[Security] Question about Spotify Connect open connections?


canada11
Casual Listener

My Question or Issue

I had a question/suggestion related to this: https://community.spotify.com/t5/Accounts/Security-hole-Remote-control-devices-on-other-networks-thr...

 

TL;DR: Spotify intentionally remembers all speakers it has played to, allowing you to keep connections to networks you aren't physically local to anymore.

 

I've recently become more security-conscious, and I also noticed that the implementation in the link above seems to me like it is a dangerous one. I would love to be told that this was all thought of and that there's no problem by someone who knows the implementation. I know Spotify is security minded (thank you). But I also know that no one is exempt from bugs and things being overlooked and exploited. Like Google Home, which had an issue where a public-facing API allowed anyone online to get the noise level from the speaker, allowing someone to potentially know if people are home or not. Which was not awesome.

Anyway, this connection that's made to the speaker:

 

Is it something where when I open Spotify, my local client then pings the server for a list of speakers to play on for Spotify Connect and then opens a connection to the speakers it has listed, even if I don't play anything on it? (hopefully not because I'm using it and their network now has a connection open that shouldn't be there)

 

Or does it not even open a connection to the speaker at all until I play on it? (best case scenario, because I actually want to use the speaker)

 

Or is the connection on the speakers open all the time even when I don't have any of my Spotify clients open? (worst case scenario, an always open port in a network with no connection to it is asking for trouble <-- I'm worried about this scenario happening)

-------------------------------------------------------------------------------------------

 

ALSO related -> I'm worried that this feature is creating unintended, possibly dangerous security problems because I think people only intend for others to play Spotify on their networks when they are actually local to their network. I know that I don't want my friends having a persistent connection to my speakers after they leave my house, but I do want them to play music when they are there.

 

Can we make at least an option to be available where people can only play music when they are on the local network, and don't keep that connection when they leave? Once they go home I really don't want my home wifi to be opening connections out that I don't know about to anyone who has played Spotify on my home wifi before.

 

------------------------------------------------------------------------------------------

I just want to make sure there are no open ports in networks that shouldn't be there waiting for connections. Because I trust Spotify way more than I do the speakers that are allowing the connections, I want to make sure that the firmware/software on connected speakers can't be exploited because Spotify unintentionally left a connection open to my AVR, when my AVR probably doesn't have the same security mindedness that Spotify does and that in turn allows someone to do something bad on my home network.

Accepted Solutions
Jemi
Spotify Legend

Hey @canada11, help's arrived. 

 

We understand what you mean, and would like to explain more about this.

The difference between the Connect feature, with its current functionality, and output devices directly connected to your device, is that the Connect feature doesn't stream data directly from your device to play, but instead finds tracks from the internet and plays them from there. Your controlling device can be viewed as a command center, but doesn't directly stream music to your speaker when using the Connect feature.

 

This (intentionally) allows the last person who was connected to your speaker to connect again without being part of the same network. Restarting the speaker, or connecting to another speaker, will remove the last connection.

 

Keep in mind that only people who've had access to your WiFi (and WiFi password) can connect and re-connect to your speaker, so the security lies there as much as with the Connect feature. 

 

We'd also like to take the opportunity to assure you that Spotify takes security very seriously, and takes rigorous measures to keep your data safe. 

 

Hope that explains things 🙂 

txcrew
Casual Listener
Spotify is opening up my internal network and exposing it to devices outside of my network, unbeknownst to me. Whether this behavior is by design or not, this is a security hole. Full stop.

Arguing that it's only accessible to devices that have permissibly connected to my network is an irresponsible and dangerous rationale. It's unrealistic to believe admins of Spotify Connect (like myself) can validate the level of security of each device that connects to the network, and the lifestyle of the respective users.

Furthermore, it's not just a matter of trusting other people. The integrity of my network, firewalls, and VLANs should not be boiled down to the Spotify application, should my own device be compromised.

Spotify is knowingly putting their premium users' security at risk. Please fix this security hole unequivocally and expeditiously.

MellyNL
Casual Listener
This is a bad ass security leak. Anyone once connected with my wifi can connect with any connection from any location. This issue is NOT solved. They can turn up the volume to the max. Involving my neighbors and the police will force my front door and turn it off. There is no way to secure and I see no reason to access remote from any location. This is real damage and it should not be possible. Even when Spotify Connect and my sound system is on a public network. This should not be possible to access. SPOTIFY: If you take security seriously, PLEASE take action to solve this security leak. Because it can do serious damage to my neighbors, my Bose sound system, my front door and a fine from the police!

Nano8
Visitor
This is indeed a very annoying issue and could be a public disturbance if misused. There are a few sound systems connected to the mall's free public wifi where I'm from. Because I'm an IT professional, out of habit I scan the public network to see what is open or not. But yesterday when I was having lunch I noticed Spotify was still open on my phone. I normally listen to music using Spotify in my car through Bluetooth. Out of curiosity I touched the "Devices Available" icon and lo and behold I saw that I could connect to a range of devices. There was an Apple TV in there, an Android TV and some other speaker sound systems which I assume have Spotify installed on them. I could play and control one of the speaker sound systems' volume remotely. I could hear my music playing very loud somewhere in the mall while sitting in the food court. Pressed for time, I headed back to work. While driving to work in my car I was still connected to this sound system over my LTE connection. Baffled, I started to search on the internet for similar experiences. Spotify should fix this. Not every wifi network is private. There are a lot of free public wifis where Spotify-enabled devices are connected. These devices are at risk of being connected to.

MellyNL
Casual Listener

Was it a Bose sound system?
