Sonos support for SMB 2.0 protocol

  • 18 September 2016
  • 274 replies
  • 43885 views

Userlevel 4
Hi,

Recently I have turned off SMB 1.0 on my Windows 10 machine as per Microsoft's recommendation (https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/). However, after I disabled SMB 1.0, the Sonos application stopped working on that Win10 machine (not able to connect to local drives configured in the library). I had to turn SMB back

Could you please advise when will Sonos start supporting SMB 2.0 or later?

Thanks
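The situation in the opening post (SMB1 switched off on the Windows 10 machine, Sonos library access lost) is easier to handle if the server is audited for SMB1 clients before the protocol is disabled. The following PowerShell is an added example for this thread, not code from the original poster or from Sonos; it assumes a Windows 10 or Windows Server host with the built-in SmbShare module, an elevated prompt, and that the SMB1 audit log is `Microsoft-Windows-SMBServer/Audit` with event ID 3000 (both are Microsoft's documented values, not something taken from this page).

```powershell
# Added example (not from the original post or from Sonos): find out which clients
# still negotiate SMB1 against this Windows machine's shares, then disable SMB1
# only once nothing in the audit log depends on it. Run from an elevated prompt.

# 1. Current state: is the SMB1 server protocol on, and is the SMB1 feature installed?
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol |
    Select-Object FeatureName, State

# 2. Enable SMB1 access auditing and leave it on for a while. Every SMB1 client
#    access is recorded as event ID 3000 in Microsoft-Windows-SMBServer/Audit.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. After normal use (including a Sonos library re-index), list the distinct
#    audit messages; each one names a client that still speaks SMB1.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    ForEach-Object { $_.Message } |
    Sort-Object -Unique

# Live view of the dialect each current session negotiated (SMB1 shows as 1.x,
# SMB2/3 as 2.x or 3.x), without waiting for the audit log to fill.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect

# 4. When no client in the audit output still needs SMB1, turn the protocol off
#    on the server side and remove the SMB1 optional feature component.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

If step 3 shows a Sonos player (or any other device) among the SMB1 clients, step 4 will cut it off from the share, which is exactly the failure described above; the audit pass makes that a known trade-off instead of a surprise.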


Userlevel 3
Hey Sonos, as mentioned, SMB v2 is ancient and SMB v3 is out. And ... if you haven't heard ... SMB v1 is amazingly insecure and needs to die! As you may have noticed there was a little worldwide event this past week that leveraged the ancient SMB v1 protocol (WannaCry ring any bells?). I have a QNAP NAS and I came home today and switched the settings to SMB v3 ... nope Sonos doesn't read my music library. I switched to SMB v2.1 nope ... no music library. SMB v2.0 nope. Not until I switched back to the most ancient of ancient protocols was my music library available. My MacBook supports SMB v3, Linux supports SMB v3. Can we please stop only supporting decades old protocols that are hugely vulnerable? I'd rather not risk my network security because I have to run SMB v1 to read my Sonos music library. I'm an Information Security professional ... it's no longer time to have SMB v2 on your radar. It's time to step up to the plate and do it and do it fast (less than 1 month). From my perspective, and I'm sure that anyone, given the information in an understandable version, would absolutely agree ... SMB v1 has got to go!
Userlevel 4
Why not? SMB 2.0 was introduced in 2006, which is 10 years ago. Out of all the applications and storage devices I have in my environment, Sonos is the only one with which I have encountered problems after disabling SMB 1.0. I personally don't think it's too much to ask here, given the technology has been around for a decade.
Userlevel 4
Badge
Hi Ryan. I'm one of the Samba authors and a *BIG* SONOS fan/user. If you need any help in moving the SONOS Linux client code to SMB2/3 please feel free to reach out for help. I can be contacted on jra@samba.org

Thanks,

Jeremy Allison.
Userlevel 7
Badge +26
Thanks for asking. As suggested already, we don't have any official plans to announce or share right now. Sonos only uses SMB for sharing your local music library off of a Windows computer or a network attached storage (NAS) drive. Mac computers share to Sonos through a different protocol that's set up using the Sonos controller.

If your music listening is through a music service, you can have SMB disabled on your system and Sonos won't have any trouble at all. The only trouble that comes up with SMB1 disabled is for those music shares listed above.

I'll pass on your feedback and interest in SMB2 to the team to make sure they are aware of it all.
Userlevel 1
Registered just to post in this thread. Come on Sonos, add better SMB support. Hadn't noticed that my library was broken since turning off smb1 support on my Synology.

Some of the replies in this thread are crazy. Suggesting that users should get a Pi to serve music just for the Sonos system? Please..

Sonos need to add SMB 2/3 native support, end of.
Userlevel 7
Badge +20
While there's clearly some over-reaction going on in this thread, there are some nasty security issues with SMB v1. There's a pretty good summary at: https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

While these issues are unlikely to present significant risks in standard domestic environments, it would nevertheless probably be wise for Sonos to provide an option to use SMB v2+.
Userlevel 1
The actual risk of SMB v1 vulnerabilities is fairly low for most people

This has the same odor as when I hear people say they have nothing to hide, therefore they aren't really bothered by their every movement and communication being gathered for later use or profit.

Microsoft, the actual people behind SMB, have for years now officially recommended migrating off of SMB v1. It's something like 30 years old. And when I see Sonos actually giving detailed step by step instructions on enabling SMB v1 I can only picture the websites that give step by step instructions on disabling air bags or the annoying audible chime your car makes when it knows you aren't wearing your seat belt. Because it's "SONOS", people merrily follow the directions. If it were a dinky startup nobody ever heard about, there would be all sorts of "pass this along" chain messages on Facebook urgently warning people to ignore it or they might die. It's the classic argument of the difference between a religion and a cult.
Userlevel 2
Badge +1

The refusal by Sonos to declare where they stand on the SMB1/2/3 fiasco is appalling.

The least they could do is tell us the official position even if it is that they are not going to implement a real solution then at least we know where we stand.

It seems from what some users have found out that older Sonos 1 gear doesn’t have the memory to run SMB3, but why can’t Sonos spell this out clearly and advise whether Sonos 2 gear has adequate memory or whether it is simply not possible?

I have been combing through this forum wasting too much time looking for an answer to no avail. All I see is wishy washy non answers from Sonos staff. Not good enough Sonos. Lift your game.
Userlevel 7
Badge +15
Hi Ryan, when you say you haven't removed support for SMB 'at this time' what does that actually mean - and how will shares from NASes be affected by this? The point of a NAS with regard to Sonos is so PCs aren't left on permanently, so I'm sure there are many users interested in how sharing will be achieved from NASes if you appear to be going the opposite way and removing functionality as opposed to adding support for the later, more secure versions.
Userlevel 5
Badge +9

I’m just urging caution that we can’t expect ‘all’ upgrades possible in the first release, due to both code effort, and QA time involved. There’s a lot of work in updating a kernel, I’d be happy to wait for some feature to be sure it all works each time.

Worth repeating this comment.

Fair point but this isn't about "all upgrades" - it's about fixing a massive security flaw that's been around for years. S2 is over 6 months since announcement; expecting this to be fixed isn't some unreasonable expectation imo.

I've been monitoring the questions and replies concerning SMB here on the community since people got a bit more aware about the flaws with SMBv1.
What I don't understand are the comments about the need for Sonos to disable support for SMBv1.
Neither do I understand why some seem to blame the NAS vendors that support SMBv1 as a reason for Sonos not enabling support for SMBv2 or v3. Most NAS products let you choose the SMB level (v1 through v3) to your liking.
From my point of view Sonos may continue the support for SMBv1 for infinity if they are happy running insecure protocols.

What I would like, is to get a simple update of the product so that I can turn on SMBv2 or preferably SMBv3 and at the same time turn off the SMBv1 protocol on my Sonos system. Simple checkboxes under advanced options will do in addition to adding the protocols in the code.
That should be pretty straightforward to accomplish, but for some reason Sonos chose not to. They've had more than 10 years to incorporate SMBv2...
It seems that Sonos have stopped developing their product for customers who prefer to have their music on a local network and don't want to rely on streaming through the internet.
Too bad really. I've been a happy user of Sonos since 2010, but everything must come to an end.
If I find that Denon Heos, Bluesound Pulse or similar products support SMBv2 or SMBv3, one of those will replace my Sonos solution.
Userlevel 5
Badge +11

Uploading your music collection to a streaming service, e.g. Google Music or Amazon Music, (the latter on payment of € 24.90 a year) isn't an option?


Yes, but Sonos still has the local library in the handbook and users are failing to set up Sonos ... that is bad ... Sonos just works, nothing else....
https://sonos.custhelp.com/app/answers/detail/a_id/79/related/1

In fairness, that article specifically mentions you will need a NAS that supports SMBv1.

I feel like I'm harping on this point in an untold number of threads, but the SMBv1 security drama is overblown. SMBv1 doesn't have any known, unpatched vulnerabilities at this point. It's simply at a higher risk of new problems occurring. I am genuinely supportive of the idea that Sonos should make security fixes a high priority, but I can't allow myself to be lumped in with people making comments like this:

I'm pretty sure your CEO would not like the bad press if all of your customers get hacked because you are too lazy to fix this.

First of all, only a minor subset of Sonos customers use any NAS, so they sure as heck aren't all getting hacked. And let's be clear here, the only people who would be hacked are the ones who don't put the existing patches on from Microsoft.

http://securityaffairs.co/wordpress/61530/hacking/smbloris-smbv1-flaw.html

Here's an SMBv1 vulnerability that can't be patched. MS's answer is insufficient - blocking at the boundary is ineffective against client-side attacks, which are the most common now.

Let's be clear here. It isn't a SMBv1 vulnerability for two reasons. It's not a vulnerability, it's a configuration issue. Suggesting that "blocking at the boundary" isn't effective is like saying you shouldn't have to use a password. The second reason, and this is important to underscore the configuration point, is that it's present in all versions of SMB.

As for the idea of client-side attacks, you're partially blaming Sonos for the failure of some other exploit that allows them in. Sonos is a home device, so we're not talking about enterprise networks here with thousands of connected devices. Is this a good reason for why Sonos should be publishing the updated support sooner rather than later? Absolutely!

Even experienced security professionals accidentally click the wrong things or get phished regularly.

Partially true at best. I don't know any experienced security pros who "regularly" do either of those things. If one of my team was even frequently, let alone regularly, falling into phishing traps they would be terminated for cause. We make non-technical staff take a training session every time they fall for our mock phishing attempts at our company.

Knowing this, development should have started in 2007, having everything finished with quality check and even gamma tests until 2009! It seems Sonos slept 7 years too long.

Again, I'm not sure if these posts are coming from people who don't understand the reality of the tech landscape or what. It would've been nice if Sonos had been testing newer SMB support many years ago, but acting like they're some anomaly for still using SMBv1 is simply false. There's a reason Microsoft hasn't dropped the tech until this year despite the fact that it's been high risk for a long time.... it's because everyone keeps using it! If you bank in the United States, there's more than a 75% chance that your bank heavily leveraged a platform that didn't even support SMBv2 until two months ago. I promise you that if you think of the four largest banks you know at least 3 were in that situation, and there's a better chance all four did.

TL;DR
Sonos needs to take security seriously, and they should have already delivered a solution.

Some customers need to chill out and stop acting like this is the worst thing that's ever happened to them. You undermine the valid security concerns with your rants.
Userlevel 1
I agree if this would be a feature, but this is a major problem. It's not exactly a security flaw on Sonos's side as the client is not vulnerable, but it compels me to open one on the server side to make it work.

This topic has existed for more than three years and there are a lot of other topics. This can’t be ignored.

If there is a problem with kernels or whatsoever I expect them to be transparent.
So you want them to be transparent about a supposed security flaw and reveal its causes?  Why not set up a “Hackers Welcome!” sub-forum while they are at it?  
The world has known about it for years.... so why not be transparent about why this hasn’t been fixed already? The flaw and cause are known.

You should really learn what the SMB1 flaw is about.

Userlevel 7
Badge +20
It is also completely unfair on the probable majority of users without the necessary technical skills.
That's the key point here. The actual risk of SMB v1 vulnerabilities is fairly low for most people, but the current user experience of Sonos local libraries just mysteriously not working with recent Win10 installs is very poor.

It's absolutely not a low risk - are you an antivaxxer too?

Well, I don't enjoy injections, if that's what you mean 🙂 However, that seems a bit personal and I don't see what it has to do with Sonos and SMB.

Look, I completely agree that Sonos should address this, and that SMB v1 is riddled with problems. I'm just making the point that for people running Windows on personal computers with up-to-date patches, in the typical home usage scenarios applicable to Sonos, there is very little risk. If you disagree, point me to an exploit that would cause meaningful harm in this situation.
Userlevel 7
Badge +20
One of the conditions you outlined was "on personal computers with up-to-date patches" - the premise is flawed from the start. Home users in general are not rigorous in this. Specific evidence is temporal, and changes with new vulnerabilities being discovered and patched/ignored.
So, let me help you: I know of no evidence of PCs being exploited via SMB v1, at any point in time, provided there's been reasonable adherence to keeping those PCs up to date. There have been no zero-day exploits with the exception of a couple of denial of service vectors that I would argue are not very likely and not particularly important under home usage scenarios.

The specific issue with SMB v1 is that its design makes it a hotspot for exploits, and Sonos should clearly move away from requiring its use. In the meantime any important emerging SMB v1 exploits are still being patched on supported operating systems. If users are genuinely concerned about security, rather than focusing on SMB v1 and Sonos they should just keep their systems patched, otherwise they are exposed to a wide range of exploits well beyond SMB v1.

I'll close by reiterating that I do think Sonos should address this, and quickly, in case I give the impression I think it's unimportant. I was just seeking to put the risk in the correct perspective. I'll leave it at that.
Userlevel 7
Badge +15
Appears to be working on the matter? For security issues, I'd expect a whole lot more reassurance when, years down the line, they still insist on users running superseded protocols that even the original developers no longer recommend - and haven't done so for a significant amount of time.
The issue is not theirs in the making? That 'logic' is crazy. If your AV provider didn't update their AV definitions list because they didn't create the issue, would you be OK with them leaving you exposed? Sonos have a duty to their customers to have/allow as secure an environment as they can.
Please don't condescend to me by telling me why or how things come to the top of the pile and other things get released; I know very well how software development works and is released, it's my job. I already made the point that security should be at the top of the list. They may well have got somebody in - although one of the original developers publicly offered their services here and it was passed on. Nothing came of it.
The SMB issue is easily solved now without any help at all from Sonos.
Easily solved?
The use of workarounds like a 'burner' HDD, Plex, etc. just to avoid getting bitten by issues associated with known-unsafe network protocols shouldn't be necessary.
Quite...
Userlevel 7
Badge +15
Ken, nobody is asking Sonos to switch off SMB1, it's asking for support for the 'newer' (10+ years old!), more secure versions. If users of old equipment continue to use it, that's their choice.
We know you're not concerned by it, you've done it to death.
Userlevel 1
Can't believe this isn't fixed yet and there's massive outcry regarding this. Everyone on an updated Windows 10 OS running a local library is affected. How can they let their customers down this way? This baffles me.
Userlevel 1
Badge
Stanley, your solution is indeed not very hard to do, nor is it expensive. Buying a RPi and an external HD should not cost more than $100. Putting OpenMediaVault on it is also not very hard to do thanks to all the online tutorials.

On the other hand, all this should not be needed. If only Sonos would update its SMB stack and simply add at least SMB2, but preferably also SMB3. Up to now this problem did exist but was largely unknown because Sonos "just worked". Recently, Microsoft disabled SMB 1 with every fresh Windows 10 install and possibly also when you do one of the bigger updates (like spring or fall update). So the users running into this problem will increase a lot now, and hence also the support questions regarding this issue.
I'm sure Microsoft did not take this decision lightly or unannounced. When Sonos then simply suggests setting up SMB v1 again to "rectify" this issue this seems very irresponsible to me.

I get there is more money to be made for Sonos in the streaming market, but I sure hope they do not forget that users who play their own content were their very first customers. The customers that helped to define their success.
Userlevel 7
Badge +26
OK, thanks.
Presumably switching it off with no other option isn't on the table?...

We don't have any plans to turn off support for NAS drives.
Userlevel 5
Badge +9

Happy greetings here!

I sold the Sonos and now have a system that does not bring a security risk to the NAS! :wink:

DNFTT

@EAZ has been a member since 2017, calling them a troll isn’t fair IMO. The smb complaint is legit 

Userlevel 4
Well, you've got to start the conversation somewhere, right? The software vendor may not be aware of potential issues or threats, thus people communicate via social media such as a forum like this. I appreciate your input, but I'm really after a response from someone who works at Sonos. They don't have to give me a hard date or anything. An acknowledgement would be a good start.
Userlevel 7
Badge +21

I’m optimistic, if Sonos goes to the new Linux kernel they would actually have to do extra work to disable the newer SMB version support.

Userlevel 3
I'll look into it, but this is an issue:

"Tip!: Other audio formats such as FLAC or ALAC will be transcoded by your Plex Media Server to be compatible."

I have virtually everything that I own ripped to FLAC files and I have them ripped that way for a reason and it isn't so that it can get transcoded to some lesser format.

I know you "can't give me a specific date" but I / We need to know that it's more than "on your radar". It looks like it's been "on the radar" for at least 7+ months now.

This needs to be on the list for release with the next software update.

How about a commitment to your customers for that? Will Sonos commit to ensuring their customers are able to support the music formats and delivery methods (i.e. local NAS directly) that are current and secure?

Robert