Security with Roon ARC / Roon 2.0

You’d have some interesting conversations with the thousands of Deadbolt ransomware victims who had their NAS exposed to the internet via UPnP-enabled routers.

Aside from that article being over six years old, if you read the follow up comments it is comprehensively ripped to pieces by the commenters.

Don’t enable UPnP, kids.

5 Likes

A way, please, to disable the ARC features on the Roon Core, because the port is opened by default with UPnP on the router. Too dangerous. ARC must be opt-out and not opt-in. You open a door to the entire internet when doing so.

2 Likes

If you don’t want ports opened by default, you should disable UPnP on the router. I do agree that users should be able to turn off ARC support in core.

6 Likes

Or, go into your router settings and remove those pinholes for Roon ARC.

Sadly my router seems not to offer it 🙁 only disabling UPnP entirely.

When you have the option to. I would like to use UPnP for local usage too and not have to disable it to disable the Roon ARC feature.

It must be done by Roon Core, letting the user choose not to open the port and not configure the router.

1 Like

Yes, the problem is not really malware inside the LAN, it’s bugs and security holes in non-malware, as with the NAS incursions.

2 Likes

I agree. I run my Roon Core on a QNAP TS-473 that needed a complete reformat in January thanks to the Qlocker ransomware attack. I restricted access to my QNAP to the UK only, which will presumably block Roon Mobile were I to download it and use it outside of the UK (I am currently in Italy).

I will not be downloading 2.0 unless ARC can be disabled and access to my server protected. It contains a lot of other important business data besides Roon Core.

My music library is on an Innuos server that I do not use with Roon as the sound quality with Innuos Sense seems better. There was no mention of sound quality in the 2.0 note.

That doesn’t make sense. What’s the use case here?

ARC works on the local subnet (broadcast domain) of your Core without any port forwarding / UPnP.

You need UPnP to be enabled on the router to have ARC work. So bad choice.

For the use case, I mean DLNA, not UPnP, sorry.

Roon will never support UPnP/DLNA streaming. You can search history on the community and Roon Labs has explained this many times. I agree with their assessment as well.

Just type in 0 for the manual port forward config. It’ll disable it.

4 Likes

Software engineer who works in security here - Danny’s answers are good and extremely reasonable. I’m pretty satisfied Roon is doing everything Roon is able to do here.

There is no way to expose your home network to the internet without increasing security risk at least a little bit. Period. That’s not a Roon thing, that’s a life thing.

If increasing that risk by any amount is unacceptable to you, you need to airgap your home network, and you can’t run Roon or anything else remotely. Period. Also you might be the president, you’re at risk from major state-level actors, and the Secret Service is making you use a Blackberry.

What Roon is doing here is very standard, and well thought out, and presents a very minimal risk increase for a large benefit - working much like e.g. Plex. If I were going to do this and follow best security practices, I would do it the way it has been done.

19 Likes

Thanks Danny. Good to know, although a switch would be far more intuitive.

2 Likes

And yes, and it avoids testing every time you click on Roon ARC. And switched off by default will avoid people having the port opened by mistake with UPnP. Roon ARC must be disabled by default whether UPnP is used or not.
It’s the user who can choose if the port must be open or not, not Roon.

Great, thanks!

Can I suggest perhaps some small font text with this nugget in the settings window? Then whoever wants to disable it can do so without raising a support request.

5 Likes

Can’t say this works for me. I bounced the Linux host MediaServer also. It assigned a higher port.

xxxxxx@cator113:~$ sudo nmap -p1-60000 mediaserver
Starting Nmap 7.80 ( https://nmap.org ) at 2022-09-20 13:07 EDT
Nmap scan report for mediaserver (192.168.0.155)
Host is up (0.00015s latency).
Not shown: 59993 closed ports
PORT STATE SERVICE
22/tcp open ssh
9150/tcp open unknown
9200/tcp open wap-wsp
9330/tcp open unknown
9331/tcp open unknown
9332/tcp open unknown
55002/tcp open unknown
MAC Address: 88:AE:DD:02:F5:BD (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.65 seconds

Are you seeing it punch a hole via UPnP? You shouldn’t be.

That open HTTP port is used for more than just remote (outside the home) connectivity.

Hi. If I understand the question correctly, no UPnP is enabled in my environment. This is a port scan against the Roon server on the local ethernet.

I interpreted the previous posting as setting the ARC port to zero would disable the ARC component listener. It is still available but on port 55002 from the previous 55000 default.
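One way to answer the "is it punching a hole via UPnP?" question for any host on the LAN is to ask the router itself for its current mapping table. This is an added example, not Roon's or any poster's code; it assumes the router speaks WANIPConnection:1 (GetGenericPortMappingEntry), and CONTROL_URL, the 192.168.0.1 address and SAMPLE_RESPONSE are constructed placeholders.

```python
# Added example (not Roon's code): list the port mappings a UPnP IGD router currently
# holds, to check whether anything (ARC or otherwise) has opened a hole to the LAN.
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

CONTROL_URL = "http://192.168.0.1:5000/ctl/IPConn"  # placeholder: take yours from the router's description XML
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")

def soap_body(index):  # GetGenericPortMappingEntry request for one index of the mapping table
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}'
            '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping(xml_text):
    # Match on local tag names: routers differ in the namespace prefixes they emit.
    values = {el.tag.split("}")[-1]: (el.text or "").strip()
              for el in ET.fromstring(xml_text).iter()}
    return {f: values.get(f, "") for f in FIELDS}

def fetch_mapping(control_url, index):
    req = urllib.request.Request(control_url, data=soap_body(index).encode(), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_mapping(resp.read().decode())

def list_mappings(control_url, limit=256):
    # Index upwards until the router answers with a SOAP fault (HTTP 500,
    # UPnP error 713 SpecifiedArrayIndexInvalid) just past the last entry.
    mappings = []
    for i in range(limit):
        try:
            mappings.append(fetch_mapping(control_url, i))
        except urllib.error.HTTPError:
            break
    return mappings

def describe(m):  # what the internet can reach, and on which LAN host
    return (f"{m['NewProtocol']} ext {m['NewExternalPort']} -> {m['NewInternalClient']}:"
            f"{m['NewInternalPort']} ({m['NewPortMappingDescription'] or 'no description'})")

# Constructed sample response (not captured from a real router) so the parser runs offline.
SAMPLE_RESPONSE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
    '<NewExternalPort>55002</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    '<NewInternalPort>55002</NewInternalPort><NewInternalClient>192.168.0.155</NewInternalClient>'
    '<NewEnabled>1</NewEnabled><NewPortMappingDescription>Roon ARC</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
```

Calling `list_mappings(CONTROL_URL)` against your own router and printing `describe()` for each entry shows exactly which LAN host and port each mapping exposes; a local nmap scan like the one above cannot tell you that, since the listener is open on the LAN whether or not the router forwards to it.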