Sonos Web Interface

After recently having stated in a Tweet that Sonos speakers expose a web interface, I just wanted to add some information here. I first found this interface about 4 to 5 years ago, when a good friend bought himself a Sonos system and I decided to just run a quick scan. Back then there wasn't a lot of information on this interface online, which has changed over the past few years. Today, if you search for 'sonos web interface' or 'sonos hidden interface' you'll find various information, just as published here.

The Interface

With the Sonos Sound Platform, bring new ways of listening to millions of Sonos homes around the world. Sonos says the new platform includes support for higher-resolution audio technologies such as Dolby Atmos on the Sonos Arc, better security, and an improved user interface. The new app supports.

The interface can be found on port 1400/TCP. The service listening on this port introduces itself as Linux UPnP/1.0 Sonos/45.1-56150 (ZPS12). Direct access to http://sonos-speaker:1400 will return a 403. The first accessible base path you'll find is /status (be sure not to put a slash on the end; you want the file, not the folder).

/status/zp

The zp page contains an XML with some system information.

I decided to remove the HouseholdControlID

It uses a style sheet located at /xml/review.xsl.

A copy of the XSL can be found here.

/status/enetports

/status/version

/status/proc/ath_rincon/status

/status/ifconfig

/status/showstp

Yes this is Spanning Tree Protocol :-)

/support/review

This page gives us a similar view as the /support page, but with some JS magic.

/reboot

The reboot function actually uses a csrfToken!

/wifictrl

Which also uses the csrfToken

/tools

ping

Port

Back in The Day

Right now you're probably thinking the same as I did back when I first saw the interface: 'Oh, yeah! Command Injection! Just give me five minutes' and then a bit later 'Let's just hit it with Shellshock'. Sadly, things aren't as insecure as they look and feel at first sight.

Neither manual injection nor the typical scanners were able to get anything executed on the speakers :-(

How Bad is it?

Well, this is a complicated topic. When run on a home network, behind a closed home router, everything should be fine. You should not let strangers into your home network! If run on a public network, or in general on a network shared with guests (just as it's done in many restaurants), somebody might badly mess with the system. Badly meaning: everything from a DoS or a Rick Roll to playing crazy soundtracks.

The biggest fail would of course be if somebody decided to expose his speaker to the internet.

In that case some attacker will be able to just play music from wherever, which has obviously already been done.
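
To check your own network for speakers sitting on a guest or shared segment, the sketch below requests / on port 1400, matches the banner format quoted above and flags hosts inside ranges you mark as shared. It is an added example, not code from the original post or from Sonos; it assumes the banner is sent in the HTTP Server header, that hosts are given as IP addresses, and the sample response, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
import socket

# Banner format quoted in the post: "Linux UPnP/1.0 Sonos/45.1-56150 (ZPS12)"
BANNER_RE = re.compile(r"Linux UPnP/1\.0 Sonos/(?P<build>[\w.\-]+) \((?P<model>[^)]+)\)")
# Constructed sample response (assumes the banner is sent in the Server header)
SAMPLE = (b"HTTP/1.1 403 Forbidden\r\n"
          b"Server: Linux UPnP/1.0 Sonos/45.1-56150 (ZPS12)\r\n\r\n")

def parse_response(raw):
    """Return (status, build, model) for a Sonos-looking response, else None."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        match = BANNER_RE.fullmatch(value.strip())
        if name.strip().lower() == "server" and match:
            return int(parts[1]), match["build"], match["model"]
    return None

def fetch_root(host, port=1400, timeout=2.0):
    """GET / on port 1400; returns b"" when nothing answers."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            while b"\r\n\r\n" not in data and (chunk := sock.recv(4096)):
                data += chunk
    except OSError:
        pass  # closed, filtered or timed out: keep whatever was read
    return data

def audit(hosts, shared_networks, fetch=fetch_root):
    """Inventory speakers and flag those on guest/shared segments."""
    shared = [ipaddress.ip_network(net) for net in shared_networks]
    findings = []
    for host in hosts:
        info = parse_response(fetch(host))
        if info:
            addr = ipaddress.ip_address(host)
            findings.append({"host": host, "status": info[0], "build": info[1],
                             "model": info[2],
                             "on_shared_net": any(addr in net for net in shared)})
    return findings

if __name__ == "__main__":
    # Replace with addresses and guest ranges from your own network.
    for finding in audit(["192.168.1.20"], ["192.168.50.0/24"]):
        print(finding)
```

Any finding with on_shared_net set is a speaker that guests can reach directly; moving it to a separate VLAN or filtering port 1400 between segments closes that path.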




