ROCK on NUC - Network file sharing a security risk?

EDIT: I misinterpreted your post. Obviously you’re running ROCK on an NUC and accessing music files on the NAS via Roon. Obviously outgoing SMB connections from RoonOS using SMB2 and higher work including user credentials. Otherwise Roon couldn’t access those storage locations and would be quite useless.

The whole discussion revolves around having music files on the NUC and accessing the shares provided by RoonOS via SMB to upload/modify the music files from a PC/Mac, which is realized via guest access, giving full access without providing any user credentials.


Roon on a NAS and Roon on RoonOS (=ROCK) are not the same thing.

The SMB protocol stack is provided by the operating system (in your case DSM by Synology) and is independent of the Roon Server application.

So SMB security for Roon on NAS is not an issue, you can configure SMB 3 in DSM and set user access rights to your needs.

The same thing is not possible in RoonOS since the user has no access to the relevant settings of the SMB protocol stack via the RoonOS Web Interface.

I bet, if root access to RoonOS was possible, it would be just a matter of minutes to configure user credentials via the command line. The effort that needs to be made lies in adding these settings to the Web Interface so they can be configured by the user in a comfortable fashion.
However, this is no rocket science, so I’m wondering why Roon still hasn’t done it.

I assume they believe most if not all users are on a trusted network in their home where this being locked down isn’t essential. They have made it a simple device, most likely for Nucleus users, which is aimed at the “I don’t want to meddle with tech, turn it on and it works” brigade. Personally I don’t see the urgency for it to have a separate user and password login for administration. In the 15 years of using network streaming servers I have not had one locked down and not had one issue.

I struggle to see why members of your family or friends visiting would even attempt to log into ROCK or your storage. Do they even know how to? Or that it exists? They need to know the IP to start with, or its network name. Not exactly easy for the uninitiated, and if you can’t trust your family or friends then there are bigger issues at hand than this.

If someone’s broken into your network then I think worrying about Roon is the least of your worries, and I think they would have bigger fish to fry than messing with a music server.

3 Likes

I agree, but I think the choice about enabling/disabling security options should be with the user. And we’re talking simple basic security measures here.

Once you have access to the network, it’s easy to find ROCK as it uses standard network discovery features to be found on the network. No insider knowledge needed, just open “Network” on your Explorer / Finder and there it is.

AND it’s not only the music storage that’s exposed to guest access, but also the RoonServer and Database folders including Machine Settings where for instance it’s possible to read out your WiFi SSID and password in plain text (just tried that).

More critical settings like your username/pwd to connect to your NAS with the music library might be accessible as well (haven’t checked for that as I have my music on the NUC itself).

So a qualified hacker might take over your network and get access to more critical data on other machines via ROCK, even if the data on ROCK itself might be of no interest to him.

All that wouldn’t be a concern, if some basic access security could be enabled.

1 Like

If they’re on your network in the first place you have a bigger problem than them finding your Wi-Fi password or not. They are in regardless. Stuff like that should be encrypted by Roon though, so that’s sloppy on their side of things for sure.

Agreed, once you’re in, you don’t need the key anymore.

I was trying to point out that RoonOS could pose a security risk to the rest of your network if more critical access data was just as easy to find.

To be fair: I found a file called “quboz account”. Much to my relief, it wasn’t holding my qobuz login credentials in plain text. But nevertheless, it can be copied so someone might try some brute force decrypting on it and gain access this way.

My Machine Settings folder only seems to contain files of zero length…

Same here nothing in them at all.

Indeed

mario@chronic ~ % cd /Volumes/Data/MachineSettings/network
mario@chronic network % ls -l
total 0
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth0_enabled
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth0_use_dhcp
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth1_enabled
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth1_use_dhcp
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth2_enabled
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth2_use_dhcp
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth3_enabled
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth3_use_dhcp
mario@chronic network % cat *
mario@chronic network %

I’m a big fan of security reality instead of security theater.

If someone got onto my network, I would be far more worried about them holding my precious photos and music files and family document scans hostage than them being able to manipulate any system or gain access to any data kept on my network. So I keep an offsite NAS which backs up my local NAS and an airgapped hard drive with everything that I update once a year.

If someone got access to my Qobuz account I really couldn’t care less… Like what is the actual risk to me? I keep all my passwords in one of the password keepers. The passwords are all as complicated and long as sites will let me have them - they are gibberish with many symbols. Typing in 32 characters of gibberish is hard, let me tell you, on the rare occasion I have to. I have no idea what any one of my passwords is except for my Apple ID, because I am required to type that one in. I have 2FA on wherever I can. It’s relatively difficult to compromise these password managers - LastPass showed it can be done.

I’ve had a credit card stolen. It sucks. But it was social engineering at a gym, not a sophisticated attack. It was a couple months of feeling vulnerable, and a bunch of letters, and it was fixed. Almost everyone I know who has had an actual financial compromise was the result of a phishing attack that got by them or social engineering.

My Wi-Fi password is really long and also gibberish, and kept on my password manager. My guest network’s password is “password6”. Because I’m networking curious that means that guests can not run Sonos or Roon. Big whoop.

Other than ransomware or corporate info (and managing the corporate perimeter is a different issue, the company should defend everything including BYOD according to actual risk) there’s nothing I can imagine anyone wanting on my home network. If my ecobee thermostats or Ring cameras are attacked, so what? They become part of a botnet? Are we talking about a HAL9000 situation? Is someone actually going to try to freeze my pipes in my second home? If they get a copy of my family photos, is it really so bad? If they somehow got a copy of old credit card bills or bank account statements, what could they realistically accomplish? If someone got my banking details somehow, it’s unlikely they could get away with that much because of how I have things configured at my banks. But if they did, they would have an easier way of getting there than getting into my home network.

I’m not trying to be callous, but I keep a copy of everything safe, and the actual risk to me is likely no worse than if I had hard copies of everything in my home, and a reasonable alarm system, and someone broke in. Unlike corporate espionage/ransomware, breaking into someone’s home network is a high effort, low value target. And in the grand scheme of things I’m a reasonable target - I would guess a lot of people on here are. Stealing Roon’s forum credentials would likely be a worthwhile effort because I bet a whole bunch of people here use the same password here as they do on other more important platforms like banking.

So perhaps you place a different value on all these things than I do. Or you assign different likelihoods. Or you think the effort I go to is ridiculous. You absolutely can do whatever you want. But I think that freaking out about low bar access controls for one device on your network for file access to something where it really likely only has FLACs on it and you really oughtta have a copy somewhere else is kind of overboard and not focusing on what actually are the risk vectors. But that’s a value judgment. You can see above my rough calculations.

2 Likes

Looks like this here:

Probably these files are only written, if WiFi was actually used.

To put some facts regarding storage of access data to external SMB shares inside RoonOS:

I just created an empty dummy share on my NAS and added it as music storage location in roon.

A new file holding the access data is created in:
/Volumes/Data/RoonServer/Database/Registry/Storage/

Here are the contents:

{
  "id": "083159a5-c5e1-4a7c-899f-94e53c58e2d1",
  "version": 2,
  "rescandelay": 4,
  "location": {
    "drive": {
      "type": "Share",
      "volume": {
        "cifsconfig": {
          "network_path": "\\nas-rosine.local\Test_Dummy",
          "username": "dummy_user",
          "password": "wkXZAMh+4ZhU1XYSaZcVSQ==",
          "workgroup": "WORKGROUP"
        }
      }
    },
    "isdir": true,
    "path": "\"
  },
  "ignoreitunes": true,
  "ignoreplaylists": true,
  "ignorepatterns": [
    "/tmp/",
    "/temp/",
    "/.",
    ".pmbmf/"
  ]
}

Plain text for SMB share and user, only the password is encrypted!

So at least two valuable pieces of information (server and user name) are available at no effort at all. Take it from there …
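As an added illustration (not Roon’s code and not part of the original post), this is the kind of check an owner could run over a copy of the Storage registry to see what a share entry exposes: it walks any JSON files it finds, pulls out every "cifsconfig" block as quoted above, and reports which fields are in the clear. The sample entry, file names and values are constructed for the example.

```python
import json
import tempfile
from pathlib import Path
# Constructed sample mirroring the structure quoted in the thread (fake values).
SAMPLE_ENTRY = {"id": "00000000-0000-0000-0000-000000000000", "version": 2,
    "location": {"drive": {"type": "Share", "volume": {"cifsconfig": {
        "network_path": "\\\\nas-example.local\\Test_Dummy", "username": "dummy_user",
        "password": "wkXZAMh+4ZhU1XYSaZcVSQ==", "workgroup": "WORKGROUP"}}},
    "isdir": True, "path": "\\"}}

def iter_cifs_configs(obj):
    """Yield every 'cifsconfig' dict found anywhere in a parsed JSON tree."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key == "cifsconfig" and isinstance(val, dict):
                yield val
            else:
                yield from iter_cifs_configs(val)
    elif isinstance(obj, list):
        for item in obj:
            yield from iter_cifs_configs(item)
def audit_entry(entry: dict) -> list[str]:
    """Return findings for one storage entry (empty list = nothing exposed)."""
    findings = []
    for cfg in iter_cifs_configs(entry):
        if cfg.get("network_path"):
            findings.append(f"share path in clear: {cfg['network_path']}")
        if cfg.get("username"):
            findings.append(f"username in clear: {cfg['username']}")
        if cfg.get("password"):
            findings.append("password field present (encoded, not plaintext)")
    return findings
def audit_registry_dir(root: Path) -> dict[str, list[str]]:
    """Audit every file under root that parses as JSON; other files are skipped."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            entry = json.loads(path.read_text(encoding="utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
        if findings := audit_entry(entry):
            report[str(path.relative_to(root))] = findings
    return report
def demo() -> dict[str, list[str]]:
    # Write the constructed sample into a temp tree, audit it, return the report.
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "Database" / "Registry" / "Storage"
        store.mkdir(parents=True)
        (store / SAMPLE_ENTRY["id"]).write_text(json.dumps(SAMPLE_ENTRY))
        (store / "not_json.bin").write_bytes(b"\x00\x01")  # not JSON, skipped
        return audit_registry_dir(Path(tmp))
```

Point it at a copy of the RoonServer/Database/Registry/Storage tree pulled from the share to list every configured NAS share whose server name and user name are readable without credentials.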

Ah yes, and since the recommendation is that the Core should be wired, not connected by wifi, then I don’t have that file.

My point is:

If there was some basic security applied to RoonOS, we wouldn’t even have to discuss about risks and likelihoods.

As I demonstrated above, 2/3 of the critical data needed to access other machines on your network, which may contain more valuable data, are stored in plain text on RoonOS and are accessible to anyone with access to your network.

I find this discussion highly theoretical, and I run far larger risks (personally) with devices that I cannot readily access myself (thermostats, Sonos, home assistants, etc etc) but which might be far greater attack vectors because of their popularity. You may choose not to go down this path. That’s cool.

I wouldn’t call it theoretical, but speculative.

The vulnerability of RoonOS regarding guest access and storage of critical data is not theoretical but proven fact.

What damage can arise from this is the speculative part and depends on everybody’s personal situation and network configuration.

I think that many people have pointed out that they are not comfortable with the situation.
IMHO this shouldn’t be ignored by Roon.

The “security” problem is not smb1 or smb3 or nfs or cifs or any other network based storage protocol…

The problem is unauthenticated read / write guest access. Until there is a way to, minimally, set a username and password all of these protocols have the exact same security risk. Now…

Let’s talk about that security risk…
To access the share you need access to Roon Core. Roon Core is supposed to live only on your “home” network. The only people “attacking” the Core are those on your home network. If you can’t trust the people on your home network then kick them off :slight_smile:

Well over half of all cybercrime is an “inside job”. I don’t think someone, on my home network, would maliciously damage Roon… but the fact they can easily do it inadvertently is a problem. The guest access has got to go. Then we can argue about the protocols in use.

2 Likes

I had this problem with old Sonos S1. Windows 10 started to dislike Sonos.
Turns out there is a workaround for it. Running a similar protocol.
Or in my case just give up with sharing from a Windows 10 system to legacy Sonos.

See posts above, the premise that ROCK only supports SMB1 is wrong

Read the thread? Surely someone who is very concerned about security does that.

That’s great, then I’m the wrong person for you to argue with. And I am not interested in security theater. Goodbye