How do we disable remote access with the new Sonos web app?


Userlevel 6
Badge +11

Now that we have the new Sonos web app we can control our Sonos players from anywhere in the world, something that I believe wasn’t available before.

Is there any way to turn that off?


18 replies

Userlevel 7
Badge +4

Without two-factor authentication it’s only a matter of time before users’ accounts get compromised and remote control of their speakers is possible by a third party!

Imagine the bad publicity that will bring Sonos on top of this car crash of a new app!

Userlevel 7
Badge +14

I don’t currently want or have the need to control my music from outside my home. It seems like a pretty big oversight to not have the ability to turn this off as well as to have MFA on user accounts. Hopefully Sonos adds them both to their what must be a massive to do list. 

 

Userlevel 7
Badge +18

Hi @dave77 

Thanks for your post!

Thank you - I've marked this thread as a feature request and it will be seen by the relevant teams for consideration. Keep the ideas coming!

Userlevel 7
Badge +23

Downgrade to S1 - the web app doesn’t work against S1 systems.

Userlevel 7
Badge +14

> Downgrade to S1 - the web app doesn’t work against S1 systems.

This is not a feature in the new app. 

I am shocked by the mindlessness of this so-called “update”.

This is a complete security and privacy nightmare.

The only upside is that I can see how TERRIBLY this all is implemented, errors all over the place, including HTTP 404 (not found), 500 (server error), 422 (unprocessable entity), 429 (too many requests) and highlight error messages like "Exception parsing upnp parameters" and "Unknown service. Service id: local-library. Account id: undefined". At least I know why my favorites aren’t loading.

Switch this off immediately. I’m willing to take legal action and this is just the b/s I sensed when Sonos forced “accounts” down our throats. I don't want and need a Sonos account for the product to work, there's only benefit for one side. A shame!

Userlevel 4
Badge +5

The cloud API and ability to control our SONOS systems have actually been available for years but without much benefit to normal users - nothing much has changed other than people being aware of this.

And yes - the access really should be protected by 2-factor authentication!

I would prefer to be able to turn this “feature off”

Does anybody know how to set up firewalls in the router to block this access?

Userlevel 7
Badge +14

> I would prefer to be able to turn this “feature off”
>
> Does anybody know how to set up firewalls in the router to block this access?

The Sonos telemetry can be blocked through your DNS service if you use something that supports blacklisting. This is what I’ll be looking at when I get time. But I’m not sure if this will be possible cause it seems like everything goes through the web now. I’m kinda hoping someone smarter than me will figure it out 🤣

Me too, I was looking into the traffic to and from my Arc, but I don’t really have the know-how to realise which to block.

Userlevel 4
Badge

I also want to turn remote web access off please.  There is no reason for anyone who is not on my network to control my system. 

Userlevel 7
Badge +22

Two types of access you need to look at blocking, from the speakers/device and from the Controller App. Figuring out what you can block without breaking anything is going to be time consuming. Figuring out what you can block that breaks stuff you don’t use a bit more time.

Easy way is to add a filter to your firewall to tag all data from the device you are looking at. Then go in and block one stream at a time and note what works/breaks. Once done you might set up several rules: Block all Sonos, Block as much as possible but allowing essential features to work, Block non-essential features that you don’t need every day.

I’m still in the “Hope things get better soon.” camp so I won’t be working on this or tweaking my DNS block-lists unless I notice them breaking anything I need.
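A sketch of the "tag one device, then block one stream at a time" approach described above, added here as an example and not taken from any poster or from Sonos. It assumes a router running dnsmasq with `log-queries` enabled; the log lines, IP addresses and hostnames are constructed placeholders, so real hostnames have to come from your own logs.

```python
import re
from collections import Counter

# Constructed sample of dnsmasq "log-queries" output. 192.168.1.50 stands in
# for the speaker; every hostname is a placeholder under the .example TLD.
SAMPLE_LOG = """\
May 10 12:00:01 dnsmasq[812]: query[A] api.speaker-vendor.example from 192.168.1.50
May 10 12:00:01 dnsmasq[812]: query[AAAA] api.speaker-vendor.example from 192.168.1.50
May 10 12:00:04 dnsmasq[812]: query[A] telemetry.speaker-vendor.example from 192.168.1.50
May 10 12:00:09 dnsmasq[812]: query[A] mail.provider.example from 192.168.1.23
May 10 12:01:30 dnsmasq[812]: query[A] stream.music-service.example from 192.168.1.50
May 10 12:02:00 dnsmasq[812]: reply api.speaker-vendor.example is 203.0.113.10
May 10 12:03:11 dnsmasq[812]: query[A] Telemetry.speaker-vendor.example. from 192.168.1.50
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<name>\S+) from (?P<client>\S+)")


def domains_for_device(log_text, device_ip):
    """Count the hostnames one client looked up, ignoring every other device."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("client") == device_ip:
            # Normalise case and a trailing root dot so variants count once.
            counts[m.group("name").lower().rstrip(".")] += 1
    return counts


def block_candidates(counts, keep=()):
    """Return dnsmasq block rules, busiest host first, skipping hosts to keep.

    Apply one rule, test the speaker, note what breaks, then move to the next.
    dnsmasq's address=/name/ form also covers subdomains of name.
    """
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"address=/{name}/0.0.0.0" for name, _ in ordered if name not in keep]


if __name__ == "__main__":
    seen = domains_for_device(SAMPLE_LOG, "192.168.1.50")
    for rule in block_candidates(seen, keep={"stream.music-service.example"}):
        print(rule)
```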

Userlevel 7
Badge +18

> I also want to turn remote web access off please. There is no reason for anyone who is not on my network to control my system.

Without your password they can't login.

Userlevel 6
Badge +11

> > I also want to turn remote web access off please. There is no reason for anyone who is not on my network to control my system.
>
> Without your password they can't login.

Password-only security for remote control of every Sonos speaker in the world is poor. If Sonos test their internal security as well as their apps then we’re screwed.

2FA is a must at minimum.

Userlevel 7
Badge +22

> > I also want to turn remote web access off please. There is no reason for anyone who is not on my network to control my system.
>
> Without your password they can't login.

Assuming they are trying to log on and not exploiting a security flaw they have discovered.

 

I haven’t looked at the password requirements, does Sonos enforce a long, random password or does it let you use something easily guessable?

Userlevel 7
Badge +14

> > > I also want to turn remote web access off please. There is no reason for anyone who is not on my network to control my system.
> >
> > Without your password they can't login.
>
> Assuming they are trying to log on and not exploiting a security flaw they have discovered.
>
> I haven’t looked at the password requirements, does Sonos enforce a long, random password or does it let you use something easily guessable?

This is pretty bad  

  • At least 8 characters.
  • No common passwords.
  • Previously used passwords can't be reused.

 

Userlevel 6
Badge +6

> Assuming they are trying to log on and not exploiting a security flaw they have discovered.

THIS is the correct take. While I am all about strong passwords (and MFA), the greater concern is a threat actor exploiting a vulnerability in the Sonos back end that we’re all forced to interact with now. And at the risk of stating the obvious, I put zero faith in this crew having their act together on security.

Userlevel 6
Badge +11

> > > > I also want to turn remote web access off please. There is no reason for anyone who is not on my network to control my system.
> > >
> > > Without your password they can't login.
> >
> > Assuming they are trying to log on and not exploiting a security flaw they have discovered.
> >
> > I haven’t looked at the password requirements, does Sonos enforce a long, random password or does it let you use something easily guessable?
>
> This is pretty bad
>
>   • At least 8 characters.
>   • No common passwords.
>   • Previously used passwords can't be reused.

“Previously used passwords can't be reused.”

Let's hope they’re not storing passwords unencrypted 😮

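On the last point in the thread: a "previously used passwords can't be reused" rule does not by itself require keeping old passwords in readable form. The following is an added illustration, not Sonos's implementation (which the thread does not describe); the `Account` class, the scrypt parameters, the history size and the tiny common-password set are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real common-password list (assumption).
COMMON = {"password", "12345678", "qwertyuiop"}
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # illustrative cost settings


def _hash(password, salt):
    """Salted, memory-hard digest; the plaintext is never stored."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


class Account:
    def __init__(self, history_size=5):
        # (salt, digest) pairs, newest last. Only these are persisted.
        self.history = []
        self.history_size = history_size

    def _seen_before(self, candidate):
        # Every old entry has its own salt, so re-hash the candidate per entry
        # and compare in constant time.
        return any(
            hmac.compare_digest(_hash(candidate, salt), digest)
            for salt, digest in self.history
        )

    def set_password(self, candidate):
        """Apply the three rules quoted in the thread, then store a new hash."""
        if len(candidate) < 8:
            return "too short"
        if candidate.lower() in COMMON:
            return "common password"
        if self._seen_before(candidate):
            return "previously used"
        salt = os.urandom(16)
        self.history.append((salt, _hash(candidate, salt)))
        self.history = self.history[-self.history_size:]
        return "ok"

    def verify(self, attempt):
        """Check a login attempt against the current (newest) entry only."""
        if not self.history:
            return False
        salt, digest = self.history[-1]
        return hmac.compare_digest(_hash(attempt, salt), digest)
```

The same re-hash-and-compare step serves both login and the reuse check, which is why a reuse rule alone says nothing either way about how a service stores passwords.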