
Why Is Sonos Still Using SMBv1 In Its Products? [UPDATED]

Posted in Commentary on June 11, 2018 by itnerd

Recently I got called in to a client’s home to troubleshoot an issue with their Sonos speaker setup. The core issue was that the client was unable to play the music from her Windows 10 PC on the Sonos speaker that she had in the home. When I investigated this, I fired up Sonos Controller for Windows 10, then I did the following:

  1. Go to Manage
  2. Go to Music library settings
  3. Click Add
  4. Choose My music folder

When I did that, I got an error saying that “The computer <Insert Computer Name Here> Is Not Responding.” So what I read from that was that if the computer “wasn’t responding” there was no way for it to send music to the speaker. That was weird because the music library was local to the computer that she was using, so there should be no way I should be seeing that message.

I spent about 30 minutes troubleshooting this and found something that I found to be very weird and scary at the same time. The Sonos software for Windows 10 requires that the SMBv1 protocol be turned on for it to use the music on that PC. It was off in her case. More on how to fix that in a moment.

Here’s the problem with using SMBv1. This protocol has been implicated in a variety of exploits and cyberattacks including the one that rocked the world not too long ago. Microsoft considers this to be enough of a threat that they have been turning off SMBv1 by default when you install any of their Windows 10 feature updates starting with the Fall Creators Update. And they have been warning users about the evils of the protocol as well since late last summer.

So why is Sonos using a protocol that is clearly so insecure that Microsoft, who created the protocol in question, is not only ditching the protocol, but is even naming and shaming Sonos and other companies that are still using it? That’s a good question. The closest thing to an answer that I have found are some extremely vague promises for SMBv2 or SMBv3 support from Sonos. But no hard and fast timelines for that support. That’s just craptastic on the part of Sonos as clearly they need to do something on this front because you know that the next cyberattack that leverages SMBv1 is coming, and it would look really bad for Sonos to be the attack vector of that attack because they couldn’t pony up support for a protocol that Microsoft says that they shouldn’t be using.

Now back to how to fix this issue with Sonos Controller on Windows 10. If you understand that you are taking a bit of a risk with having SMBv1 turned on, here’s what you need to do:

  1. Open the Windows Control Panel
  2. Go to Programs and Features
  3. Go to Turn Windows Features on or off
  4. Select SMB 1.0/CIFS File Sharing Support
  5. Reboot your Windows machine.

That should make everything work again. But, like I said, there is a risk associated with this as the next cyberattack that uses this attack vector can pwn your computer. Plus it is entirely likely that future feature updates from Microsoft will turn SMBv1 off (which would require you to go through the above steps to turn it back on), or remove SMBv1 entirely.

Sonos really needs to address this issue sooner rather than later. Users should not ever have to run an insecure protocol just to use their products. So I am asking Sonos, will you fix this issue so that users of your products are secure? If so, when will you do it? No vague promises. Your users deserve a hard and fast date for this, because Microsoft announced the deprecation of this protocol last year, which means you truly have no excuse for not being on the ball when it comes to this. So when are Sonos users going to see some action on this front with an updated version of Sonos Controller that does not use SMBv1?

UPDATE: Apparently Sonos now has no choice but to fix this as soon as possible as the Windows 10 April 2018 Update not only turns SMBv1 off, but according to threads on Microsoft’s discussion forums like this one, you can’t turn it back on. Which means that any Sonos user who updates to April 2018 could be left unable to play music on their really expensive wireless speakers. It’s not clear if this is a bug or a deliberate attempt by Microsoft to force their users to stop using SMBv1. But I am leaning towards a bit from the former and a bit from the latter as a couple of Knowledge Base articles on the subject exist, specifically KB4103721 and KB4100403. Both warn of a problem running programs from a shared folder via SMBv1. Both suggest that the workaround until a fix is available is to stop using SMBv1. Which again is a non-starter for Sonos users who want to stream their music libraries from their Windows 10 computers.

Over to you Sonos.

UPDATE #2: Apparently if you update to Sonos version 8.6 or higher, Sonos has killed off SMBv1 for an HTTP-based protocol which makes this allegedly a non-issue.
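
For a PC where SMBv1 was turned on using the steps above, the following added example (not part of the original post and not from Sonos or Microsoft) shows one way to check its current state, log which devices still connect over SMBv1, and remove the feature once nothing depends on it. It assumes an elevated PowerShell prompt on Windows 10; the `$RemoveSmb1` variable is a hypothetical safety switch introduced for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1 on a Windows 10 PC, then remove it when unused.

# Hypothetical safety switch for this example: leave $false while auditing,
# set to $true only after the audit log has stayed empty during normal use.
$RemoveSmb1 = $false

# 1. State of "SMB 1.0/CIFS File Sharing Support" and its sub-features.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'SMB1Protocol*' |
    Select-Object FeatureName, State

# 2. Whether the SMB server side (the part a speaker would connect to
#    in order to read a shared music folder) still accepts SMBv1.
$cfg = Get-SmbServerConfiguration
"SMBv1 server enabled: $($cfg.EnableSMB1Protocol)"
"SMBv1 access auditing: $($cfg.AuditSmb1Access)"

# 3. Turn on auditing so every SMBv1 connection attempt is logged.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 4. List logged SMBv1 access (event ID 3000). Each message names the
#    client address, which identifies the device still using SMBv1.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue

if ($events) {
    "Devices are still connecting over SMBv1:"
    $events | Select-Object TimeCreated, Message | Format-List
}
else {
    "No SMBv1 access has been logged since auditing was enabled."
}

# 5. Remove the feature only when explicitly requested and nothing used it.
if ($RemoveSmb1 -and -not $events) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    "SMBv1 removed. Reboot to complete the change."
}
```

Run it once to enable auditing, use the music library as normal for a few days, then run it again with `$RemoveSmb1 = $true`.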