Roon ARC security notification

I received the Malwarebytes notification (below) with RoonServer running on my Windows 10 computer. The port (redacted) is the Roon ARC port. Also below are results from searching the IP address in question.

Roon Remote was not running on any of my devices and nothing was playing on any endpoint.

I’m not very technical about these things. How worried should I be about security breaches through the Roon ARC port? How can I completely disable Roon ARC from the RoonServer?


The first thing you would do is turn OFF UPnP on your router. After that, you can then go into Roon, Settings, ARC Setup and enter 0 as the port number in the box.

This is precisely why we need a better means of connection. One that doesn’t involve opening up a port onto the internet. Hackers and bots are constantly scanning for open ports. Let’s hope a future version of ARC will alleviate the need for port forwarding.

Just because a port is open doesn’t mean it’s possible to connect to it.

I disagree. Today there are so many possibilities for finding security holes (Metasploit, 0-days, etc.).

That still doesn’t mean that just because a port is open it’s vulnerable.

This is very naive. All software has flaws some of which may be exploitable. There is no way that Roon nor the end user has certainty that there are no exploitable vulnerabilities in ARC service. Roon has not published security design or assessments of ARC, so even an advanced consumer has no basis to make an informed decision.

Roon further does not explain the risks, and users are in general not equipped to understand or mitigate the risks, for example by segregating their Roon Core and music library from the rest of their home network and data, or by using a VPN with strong authentication, like a business would do if it had the same requirement to allow incoming connections.

The concept of what ARC delivers is fantastic, but the way it is implemented should be reconsidered, including designing it to not require inbound connections (there are secure peer-to-peer protocols that do not require opening incoming ports to the Internet). Roon should publish security design and assessments of ARC, and safer deployment architectures with better communication of the risks of using ARC.