My Question or Issue
I had a question/suggestion related to this: https://community.spotify.com/t5/Accounts/Security-hole-Remote-control-devices-on-other-networks-thr...
TL;DR: Spotify intentionally remembers all speakers it has played to, allowing you to keep connections to networks you aren't physically local to anymore.
I've recently become more security concious, and I also noticed that the implementation in the link above seems to me like it is a dangerous one. I would love to be told that this was all thought of and that there's no problem by someone who knows the implementation. I know Spotify is security minded (thank you). But I also know that no one is exempt from bugs and things being overlooked and exploited. Like Google Home which had an issue where a public facing api allowed anyone online to get the noise level from the speaker, allowing someone to potentially know if people are home or not. Which was not awesome.
Anyway, this connection that's made to the speaker:
Is it something where when I open Spotify, my local client then pings the server for a list of speakers to play on for Spotify Connect and then opens a connection to the speakers it has listed, even if I don't play anything on it? (hopefully not because I'm using it and their network now has a connection open that shouldn't be there)
Or does it not even open a connection to the speaker at all until I play on it? (best case scenario, because I actually want to use the speaker)
Or is the connection on the speakers open all the time even when I don't have any of my Spotify clients open? (worst case scenario, an always open port in a network with no connection to it is asking for trouble <-- I'm worried about this scenario happening)
-------------------------------------------------------------------------------------------
ALSO realated -> I'm worried that this feature is creating unintended possibly dangerous security problems because I think poeple only intend for others to play Spotify on their networks when they are actually local to their network. I know that I don't want my friends having a persistent connection to my speakers after they leave my house, but I do want them to play music when they are there.
Can we make at least an option to be available where people can only play music when they are on the local network, and don't keep that connection when they leave? Once they go home I really don't want my home wifi to be opening connections out that I don't know about to anyone who has played Spotify on my home wifi before.
------------------------------------------------------------------------------------------
I just want to make sure there's not open ports in networks that shouldn't be there waiting for connections. Because I trust Spotify way more than I do the speakers that are allowing the connections, so I want to make sure that the firmware/software on connected speakers can't be exploited because Spotify unintentionally left a connection open to my AVR, when my AVR probably doesn't have the same security mindedness that Spotify does and that in turn allows someone do something bad on my home network.
Staff / Moderator/ 3 years ago in Social & Random