Sonos can be considered a pioneer in the multi-room speaker market. The California-based company has a full range of active speakers in its portfolio and also offers models with Amazon Alexa voice control. In the following test, we will go into more detail about the security and privacy of the Play:1 model.
The Sonos Port is a small, matte-black box, which has RCA and digital coaxial audio outputs for connecting to your existing home stereo or home theater sound system, and an RCA audio in port for. It doesn't sound like the target player has been able to poll the others for info. Try :1400/status on any player. You should get a page of links for that node. Allow main VLAN access to any and all ports. This, with Avahi and mDNS reflection, allows Sonos to work across VLANs with the phone app and the PC/Mac app. I think port 1400 is also required for Sonos Connect. I've spent this week getting all my Chromecast and Sonos speakers to communicate across VLANs with the Sonos app and the Google Home app. Sonos used to have a way to handle this. Sonos Connect was a box that connected to your network and streamed music. Connect was discontinued a year or so ago. For a while, there was no replacement, but now there is: Sonos Port. Sonos Port has two Ethernet ports. It has RCA input and outputs.
For the initial connection to the WiFi network, the speaker first had to be connected to the network via cable. Afterwards, the communication with the app and the connection to the WiFi network worked perfectly.
Apart from the setup, almost all communication between the app and the speaker takes place unencrypted via port 1400. Behind this port is a UPnP (Universal Plug and Play) service, which also enables third-party applications to control playback or volume. Unfortunately, this traffic can also be read or manipulated while music services are being added.
If several speakers are used, they build up an AES-encrypted, proprietary mesh network between each other via radio, which, for example, enables synchronized playback.
Since the Sonos speakers cannot be controlled via the Internet, this part of the test only covers the connection of the app or Play:1 to the Sonos cloud. The security of the connection to the many available music services was not considered.
In general, communication with Sonos servers is encrypted with TLS 1.2. One exception, however, was the firmware update, which was downloaded over an unencrypted connection. Although the update itself is encrypted, we still cannot understand why it is not downloaded via the server's available HTTPS endpoint.
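The two findings above, cleartext UPnP control on port 1400 and a firmware download over plain HTTP, can be checked from the first client bytes of each captured flow. The following is an added example, not part of the original test: the flow records, the LAN range, the addresses, paths and host names are all constructed assumptions.

```python
import ipaddress
import re

# Assumption: the home LAN the speaker and the app share.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Request line of cleartext HTTP, including the methods UPnP uses.
HTTP_START = re.compile(
    rb"^(GET|POST|HEAD|PUT|SUBSCRIBE|NOTIFY|M-SEARCH) \S+ HTTP/1\.[01]\r\n")

def classify_payload(first_bytes: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' from the first bytes a client sent."""
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if HTTP_START.match(first_bytes):
        return "http"
    return "unknown"

def audit_flows(flows):
    """Return (finding, destination) pairs for the cleartext flows of interest."""
    findings = []
    for flow in flows:
        if classify_payload(flow["payload"]) != "http":
            continue
        on_lan = ipaddress.ip_address(flow["dst"]) in LAN
        if on_lan and flow["dport"] == 1400:
            # Local app-to-speaker control that anyone on the LAN can read.
            findings.append(("cleartext-upnp-control", flow["dst"]))
        elif not on_lan:
            # Plain HTTP leaving the LAN, e.g. an update download.
            findings.append(("cleartext-internet-http", flow["dst"]))
    return findings

# Constructed sample flows (documentation addresses, made-up paths).
SAMPLE_FLOWS = [
    {"dst": "192.168.1.50", "dport": 1400,
     "payload": b"POST /upnp/control HTTP/1.1\r\nHost: 192.168.1.50:1400\r\n"},
    {"dst": "203.0.113.10", "dport": 443,
     "payload": bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"},
    {"dst": "203.0.113.20", "dport": 80,
     "payload": b"GET /firmware/update.bin HTTP/1.1\r\nHost: update.example\r\n"},
]

if __name__ == "__main__":
    for finding, dst in audit_flows(SAMPLE_FLOWS):
        print(finding, dst)
```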
The Sonos App was tested in version 10.0. It does not use code obfuscation. This makes it easier for potential attackers to understand how the app works and to use this information for their own purposes.
The app contains numerous third-party libraries, including several analysis services.
For local communication, the app supports advanced certificate validation (certificate pinning). However, apart from the setup, no encrypted communication between the app and the speaker could be detected.
Sonos collects detailed usage data by default, which can also be viewed via the website. Parts of the recorded data can be viewed in the user profile.
Even though the privacy statement is very extensive and also deals with voice control, for example, we miss information on anonymization: the term unfortunately does not appear anywhere in the 22-page (A4) document (see also: iRobot). Furthermore, the information about how long the recorded data is stored is rather vague: “as long as we consider it necessary”.
With its smart Play:1 speaker, Sonos offers a multi-room audio solution rarely found on the market. However, there are points in local communication that could be improved. Although an attack on the local network is unlikely, the local network should not be assumed to always be secure.
The privacy statement is very detailed and covers the most important aspects, although doubts may arise as to whether data collection remains within the necessary limits.