Sonos can be considered a pioneer in the multi-room speaker market. The California-based company has a full range of active speakers in its portfolio and also offers models with Amazon Alexa voice control. In the following test, we will go into more detail about the security and privacy of the Play:1 model.

Local communication

For the initial connection to the WiFi network, the speaker first had to be connected to the network via cable. Afterwards, the communication with the app and the connection to the WiFi network worked perfectly.

Apart from the initial setup, almost all communication between the app and the speaker takes place unencrypted over TCP port 1400. Behind this port is a UPnP (Universal Plug and Play) control service; it is what lets third-party applications control playback or volume, and it means that any device on the local network can do the same. Unfortunately, the same cleartext channel also carries the exchange that takes place when a music service is added, so that exchange can be read or manipulated by anyone on the local network.

Figure: Adding a music service
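To make the local-network exposure concrete, here is a small Python client for the port 1400 control service. This is an added example written for this review, not code from the original article or from Sonos; it assumes the publicly documented UPnP control endpoint /MediaRenderer/RenderingControl/Control and the standard UPnP RenderingControl actions GetVolume and SetVolume. The speaker address 192.168.1.50 and the sample response are placeholders constructed for the example. What matters is what the request does not contain: no credential, no session and no TLS, so any host on the LAN can issue it and any on-path host can read or rewrite it.

```python
"""Unauthenticated UPnP control of a speaker over TCP port 1400.

Added example for this article; it is not code from the article or from Sonos.
It assumes the publicly documented UPnP control endpoint
/MediaRenderer/RenderingControl/Control and the standard UPnP RenderingControl
actions GetVolume/SetVolume. The address 192.168.1.50 and the sample response
below are placeholders constructed for the example.
"""
import re
import socket
from typing import Dict, Optional

SONOS_PORT = 1400
CONTROL_PATH = "/MediaRenderer/RenderingControl/Control"
SERVICE = "urn:schemas-upnp-org:service:RenderingControl:1"


def build_soap_request(host: str, action: str, args: Dict[str, object]) -> bytes:
    """Build the raw HTTP/1.1 POST that carries one UPnP SOAP action.

    Note what is missing: no credential, token, session or signature. Anyone
    who can open a TCP connection to port 1400 can issue this request, and
    anyone on the path can read or rewrite it, because nothing is encrypted.
    """
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{SERVICE}">{arg_xml}</u:{action}></s:Body>'
        "</s:Envelope>"
    ).encode()
    headers = (
        f"POST {CONTROL_PATH} HTTP/1.1\r\n"
        f"Host: {host}:{SONOS_PORT}\r\n"
        'Content-Type: text/xml; charset="utf-8"\r\n'
        f'SOAPACTION: "{SERVICE}#{action}"\r\n'
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()
    return headers + body


def parse_soap_value(raw: bytes, tag: str) -> Optional[str]:
    """Extract one return value (e.g. CurrentVolume) from a SOAP response."""
    match = re.search(rf"<{tag}>(.*?)</{tag}>", raw.decode("utf-8", errors="replace"))
    return match.group(1) if match else None


def exchange(host: str, request: bytes, timeout: float = 3.0) -> bytes:
    """Send the request over a plain TCP socket; there is no TLS on port 1400."""
    with socket.create_connection((host, SONOS_PORT), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample of what a GetVolume response looks like on the wire.
SAMPLE_GET_VOLUME_RESPONSE = (
    b'HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset="utf-8"\r\n\r\n'
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<s:Body><u:GetVolumeResponse "
    b'xmlns:u="urn:schemas-upnp-org:service:RenderingControl:1">'
    b"<CurrentVolume>23</CurrentVolume></u:GetVolumeResponse></s:Body></s:Envelope>"
)


def get_volume_request(host: str) -> bytes:
    """Standard RenderingControl GetVolume for the master channel."""
    return build_soap_request(host, "GetVolume", {"InstanceID": 0, "Channel": "Master"})


def set_volume_request(host: str, level: int) -> bytes:
    """Standard RenderingControl SetVolume; the speaker accepts it from anyone."""
    if not 0 <= level <= 100:
        raise ValueError("volume must be 0..100")
    return build_soap_request(host, "SetVolume",
                              {"InstanceID": 0, "Channel": "Master", "DesiredVolume": level})


if __name__ == "__main__":
    speaker = "192.168.1.50"  # placeholder address, replace with a real speaker
    reply = exchange(speaker, get_volume_request(speaker))
    print("current volume:", parse_soap_value(reply, "CurrentVolume"))
```

Run it against a speaker on your own network and capture the exchange with a packet sniffer: both the SOAP request and the speaker's reply are readable as-is, which is exactly the situation that lets a service-login exchange on the same port be observed or altered.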

If several speakers are used, they establish a proprietary, AES-encrypted mesh network among themselves over their own wireless link, which is what enables synchronized playback, for example.

Online communication

Since the Sonos speakers cannot be controlled via the Internet, this part of the test only covers the connection of the app or Play:1 to the Sonos cloud. The security of the connection to the many available music services was not considered.

Communication with Sonos servers is TLS 1.2 encrypted. One exception is the firmware update, which is downloaded over plain HTTP. The update image itself is encrypted, but that does not explain why it is not fetched via the HTTPS endpoint the same server already offers: an encrypted image is only as trustworthy as the integrity check the speaker applies to it, and a cleartext download lets anyone on the path see what the speaker requests and tamper with what it receives.

Figure: Download of the firmware update via HTTP
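A cleartext firmware download of this kind is easy to spot passively on the network, which is also how the behaviour was noticed in the test. The following detection is an added example written for this review, not code from the article or from Sonos. It runs over a constructed, simplified HTTP log in the tab-separated style of Zeek's http.log, reduced to the columns it needs; the speaker address 192.168.1.50, the hostnames and the paths are placeholders, not the real update endpoint.

```python
"""Flag firmware-sized binaries fetched over cleartext HTTP by an IoT device.

Added example for this article; it is not code from the article or from Sonos.
The input is a constructed, simplified HTTP log in the tab-separated style of
Zeek's http.log, reduced to the columns used here. The speaker address
192.168.1.50, the hostnames and the paths are placeholders, not the real
update endpoint.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

FIELDS = ["ts", "orig_h", "resp_h", "resp_p", "method", "host", "uri",
          "status", "resp_body_len", "resp_mime"]

# Constructed sample: one large octet-stream download, two benign requests,
# and one malformed line the parser must survive.
SAMPLE_HTTP_LOG = (
    "1700000000.1\t192.168.1.50\t203.0.113.10\t80\tGET\tupdate.example.net\t/fw/image.bin\t200\t41283584\tapplication/octet-stream\n"
    "1700000002.3\t192.168.1.23\t203.0.113.12\t80\tGET\twww.example.org\t/index.html\t200\t8192\ttext/html\n"
    "1700000003.4\t192.168.1.50\t203.0.113.13\t80\tGET\tcdn.example.net\t/art/cover.jpg\t200\t120000\timage/jpeg\n"
    "bad line without enough columns\n"
)

IOT_DEVICES: Set[str] = {"192.168.1.50"}  # placeholder inventory of speaker addresses
BINARY_MIME = {"application/octet-stream", "application/x-tar",
               "application/gzip", "application/zip"}
LARGE_BODY = 1_000_000  # bytes; a body this large on port 80 from a speaker is worth a look


@dataclass(frozen=True)
class Finding:
    ts: str
    device: str
    url: str
    size: int
    reason: str


def parse_http_log(text: str) -> List[Dict[str, str]]:
    """Turn the tab-separated log into dicts, skipping comments and malformed lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def cleartext_binary_downloads(rows: Iterable[Dict[str, str]],
                               devices: Set[str] = IOT_DEVICES) -> List[Finding]:
    """Return plain-HTTP (port 80) GET responses to IoT devices that look like firmware images."""
    findings = []
    for r in rows:
        if r["orig_h"] not in devices or r["resp_p"] != "80" or r["method"] != "GET":
            continue
        size = int(r["resp_body_len"]) if r["resp_body_len"].isdigit() else 0
        if r["resp_mime"] in BINARY_MIME:
            reason = "binary MIME type " + r["resp_mime"]
        elif size >= LARGE_BODY:
            reason = f"large body ({size} bytes)"
        else:
            continue
        findings.append(Finding(r["ts"], r["orig_h"],
                                "http://" + r["host"] + r["uri"], size, reason))
    return findings


if __name__ == "__main__":
    for f in cleartext_binary_downloads(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f"{f.ts} {f.device} fetched {f.url} ({f.size} bytes) in the clear: {f.reason}")
```

On a real Zeek deployment the same logic applies to the full http.log columns (id.orig_h, id.resp_p, resp_mime_types, response_body_len); the two triggers are kept separate so that a large download with an unusual or missing MIME type is still reported.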

App

The Sonos app was tested in version 10.0. It does not use code obfuscation, which makes it easier for a potential attacker to understand how the app works and to build on that knowledge.

The app contains numerous third-party libraries, including several analysis services.

The app supports certificate pinning, a stricter form of certificate validation, for its local communication. Since, apart from the setup, no encrypted communication between the app and the speaker was observed, however, the pinning has very little to protect.

Privacy

Sonos' privacy policy is, at 7,800 words, one of the longest among the products we have tested. It contains detailed information on how Sonos handles data, but its readability is rated "difficult" on the Flesch-Kincaid scale. The General Data Protection Regulation (Art. 12(1)) requires such information to be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". That is not the case here, and the manufacturer should revise the document accordingly.

Sonos collects detailed usage data by default. Part of what is recorded can be viewed in the user profile on the Sonos website.

Figure: Sonos statistics

Even though the privacy statement is very extensive and also covers voice control, for example, we missed any statement on anonymization: the term does not appear anywhere in the 22-page document (see also our iRobot review). The retention period is equally vague, with data kept "as long as we consider it necessary".

Conclusion

With its smart Play:1 speaker, Sonos offers a multi-room audio solution rarely found on the market. Local communication, however, leaves room for improvement: an attack from inside the local network is less likely than one from the Internet, but the local network should not be assumed to be trustworthy.

The privacy statement is very detailed and covers the most important aspects, although doubts remain as to whether the data collection stays within what is necessary.