Roon security issues with remotes

I am new to Roon so perhaps I am wrong. Remotes have the option to delete albums. This means that everybody on your network with a Roon Core (with a Roon remote) has the option to delete your entire music collection. Am I right about this? It would be nice to explicitly whitelist remotes in Roon Core. Nobody wants to lose their music collection because of a silly prank or something else.

I can imagine that at the time Roon was created, security was of lesser importance than it is today. To see this in 2020 does make the hair on my neck stand up. The Roon remote app and the server page on Rock make it possible for everybody in my network to do a lot of damage. It’s not a lot of work to fix this.

I venture to suggest that to do it properly, is probably quite a lot of work… :slightly_smiling_face:

Yes, it could be. I think the remotes talk to Core with an API. You can put in some authorization there. But I’m afraid the communication between remote and core is not encrypted. Not sure though. Did no research. Yet.

And remotes are one thing. If you are able to delete music via the API you don’t even need a remote app to delete the complete music collection.

Possible workaround for this, which I tried myself with success: I basically store all my music on a NAS. Roon has its own user account on that, which can only access the files as read-only.

Well, perhaps that would be an easy thing for Roon to implement, and a short term fix?
On the Settings > Storage page, under options, there could be a “Folder is read only” setting?

Every remote can change the settings :slight_smile:

Personally, I’m pro building security inside the Roon ecosystem. I see that as part of guest users, more elaborate profiles, etc… I don’t consider the security aspect a high priority though.

Before demanding such a feature, I’d like to see people define a threat model (what am I protecting myself against) before anything else. Only then can you pick (a) suitable method(s) to protect yourself against it. And I bet Roon security wouldn’t even be the most appropriate method to accomplish it.

In my case, deleted music files is not high on my list of things I’d like to protect myself against. First of all, only people on your internal network can access Roon. They’d have to already have breached your first layer of defense. Once they’re inside my local network, I’d rather protect certain devices and documents than my music. Plus, there are many ways to protect yourself against deleted files (backups anyone?).

If you’re simply concerned about accidentally deleting files, if I recall, there’s a confirmation dialog. If you’re concerned about some malicious user, there’s more to it than ‘adding a read-only button in the UI’.

Bart, I agree with what you say. But I do wonder about the use case of a Student House, where presumably there is one network for everyone to use. In such a situation, I would also be a bit nervous…

I also have a work around, this with two non-techie ladies in the house who admit needing protection from themselves LOL.

I simply store all music on my Qnap NAS, where I add music, edit metadata, etc.
When done, I then use a file synchronization program called Allway Sync to copy the latest version/new version of files over to my Roon-Rock server. The only Windows account that has read/write access on the Qnap is my own, so the files are safe there.

This makes mistakes difficult and also solves keeping at least two copies of files on two different storage locations. I then once a month bring a copy of all my files offsite across the city in case of disaster; trying to rerip or redownload 2900 albums is not something I want to do again (only 700 CDs to go). I quickly discovered one of the ladies was deleting files off the hard drive, not her playlist, when file sync noted missing files on the Rock side. Phew.

Stay safe and enjoy the music.

PS: I agree there should be some level of protection for your files from within Roon; not everyone has a 20-year background in Information Technology, and many get rid of their CD collections once ripped…
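The two workarounds described in this thread (a read-only NAS account for Roon, and a one-way sync that exposes files missing on the Roon side) can be checked with a short script. This is an added example, not part of any post and not Roon or Allway Sync code; the extension list, function names and sample tree are assumptions constructed for illustration.

```python
"""Compare a master music library against the copy Roon reads from."""
import os
import tempfile
from pathlib import Path

AUDIO_EXT = {".flac", ".mp3", ".m4a", ".wav", ".aiff", ".dsf"}  # assumed set

def index(root):
    """Map relative path -> size in bytes for every audio file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.stat().st_size
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in AUDIO_EXT}

def compare(master, replica):
    """Report drift of the Roon-side replica relative to the master copy."""
    m, r = index(master), index(replica)
    return {
        "missing": sorted(m.keys() - r.keys()),  # deleted or never copied
        "extra": sorted(r.keys() - m.keys()),    # only on the Roon side
        "changed": sorted(k for k in m.keys() & r.keys() if m[k] != r[k]),
    }

def is_writable(root):
    """Probe whether the current account can create a file under root.
    Run as the Roon service account, a read-only share should return False."""
    try:
        fd, name = tempfile.mkstemp(dir=root, prefix=".rw_probe_")
    except OSError:
        return False
    os.close(fd)
    os.remove(name)
    return True

def demo():
    """Constructed sample: one track deleted and one truncated on the Roon side."""
    base = Path(tempfile.mkdtemp())
    tracks = ["Album A/01.flac", "Album A/02.flac", "Album B/01.mp3"]
    for side in ("master", "roon"):
        for t in tracks:
            f = base / side / t
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"x" * 10)
    (base / "roon" / "Album A/02.flac").unlink()
    (base / "roon" / "Album B/01.mp3").write_bytes(b"x" * 3)
    return compare(base / "master", base / "roon")

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Running the comparison before each sync, and reviewing a non-empty "missing" list instead of mirroring it, keeps a deletion made through a remote from propagating back to the master copy.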

Sure, maybe…

I’m not saying it couldn’t be a solution for some people, but I doubt there’s many people out there for whom it’s the best solution.

Let’s take the student houses for example, where everyone is on one network. If it’s wired ethernet, I’d put a router behind it, so I have my own private network that I have full control of (been there, done that). Problem solved.

If it’s wireless only, well…the only case where Roon security would make sense, is when you have a split Roon core/remote situation (otherwise you could just disallow remote connections to the core). Which makes me wonder, how many students would have a setup like that? My guess is not many…

Good case for keeping backups of your collection and the Roon database. Maybe a feature suggestion that Roon remote deletions must have a passcode entry. That would prevent unintentional deletions.

One “problem” with that approach: the album will still get deleted from the Roon library, regardless of the fact that the files can’t be deleted from the NAS.