Roon Software Security

In another section of the forum I posted a question about locking down the Roon Core Web Site for Management, which requires no password or authentication to Reinstall, Format, Stop or Reboot the Roon Core. To me this is a basic failure of basic security.

Feature Requests:

1.) Require an Administrator Password for Roon Core Management Website Access or Functions

2.) Require authentication for shares. Guest is disabled on some hosts, making it challenging to mount with Guest access; to keep it simple, maybe three basic accounts, something such as:
Administrator/Password: Entire Roon Mount similar to Guest today
Username/Password or Null: Roon Music Folder Read Only
Username/Password: Roon Music Folder Read/Write

4 Likes
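As an added illustration of the three share levels requested above (this is not from the thread or from Roon Labs, and it assumes the Roon storage is exported over SMB by Samba), here is one way to express them in an smb.conf; the share names, paths, user and group names are placeholders:

```ini
# Added example, not from the thread or from Roon Labs.
# Assumes the Roon storage is exported by Samba; share names, paths,
# user names and group names are placeholders.
[global]
   workgroup = WORKGROUP
   server role = standalone server
   # The open configuration maps unknown users to guest
   # (map to guest = Bad User); the hardened form refuses them instead.
   map to guest = Never
   # Refuse SMB1 and require signing so credentials and data are not
   # trivially sniffed or tampered with on a compromised LAN.
   server min protocol = SMB2
   server signing = mandatory

# Level 1: the entire Roon mount (what the Guest share exposes today),
# now restricted to a single administrator account.
[RoonData]
   path = /srv/roon
   browseable = no
   guest ok = no
   valid users = roonadmin
   read only = no

# Level 2: the music folder, read-only for authenticated members of roonusers.
# Level 3: the same folder, writable only for members of roonwriters
# (write list overrides read only = yes for the listed users).
[Music]
   path = /srv/roon/music
   browseable = yes
   guest ok = no
   valid users = @roonusers, @roonwriters
   read only = yes
   write list = @roonwriters
```

Each account still has to be created on the server (for example with smbpasswd -a roonadmin), and the "or Null" read-only variant from the request would be obtained by setting guest ok = yes on the [Music] share only, while leaving [RoonData] authenticated.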

Just a couple of scenarios to attempt to prevent:

1.) Your network is compromised
2.) a negative player accesses your Roon Core and formats your drive, or reinstalls Roon without your knowledge
3.) a negative player downloads your music collection without your permission
4.) a negative player puts files with bad code within your system

It could be developed to retain its current functionality with no passwords, but have the ability to add such for those that don’t like things open.

1 Like

Do we leave our cars and front doors unlocked? Do we lock up important things in safes at home?

Answer is yes; it happens more often than folks want to believe. Even state, federal, and local governments have been impacted through the simplest of attacks through the most obscure methods.

Just consider ransomware situations; would you want all your audio files to be encrypted? Would you want them deleted? https://www.govtech.com/security/What-Can-We-Learn-from-Atlanta.html

Why have the open risk? This has been brought up by others: Roon Security Concern - Full access to another user’s files through App

Understand that it hasn’t been addressed yet, but it is only a matter of time, and when a product finds itself on the front page as the source of the propagation of an attack or spread.

We all felt the IoT devices in our homes were nothing, but now we are developing standards because they propagated issues…

1 Like

While we are on the subject, user profile security should be there too. By default any additional user should default to read-only privileges at add time, and an admin user should be in overall control with, at the very minimum, a strong secure password.

3 Likes

Everyone hates passwords. We all agree on that.

This said, you are very wrong here (and a little shortsighted as well).

Roon is moving to allow remote accessibility. This means there’s going to have to be a hole in your firewall, to allow for you to access RoonServer from outside your network. I’ll trust RoonLabs to do it with a lot of care, but it isn’t a trivial change.

There are thousands of unpatched bugs in Linux (those who have doubts on how bad the garbage fire is, and know a little bit about computers, can watch this if they think I’m exaggerating. Here’s an example of what happened when one of those bugs was exploited), Roon is used by a demographic that’s not necessarily computer-savvy, and one that also happens to be on the wealthier side of the spectrum. In other words, a nice, juicy target for bad people.

@Sean_Schwoerer is totally right to point out that even government agencies are getting pwned, but ransomware on audio libraries would be the last of my concerns in a case like this: I wouldn’t worry about my music being ransom’ed, I’d worry about the rest of my data being exploited, more so for users who are running their core on their NAS and not being extremely vigilant with what they put there. Always remember that bad guys aren’t stupid. They’re bad. And often, they’re much, much more savvy than either you or me.

1 Like

@brian announced it was on the roadmap more than 3 years ago. I don’t know how RoonLabs is implementing it, and am not qualified to judge how safe it’d be. I am also not a beta tester. Given how long they’ve been looking into it, I do feel confident they’re being mindful about it. I would also be surprised if they’d force you to enable remote access.

1 Like

+1
There should be a password.

I use https://keepassxc.org/ as a password manager. It is easy to use, free, and afaik safe. But who knows.
Anyway, better than no password, or myname+dateofbirth, or password123.

1 Like

Two different scenarios. You could park an unlocked car in a locked garage. If your garage security is compromised, then your car is at risk.

Likewise, if your home network security is compromised, then your data are at risk. Other products and services are designed to protect the home network.

Yes, Roon could do more with user profiles, but I see this being very similar to Netflix where I have one password protected account with multiple profiles. I don’t lock away my CDs and vinyl so why would I want to lock away my Roon library?

1 Like