Roon core hack attempts


I moved Roon core onto a NUC in October last year after my old Mac mini fell out of IOS support.

Was just browsing my firewall logs and it appears this is a very attractive target for hackers. Are there any special measures needed to ensure the Roon core and NUC are secured up appropriately? Scans on the port suggest it’s not responding, but the bad guys are recognising something on port 55000.

Public IP addresses are constantly scanned by bots seeking open ports, known vulnerabilities and exploits. Roon only accepts authenticated connections, so this shouldn’t be considered a problem.

Good thought, although if the source IPs are correctly geolocated that means I’ve been in Ukraine, Russia, Bulgaria, Hong Kong amongst other interesting places, which isn’t the case! I haven’t really used ARC much to be honest.
I’ll check though and see if the firewall flags it.

What is your network configuration? Typically, you would have one router (using NAT) connected to your ISP and all your other devices would be connected to the router and thus not visible from the outside. The only accessible ports would be the ones you forward in the router. If you only forward the ARC port, then attackers should only be able to access the ARC port on your core machine, so as long as the core is up to date, it shouldn’t matter whether it’s a NUC or a Mac or a Windows PC.

Marian, yes, I have a router (Unifi UDM Pro) facing the ISP using NAT as you describe, and there’s a switch behind the router. Security settings are maxed on the router. Only two ports are forwarded, Roon and to a PS5.
Essentially my conclusion is I’m trusting Roon to be secure. It would be helpful to be able to get some validation of how this is achieved; bigger organisations have been found wanting when it comes to security. The ability to run my preferred virus scanner on the NUC would be helpful for my peace of mind.
Sony I tend to trust more, plus the PS5 is off when it’s not being used whereas the Roon core is always active.
I think for now I’ll disable ARC as it’s not something I use.

I’d argue you have it backward

The PS5 is a far more attractive target for hackers and, considering there must be millions of them exposed like yours is, a far easier and more profitable target.

Roon Core with open ports for Arc must number in the 10s or 100s of thousands at most. Not a very attractive target and unlikely any hacker is going to spend time trying to find a way in as the gain for the effort would be minuscule.

I use a UDM Pro as well and have seen a few attempts at the ARC port - nothing to worry about - just open ports being scanned as mentioned by Martin a few posts up.

If you’re concerned - easy to do on the UDM Pro - block all traffic from a few countries like Russia, Bulgaria, Belarus, China… unless of course you need them. It won’t stop all scans, but should stop a fair few.

Fair enough, I don’t see any alerts against the PS5 however, and yes I’ve already blocked those countries since seeing the sources are so consistent.

I wondered if the Roon core had some kind of more recognisable signature to the hackers as it does seem to be the only device attracting any interest.

I would value a Roon integrity check such that if they see a device behaving outside the norms, suggestive of it being hijacked or something, they do something about it; even an alert would do.

This is the reason I’d prefer the core on a DMZ, but it’s not really supported because of the UDP broadcast requirements.
My workaround is to set up a VPN connection instead, and use ARC that way.

It really isn’t an issue unless you let it be one. Been port forwarding for over 15 years and yet to be hacked.

I would not trust Sony over any other company for security; they have been hacked themselves. If a hacker wants in they will get in, but it’s unlikely to be a port forward on its own unless it’s completely open and does not require authentication to establish connection.

You can definitely use a standard Linux or Windows on the NUC instead of ROCK in that case. I don’t like closed systems and their limitations.

