ROCK and network security

Hi, I have recently built and installed ROCK on an Intel NUC and I am very happy with it.

I do have a question though. The NUC is exposed on my home network and is not password protected. Am I creating a network vulnerability that could be exploited by cyber criminals to get into my personal data? If it’s a risk, how do I protect myself?

If they have access to your network, you are screwed anyway unless you are nuts about locking stuff down.

Thanks for making my day! lol :smile:

@Philip_Kent I don't think they per se “target you” at a user/personal level… most data compromises happen by self-infliction, meaning you did something you were not supposed to do because you didn't know better…
I.e.: clicking on that pop-up that said “You are infected, Please click here to clean your Computer” or emailing back the King of Nigeria regarding the said ransom you are about to inherit… :laughing:

@danny makes an excellent point… You have bigger problems if they are inside your network.

Keep in mind that being “exposed on your home network” is not the same as having your home network exposed to the outside internet. Unless you’ve specifically done this (by opening certain ports on your router), simply running the Rock music server on a local computer on your network is not a security problem.

Don’t really agree with several of the statements made here :slight_smile:
The OS and apps on the computers on your network are being tested and receive security updates all the time (Mac/Windows/Linux). All other networked ‘things’ (web cams, baby monitors, etc…) are much less tested for security and pose a larger security risk.
ROCK is no exception to that. Luckily, ROCK is running the absolute minimum OS to get your music streamed to your various endpoints but should be pen tested regularly as well.
Here is an example of a simple washing machine server that opened the door for hackers to get on a hospital network:

Point taken. I should modify my statement to say that:

“running the Rock music server on a local computer on your network is not a serious security problem.”

Obviously, there is no foolproof system. My point is that short of opening the server to outside access (via opening ports on one’s routers) the chance of gaining access to an internal network via a ROCK server is somewhere between slight and nonexistent. But I’m no IT Security expert, so I’ll let others chime in that know more about this than me.

There is a huge difference between a network share being open to getting your files, and running code on your washing machine (or anywhere else).

I too am concerned about security, but … This is – so far – a theoretical breach. And it appears to require local network access, e.g., a human operator clicking on a malware link. But if the human operator does that, there may be juicier targets in the local network than a washing-machine server.

That said, the theoretical problem is concerning, because I wouldn’t expect the manufacturers of a washing-machine server to be as assiduous about security as the developers of OSes like Windows, Mac and, I presume, at least some Linux versions.

Not sure I follow. Could you elaborate?

Nefarious code (which I will call NC) already on your Mac/Windows/Linux machine inside your home already has access to all files and hardware on that machine, and the only thing you’ve given NC in this case is the ability to delete or copy your music.

If NC was on the machine that already had your music mounted, it’d already have access to this even if it was password protected, so the only situation this lack of password protection hurts is when NC gets on a machine that does not have the ROCK share accessible. However, an effective NC can usually get into another machine pretty easily if it is on the local network, especially if all security patches are not applied. If they are, it’s still usually possible because NCs know about problems well before the software vendors do (including the operating system vendors).

NC on your machine can do a lot more damage than delete/copy your music. For example, an NC can locate username/password combos, look for credit cards, bank logins, etc…

How could someone else have inherited it? I already claimed it last week!

(The King must be busy in any case as he never got back to me)

@danny What I would like to avoid is NC (Nefarious Child) or NG (Nefarious Guest) from getting access and accidentally deleting music files. A simple password protect and banning guest access would help that.

Anyone who wants to access ROCK, just like a NAS or other OS, needs to gain access via username and password authentication. Remember not to check ‘remember to log on’, so every time you need to gain access you have to manually type in the username and password. This level of security is more than sufficient for home use.

As for other OSes, there's an option to enable a firewall and antivirus scanners, so there's a higher level of protection. However, I don't see the need for ROCK. There are other Linux-based OS streamers like Lumin, Aurender, Auralic etc. that use the same concept. After all, its main purpose is to optimise sound quality.

I experimented with ROCK on an old HP desktop 2 or 3 weeks ago. When I used the Roon app on an Android tablet to get music from Roon server on ROCK, I don’t recall being asked for id/password. (I do recall being asked, the first time, to switch a license from my old HP/Windows system to the HP/ROCK system.) Maybe I’ve forgotten being asked for and supplying id/password, but I don’t think so.

Now, about optimizing sound quality as the main purpose. Good as far as it goes. But if something is running on a general-purpose OS, an OS that could do all kinds of things, security in a server under that OS cannot be dismissed. A program, like Roon server, when it runs on a general-purpose OS, is using all kinds of code (think DLLs, not to mention kernel functions) about which the program probably knows very little. So that program has to be sensitive to security issues. And finally, remember that Roon server isn't just dealing out music files; it's accepting commands about what to play, about information to put into its database (tag information, I guess), about how to play music (upsampling and filtering, I think). Roon server in a general-purpose OS is being told how to behave, possibly by a Roon app on a different system (e.g., tablet). Buffer overruns, for example, are a classic exploitation of a command interface. I do not say that Roon server is vulnerable to buffer overruns specifically, but I am concerned that Roon server might be vulnerable in some way or another.

I agree there's a trade-off running on a general-purpose OS vs ROCK, but when it comes to simplicity and sound quality ROCK rules. I'm looking forward to manufacturers coming out with ROCK that runs on their dedicated hardware with built-in DACs, or simply network streaming DACs. Something like Aurender, Lumin and Auralic. It is hard to beat and a step in the right direction for the future of Roon.

You can run a scan against your external-facing network interface here

https://www.grc.com

using the ShieldsUP option. A full all-service-ports scan will take some time, but the lower common ports should be fairly quick.

Then roll your own Linux… ROCK is about ease-of-use and we made the call to do guest-only SMB access.

I might be a little dense. No username or password is needed to gain access to ROCK SMB share, right?

@danny Yep. I get it. Not arguing with your decisions. I get the trade offs.

What about virus protection for ROCK? Is it built-in or is there a separate package that can be added to the ROCK OS?