ROCK on NUC - Network file sharing a security risk?

Ubuntu runs Samba, Rock runs Samba, seems very unlikely that it’s that.

I think it’s whether or not the SMB or samba service also supports the insecure guest auth.

My NAS (Synology) is not using SMB1 but will still connect to ROCK, so it must therefore implement insecure guest. But if it didn’t it would not work at all.

1 Like

Version conflict was what I meant. I can mount via the Ubuntu desktop no issues. But setting it to mount automatically via fstab, it would not do it without being set to use smb1.

Makes sense, I have had apps on my phone that won’t connect to it and some that do. So I think you’re right that it’s down to it not having a non-guest username, and some support that while others don’t.

Coming to think of it, I ran Ubuntu until December, how quickly we forget. :rofl: I only ever mounted ROCK in the Nautilus file manager and it connected fine. Ubuntu should try the highest version possible, but I never checked the version and have no idea what it negotiated eventually. Now I have Ubuntu in a Parallels VM on the Mac and I tried now, but from within the VM the ROCK gets mounted via prl_fs (Parallels FS), so samba does not actually get involved and so there is no version to check.

2 Likes

Given the take up of Windows 11 that leaves a looong window of availability for home users. I’m still on 10 as I don’t have a TPM chip.

Also most people don’t run roon on their work kit.
None of my work laptops from a proper enterprise class environment would let me install it never mind allow the connectivity.

1 Like

Hot off the press … it’s been demonstrated that Roon OS is not dependent on SMB1 … but Insecure Guest Authentication still needs to be enabled.

1 Like

Er, @Carl - I don’t have this parameter in my Windows 11 PC at all, I’m using SMB v3 and access my ROCK/NUC without a problem…

the parameter AllowInsecureGuestAuth in the registry

I had to add this on a modern Windows Server OS (2022), not on Windows 10/11
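Added example for the Windows side of this (not from the thread, from Roon, or from any poster): a PowerShell check of the two things discussed here, the AllowInsecureGuestAuth registry value and the SMB dialect and account each live connection negotiated. It assumes Windows 10/11 or Server 2016 and later with the built-in SmbShare cmdlets, run from an elevated prompt.

```powershell
# Added example: audit this Windows client's SMB posture against the
# two points raised in the thread (SMB1 fallback, insecure guest logons).
# Assumes Windows 10/11 or Server 2016+; run from an elevated prompt.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

# 1. Is insecure guest authentication allowed on this client?
#    AllowInsecureGuestAuth is the registry value named in the thread;
#    EnableInsecureGuestLogons is the same setting as exposed by the cmdlet.
$reg = Get-ItemProperty -Path $params -Name AllowInsecureGuestAuth -ErrorAction SilentlyContinue
$regValue = if ($null -eq $reg) { 'not set' } else { $reg.AllowInsecureGuestAuth }
$cfg = Get-SmbClientConfiguration
Write-Host "AllowInsecureGuestAuth (registry): $regValue"
Write-Host "EnableInsecureGuestLogons (effective): $($cfg.EnableInsecureGuestLogons)"

# 2. Is the SMB1 client component installed at all? If it is 'Disabled',
#    no connection from this machine can fall back to SMB1.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client
Write-Host "SMB1 client feature: $($smb1.State)"

# 3. Dialect and account for every current SMB session. A Dialect of 1.x
#    means SMB1 was negotiated; Credential shows the account the server
#    accepted, which for a share like ROCK's is the guest/anonymous one.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, UserName, Credential |
    Format-Table -AutoSize

# Hardening, commented out on purpose: as the thread notes, turning guest
# logons off also ends access to shares that only offer guest auth.
# Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
```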

I use a combination of NUC10i5 with Roon 1.8 Legacy with Synology NAS. I just checked that the SMB was configured with maximum SMB3 and minimum SMB2. I have not tried setting the minimum to SMB3 (i.e. forcing it to run SMB3 exclusively). But it runs fine. So I guess at the minimum ROON supports SMB2.

This is what “smbutil statshares -a” shows on a Mac when connecting to ROCK

SMB 2.002 is used for connections to ROCK. So no “SMB 1 only”, as has been pointed out before by other people already. SMB 3 would be nice to have in the future though.

The real security risk is definitely the guest access. More security using proper login credentials to ROCK (both Web interface and SMB access) has been on the wishlist for RoonOS 2.0 for a long time and should definitely be delivered by ROON to meet reasonable security standards.
Accompanied by a (default) option to not use login credentials, the choice is with the user and everybody will be happy.

2 Likes

EDIT: I misinterpreted your post. Obviously you’re running ROCK on an NUC and accessing music files on the NAS via Roon. Obviously outgoing SMB connections from RoonOS using SMB2 and higher work including user credentials. Otherwise Roon couldn’t access those storage locations and would be quite useless.

The whole discussion circulates on having music files on the NUC and accessing the shares provided by RoonOS via SMB to upload/modify the music files from a PC/MAC, which is realized via guest access, giving full access without providing any user credentials.


Roon on a NAS and Roon on RoonOS (=ROCK) are not the same thing.

The SMB protocol stack is provided by the operating system (in your case DSM by Synology) and is independent of the Roon Server application.

So SMB security for Roon on NAS is not an issue, you can configure SMB 3 in DSM and set user access rights to your needs.

The same thing is not possible in RoonOS since the user has no access to the relevant settings of the SMB protocol stack via the RoonOS Web Interface.

I bet, if root access to RoonOS was possible, it would be just a matter of minutes to configure user credentials via the command line. The effort that needs to be made lies in adding these settings to the Web Interface so they can be configured by the user in a comfortable fashion.
However, this is no rocket science, so I’m wondering why Roon still hasn’t done it.

I assume they believe most if not all users are on a trusted network in their home where this being locked down isn’t essential. They have made it a simple device, most likely for Nucleus users, which is aimed at the “I don’t want to meddle with tech, turn it on and it works” brigade. Personally I don’t see the urgency for it to have separate user and password login for administration. In the 15 years of using network streaming servers I have not had one locked down and not had one issue.

I struggle to see why members of your family or friends visiting would even attempt to log into Rock or your storage. Do they even know how to? Or that it exists? They need to know the IP to start with, or its network name. Not exactly easy for the uninitiated, and if you can’t trust your family or friends then there are bigger issues at hand than this.

If someone’s broken into your network then I think worrying about Roon is the least of your worries, and I think they would have bigger fish to fry than mess with a music server.

3 Likes

I agree, but I think the choice about enabling/disabling security options should be with the user. And we’re talking simple basic security measures here.

Once you have access to the network, it’s easy to find ROCK as it uses standard network discovery features to be found on the network. No insider knowledge needed, just open “Network” on your Explorer / Finder and there it is.

AND it’s not only the music storage that’s exposed to guest access, but also the RoonServer and Database folders including Machine Settings where for instance it’s possible to read out your WiFi SSID and password in plain text (just tried that).

More critical settings like your username/pwd to connect to your NAS with the music library might be accessible as well (haven’t checked for that as I have my music on the NUC itself).

So a qualified hacker might take over your network and get access to more critical data on other machines via ROCK, even if the data on ROCK itself might be of no interest to him.

All that wouldn’t be a concern, if some basic access security could be enabled.

1 Like

If they’re on your network in the first place you have a bigger problem than them finding your Wi-Fi password or not. They are in regardless. Stuff like that should be encrypted by Roon though, so that’s sloppy on their side of things for sure.

Agreed, once you’re in, you don’t need the key anymore.

I was trying to point out that RoonOS could pose a security risk to the rest of your network if more critical access data was just as easy to find.

To be fair: I found a file called “quboz account”. Much to my relief, it wasn’t holding my qobuz login credentials in plain text. But nevertheless, it can be copied so someone might try some brute force decrypting on it and gain access this way.

My Machine Settings folder only seems to contain files of zero length…

Same here nothing in them at all.

Indeed

mario@chronic ~ % cd /Volumes/Data/MachineSettings/network
mario@chronic network % ls -l
total 0
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth0_enabled
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth0_use_dhcp
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth1_enabled
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth1_use_dhcp
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth2_enabled
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth2_use_dhcp
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth3_enabled
-rwxrwxrwx 1 mario staff 0 Nov 12 2020 eth3_use_dhcp
mario@chronic network % cat *
mario@chronic network %

I’m a big fan of security reality instead of security theater.

If someone got onto my network, I would be far more worried about them holding my precious photos and music files and family document scans hostage than them being able to manipulate any system or gain access to any data kept on my network. So I keep an offsite NAS which backs up my local NAS and an airgapped hard drive with everything that I update once a year.

If someone got access to my Qobuz account I really couldn’t care less… Like what is the actual risk to me? I keep all my passwords in one of the password keepers. The passwords are all as complicated and long as sites will let me have them - they are gibberish with many symbols. Typing in 32 characters of gibberish is hard, let me tell you, on the rare occasion I have to. I have no idea what any one of my passwords is except for my AppleID, because I am required to type that one in. I have 2FA on wherever I can. It’s relatively difficult to compromise these password managers - LastPass showed it can be done.

I’ve had a credit card stolen. It sucks. But it was social engineering at a gym, not a sophisticated attack. It was a couple months of feeling vulnerable, and a bunch of letters, and it was fixed. Almost everyone I know who has had an actual financial compromise was the result of a phishing attack that got by them or social engineering.

My Wi-Fi password is really long and also gibberish, and kept on my password manager. My guest network’s password is “password6”. Because I’m networking curious that means that guests can not run Sonos or Roon. Big whoop.

Other than ransomware or corporate info (and managing the corporate perimeter is a different issue, the company should defend everything including BYOD according to actual risk) there’s nothing I can imagine anyone wanting on my home network. If my ecobee thermostats or ring cameras are attacked, so what? They become part of a bot net? Are we talking about a HAL9000 situation? Is someone actually going to try to freeze my pipes on my second home? If they get a copy of my family photos, is it really so bad? If they somehow got a copy of old credit card bills or bank account statements, what could they realistically accomplish? If someone got my banking details somehow, it’s unlikely they could get away with that much because of how I have things configured at my banks. But if they did, they would have an easier way of getting there than getting into my home network.

I’m not trying to be callous, but I keep a copy of everything safe, and the actual risk to me is likely no worse than if I had hard copies of everything in my home, and a reasonable alarm system, and someone broke in. Unlike corporate espionage/ransomware, breaking into someone’s home network is a high effort, low value target. And in the grand scheme of things I’m a reasonable target - I would guess a lot of people on here are. Stealing Roon’s forum credentials would likely be a worthwhile effort because I bet a whole bunch of people here use the same password here as they do on other more important platforms like banking.

So perhaps you place a different value on all these things than I do. Or you assign different likelihoods. Or you think the effort I go to is ridiculous. You absolutely can do whatever you want. But I think that freaking out about low bar access controls for one device on your network for file access to something where it really likely only has FLACs on it and you really oughtta have a copy somewhere else is kind of overboard and not focusing on what actually are the risk vectors. But that’s a value judgment. You can see above my rough calculations.

2 Likes