up to now this problem did exist but was largely unknown because Sonos "just worked". Recently, Microsoft disabled SMB 1 with every fresh Windows 10 install and possibly also when you do one of the bigger updates (like spring or fall update). So the users running into this problem will increase a lot now, and hence also the support questions regarding this issue.
I'm sure Microsoft did not take this decision lightly or unannounced. When Sonos then simply suggests setting up SMB v1 again to "rectify" this issue this seems very irresponsible to me.

I get there is more money to be made for Sonos in the streaming market, but I sure hope they do not forget that users who play their own content were their very first customers. The customers that helped to define their success.
As has been extensively discussed in this thread, and others regarding the same topic, many of us feel as though the reason they have not moved yet to SMBvX is because they are not forgetting the users who play their own content who were the very first customers. Many of us are of the opinion that in order to update the SMB version, it would require invalidating many of the older speakers, as we think that the kernel difference would no longer fit on the available memory of some number of speakers. Many of us are also of the opinion that Sonos is doing a significant amount of research into other methods that might obviate the need to use SMBv1, and also not increase the size of the kernel.

As to how easy that might be, I leave it to the reader, and imagine that Sonos probably was aware of the SMBv1 retirement before many of us.

They've responded to this and many other threads with acknowledgment that it's an issue they're thinking about. It's hard to believe that they would respond in such a fashion if they weren't indeed looking at figuring out how to resolve it.
Userlevel 7
Badge +21
BartDG, You don't even have to add Open Media Vault, the Raspberry Pi has SAMBA as an option in the default software load.

If it was easy to do Sonos would have upgraded their SMB long ago and stopped all this abuse. Look at the Sonos GPL software pages and see if you can sort out a way to add SMB v2 or v3 without going beyond the limits of the older hardware or dropping features that are more important to more users.

I do not want another CR-100 style e-mail for my older Sonos gear!
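
The sacrificial Samba share discussed in this thread, sketched as a locked-down smb.conf. This is an added example, not configuration from any poster or from Sonos; the interface name, subnet and path are assumed placeholders, and it assumes the players can read the share as guest.

```ini
# /etc/samba/smb.conf for a sacrificial, music-only share (constructed example).
# Assumed placeholders: eth0, 192.168.10.0/24 (the players' subnet), /srv/sonos-music.
# The box holds only a copy of the library; nothing else of value lives on it.

[global]
   server role = standalone server
   # Samba 4.11+ defaults to SMB2_02 as the minimum; SMB1-only players need NT1.
   # This is the weak setting, confined here to a host that is expendable.
   server min protocol = NT1
   # Listen on the wired interface only, and answer only the players' subnet.
   interfaces = lo eth0
   bind interfaces only = yes
   hosts allow = 127.0.0.1 192.168.10.0/24
   hosts deny = 0.0.0.0/0
   # No real accounts are exposed over SMB1: unknown users are mapped to guest.
   map to guest = Bad User
   guest account = nobody
   # No printing services on this host.
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes
   # Per-client logs, with extra detail on authentication attempts.
   log file = /var/log/samba/log.%m
   log level = 1 auth:3

[music]
   path = /srv/sonos-music
   # Read-only at the share level; the files should also be unwritable by "nobody".
   read only = yes
   guest ok = yes
   guest only = yes
   browseable = yes
   # Keep clients inside the share tree.
   follow symlinks = no
   wide links = no
```

Running `testparm -s` against the file reports syntax errors and unknown parameters before smbd is restarted.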
I do not want another CR-100 style e-mail for my older Sonos gear!
Well, yes... Critical as I may be of the lack of later versions of SMB, I'd much rather keep my ZP90 working with a sacrificial NAS than have to dump it. However, I have no use for voice control or for paid streaming (I very occasionally use radio), so would much prefer better support for local networks. As I accept that this is not the direction that Sonos is moving in, then I just have to wait until either Sonos completely breaks my setup or something that suits my particular purposes better comes along. I don't really need all rooms in sync, so there may well be better and cheaper options available for my preferred use.
Userlevel 7
Badge +21
You could build a Sonos like system that you had full control over, you probably couldn't sell copies though as Sonos has a lot of the needed tech locked up in patents. Reading them would be a good place to start but don't be Denon and get your hand slapped for stealing!

Look into a Raspberry Pi as your hardware base, Ethernet, WiFi and a good amount of computing power, memory and flash. Skip using the built-in analog audio and get a good DAC add-on card for the output. Several other SBCs would also serve as a base if you don't like the Pi's offerings.
Userlevel 1
Badge +1
Interestingly, it seems that at least some of Bluesound's products (Vault) also depend on SMB v1. There's a post in their community in early February where they say they hope to release an update "in the coming weeks".

Interesting. As of June last year, Bluesound wrote to me that all their players supported SMB3. Do you have a link you could share?


Constantin, apologies for the delay in responding. I haven't logged in here for several weeks. I'm not sure if the thread below in the Bluesound community is the same one I'd seen before but the gist is I think the same. The relevant quote is in the latest post in the thread.

https://support1.bluesound.com/hc/en-us/community/posts/115008228848-Cannot-Access-Vault-2-Via-Home-Network-After-New-Windows-10-Upgrade-
Allowing any device in your network to use smb1 is just plain retarded. Gateway or not the myriad of security flaws in smb1 remain.
https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

Sonos really should get on this and support at least smb 2 or better 3.
Just curious, did you read the thread, or simply post your opinion?
Gensplejs,

I would like to know how the 'man in the middle' is going to get onto my LAN in the first place to execute the code in the SMB pipes that will cause 'the denial of service', or maybe redirect some of my song tracks?

I would like to think my LAN 'perimeter', 'entrances' and 'exits' are all well-guarded and if they are not, for any reason and there is a failing on my part to secure the LAN from outsiders, then the SMB protocol and message block transfers, will probably be the least of my worries anyway.

That aside, Sonos have said they are working on this issue, presumably for Windows users, where SMB v1 has been disabled by default. There will be nothing Sonos can do though, for people with old unsupported NAS boxes that still use CIFS/SMB v1.
Userlevel 6
Badge +5
Constantin, apologies for the delay in responding. I haven't logged in here for several weeks. I'm not sure if the thread below in the Bluesound community is the same one I'd seen before but the gist is I think the same. The relevant quote is in the latest post in the thread.
Thank you for the reply! The content of that thread is more than a bit confusing but the gist appears to be that SMBv1 support is still needed. That's a direct contradiction with what the OEM shared with me last summer.... reality check between Sales vs. Tech Support. :8 I wonder if they've resolved it by now, it's been several months. :D

With a burner NAS as a local Sonos source for content, one should be able to sleep relatively well at night. Given how much time has elapsed since the relevant Sonos team was made 'aware' of the user request for better network security, I wouldn't expect a solution anytime soon. Perhaps the new windows 10 default settings will prod the issue to a higher position on the to-do list, but I doubt it.

Based on what firmware upgrades have been released recently, streaming and Alexa/Siri/whatever integration seems to be the current focus. I doubt that guarding entry and exit points on the network is sufficient. Every organization I've been with uses multiple layers to secure their networks. I don't see why it shouldn't be any different at my home.

Stanley, have you installed an IDS on that Raspberry Pi of yours yet? Might as well get additional uses out of it. 😃
Userlevel 7
Badge +21
I have far too many PI's running here, wife is thinking of staging an intervention.

Sonos music server Pi. UPS server Pi. Pi Hole ad-filter Pi. NTP server PI. Plus a couple for playing with. I really should look at consolidating the first three, the NTP box is far more accurate with no other load or an active GUI so it is safe from tinkering.