Now that ROCK is installed with an open port on so many home networks, and our firewalls are seeing Russian-based (and other) hackers doing probes and port scans, may I ask again whether Roon has a tough enough approach to security?
earlier requests for a hardened, red-team tested version of ROCK have not been picked up by Roon. Surely that would be good practice?
Roon does not have certifications which show independent verification of security (for example in the UK, “Cyber Essentials Plus” would be one option, independently certified compliance with ISO/IEC27001 would be another helpful contribution)
Roon does not have a disclosure policy / bug bounty scheme. This is generally regarded as good practice for a software product based in client homes
Roon has made no statements about the level of monitoring and controls which they apply at their end (for example, to prevent nefarious software updates being pushed out to client machines).
Cybersecurity is a difficult topic to get right - how much is “enough”? - but the greatest danger can be complacency: there haven’t been any issues, so we don’t need to be too worried.
This is a timely post. My router firewall has generated three warning messages regarding Russian IP Reputation attacks. While I look at my system to figure out what I can do about it, something I have no real clue about, I wonder if Roon has a plan for this?
You will always get Russian (and other) attacks when you have a port open to the internet. The question is whether the attackers can get anywhere. And that’s where we have to rely on Roon.
My view is that Roon need to up their game and provide independent certifications, bug bounty etc in order to protect their customers properly. Just asserting that “our platform is fine” no longer cuts it in the current world of heightened cybersecurity threat,
I’m not an expert here. But do the other devices you (or at least I and many others who use Roon) have in our homes - Alexa, Ring, Ropieee, ecobee/Nest, Xbox/nintendo, Oculus, alarm panels, etc, meet this standard? I’m not arguing that there shouldn’t be much more security consciousness in the world. There should. But to go after Roon for not meeting a standard that far larger companies are not meeting seems like it’s asking them to be a little holier than thou. Maybe I’m not aware and there’s an industry standard for these things, and all the devices I listed are part of it, and that satisfies you. But they’re a team of dozens not hundreds. Many of those who are security conscious seem to have moved to using a VPN instead of an open port to access ARC, and it’s generally working fine for them. I’m no Roon defender at all costs - they certainly need to up their game substantially on support and on regression on basic functionality like gapless playback - but this feels a bit like a canard (at least with the strength with which you’ve stated your “what would be good enough”).
Some of those devices do adopt good practice, others less so. In general, the Internet of Things is an ugly and messy area for cybersecurity. I agree that many other manufacturers are being careless (at great cost in some cases) but this should not be a reason to be so silent on security as Roon has been.
There are two important differences between the examples you gave and Roon/ROCK:
(1) most of those devices do NOT open a port to the outside world. They make an outbound connection only - and in that sense they are as much risk as any other device in your home. However ARC opens a port which can be accessed from outside.
(2) many of the devices you have listed are single-purpose devices (eg alarms, doorbells, cameras) and can be inhibited from having any other local network access. Conversely, ROCK is a Unix platform which requires access to our file server (for the local music library) and players around the house (which are typically on trusted internal networks so we can control them with phones etc). Again, its broader internal connectivity is a reason for the vendor to have good security.
I have some 60 Internet of Things devices on our home network, ranging from cars to washing machines to lawnmower robots. Roon/ROCK is the only one that requires a port to be opened through our firewall. With that, comes additional obligations for the vendor to have appropriately strong security.
Some of the things on the “basics” list (eg independent peer review, bug bounty) do not need to cost a lot of money or require staff beyond what it takes to build and operate a well-maintained system.
This has been discussed ad nauseam here.
Having an open port is not a security risk per se.
In an already compromised system having an open port might make it marginally easier for a hacker to take control of your system but whether or not ports are opened, or upnp is enabled or not, isn’t going to matter to anyone with even basic skill.
It seems to me that people are thinking having open ports is like having an unlocked door in your home:
That thieves are roaming the neighbourhood looking for unlocked doors and if they find one there will be a robbery.
That’s not how this works.
What was discussed (indeed ad nauseam as you say) was whether Roon should use upnp to tell the owner’s router to open a port. I’m not reopening that discussion here.
However once a port is opened, there is a heightened risk to the device behind that port. To use your analogy, my house has only one door to the street and it is securely locked, impact-proof, alarmed and monitored. Roon installs a second door which goes directly to their ROCK device. That’s OK with me but I’d like to know whether it is made of cardboard or hardwood.