Once again I propose we rename IoT as IoV
Internet of Vulnerabilities
If you let your mates pair their Spotify accounts with your smart speakers, beware – the connection persists across the internet, not just across your home Wi-Fi network, as some assumed. Spotify's Connect support page tells users to ensure that the two devices are on "the same Wi-Fi network", but as users discovered as far …
Just because an IoT device might run Linux it doesn't mean it is secure (or can be secured).
o Where in Linux is the ability to unpair a spotify account?
o Where does Linux stop a web app from sending clear-text passwords?
o Where does Linux prevent an application from having hard-coded back door passwords?
o Where does Linux prevent idiocy?
s/Linux/Windows
s/Windows/AnyOs
It should be referred to as the "Incredibly Disrupting Internet of Things". IDIoT.
The pervasive lack of design when (not) thinking of security, and attempting to bolt on security as an afterthought results in a violation of the 7 Engineering P's*, with a resultant behavior.
IDIoTs are not bad. They just need to be managed and not put in situations where they can cause danger.
* For those that may recall, the 7 Sacred P's are: "Proper Prior Planning Prevents Piss Poor Performance."
At minimum, countries need to have a set of standards at their borders, so that anything falling below the standard cannot enter and be sold.
Beyond that, there is a real need for a set of international privacy and security standards that are governed by a regulatory body that has teeth. Of course that will never happen in any meaningful way, but if you can't get a certification that enables you to sell your goods, in theory you are going to try harder.
... for anyone thinking he actually owns that expensive gadget he shelled out for.
And a brilliant burglary reconnaissance tool: if after the 17th loop of "Last Christmas" (or any title in the 1000-volume collection "Songs I'd have hoped to never hear again") nobody is running out of the house with blood dripping from the ears, the target can safely be assumed to be empty.
> ... for anyone thinking he actually owns that expensive gadget he shelled out for.
Oh, you mean that always connected and phoning home Tesla that is sitting on your driveway?
The one that can have features added and taken away on the whim of Elon Musk...
Who really owns the vehicle? You or Tesla and all you are paying for is a license to use it?
{ex Model S owner here}
In the olden days some burglars would have accomplices lurking around airports to read the name/address tags on the luggage of outbound travellers.
How long before you can drop $5 to purchase the address of a vacant home on some Russian version of eBay? Getting an alert when the residents are on their way home would cost extra, of course.
It already works like that for credit card numbers - why not for home addresses?
Sure, if the target has a Spotify Connect enabled device and an insecure LAN, your plan will work a treat. Then again, if the only goal is to find out whether anyone is home, it might be easier - and leave far fewer tracks - for them to simply ring the regular, non-smart doorbell.
I dimly recall a time when commentards on El Reg understood the technologies they were clumsily taking the piss out of. It's a brave new world.
The point is that it could be done remotely - once a device is linked to an account, someone in another country can control it, or use it to determine if someone is home. Imagine a housebreaker buying the logs for a target's smart thermostat for the past week - for a couple bucks, they know when the target was home and when they weren't, thus having a high probability of burglarizing a house hours before the resident returns home.
I think you're overestimating the recon and investment that goes into your average housebreaking. Those kinds of thieves are usually opportunists, not Ocean's Whatever Number You Like. If you've got priceless artefacts likely to be targeted by that kind of professional crook, you'll probably also have a security system more than capable of mitigating any not-quite-vulnerabilities in your smart speaker.
Excuse my ignorance, but do these speakers not come with a control app that lets you manage who is or can connect? Delete pairings? Or do they need a factory reset to clear authorisations? Or do the connections persist a reset? Don't get me wrong, the Spotify over the Internet connection is a concern, but devices you cannot manage have to take some of the blame.
Exactly what I came to the comments page to say. The responsibility isn't with Spotify - they did what an authorized user asked, and that user can remove that device. "Only play music over a local speaker" is just a nicety. The "smart speaker", on the other hand, needs the capability to disconnect from services. A malicious guest could teach the "smart speaker" to pair to a malicious service and listen in to everything it hears, even after the malicious guest no longer has access to the wifi. With no way of removing that "skill", the only way to stop it at the device would be a hard reset. Preferably with a sledgehammer.
As another poster put it, the S in IoT stands for Security...
Nah man, not a proper hipster, a real one wouldn't have this issue. If he was he'd be using an old Rotel RX402 stereo receiver and a knackered old marantz record player he'd nicked from his mum. The only issue he'd have is the dodgy bloody power cable that needs setting _just right_ to not lose power and the feeling that the needle probably needs replacing but he doesn't know how long they last anyway and if it's even damaging the precious copy of Rio - Duran Duran or not.
> "At no point does any authorisation the user is in control of happen, and there's no way to revoke it."
Use a router to block traffic from Spotify to your speaker home network. This will have the happy side effect of forcing you to move on to a more responsibly run service. Two birds, one stone.
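As an added example of the router-side block suggested above (this is not the commenter's own configuration, nor anything from Spotify or a speaker vendor), here is how it looks on a Linux router running nftables. The interface names lan0/wan0, the speaker's address 192.168.1.50 and the LAN subnet are assumptions. Note the direction: a Spotify Connect session is opened outbound by the speaker to Spotify's cloud, so a rule that merely blocks "inbound from Spotify" never matches anything; the speaker has to be denied egress.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original thread. Assumed values:
#   lan0 / wan0      router's LAN interface and uplink
#   192.168.1.50     the smart speaker (pin it with a static DHCP lease)
#   192.168.1.0/24   the home LAN
# Spotify Connect sessions are opened *outbound* by the speaker, so the
# only reliable cut is to deny the speaker any path to the uplink. Blocking
# Spotify's own address ranges instead is fragile: they sit behind CDNs and
# change without notice.

table inet speaker_jail {
    set speakers {
        type ipv4_addr
        elements = { 192.168.1.50 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # LAN-to-LAN traffic (a phone on the Wi-Fi casting to the speaker)
        # is unaffected.
        iifname "lan0" oifname "lan0" accept

        # Anything a jailed speaker sends towards the uplink is logged and
        # dropped; the log shows what it keeps trying to phone home to.
        iifname "lan0" oifname "wan0" ip saddr @speakers log prefix "speaker-egress-denied: " counter drop

        # Nothing on the internet gets to initiate towards it either.
        iifname "wan0" ip daddr @speakers counter drop
    }
}
```

Load it with `nft -f speaker_jail.nft` and confirm with `nft list ruleset`; the counters on the two drop rules climb as the speaker retries. The check that matters is the one the article describes: a phone on cellular data, logged into the paired account, should no longer list the speaker under Devices. Two caveats: if the speaker also gets a globally routable IPv6 address, add a matching `ip6 saddr`/`ip6 daddr` pair with an `ipv6_addr` set, and, as the commenter notes, this cuts the speaker off from Spotify entirely, since the speaker streams from Spotify's servers itself rather than from the phone.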
Yeah that's one way to go
Personally I've just got an amp connected directly to my PC with optical as source of audio. On that computer is MPC which I can control with a computer program (gmpc) or from my phone with M.A.L.P (vpn connection between them).
So full collection of music, not Internet dependent, plus remote control plus local music management. All win for me.
And not going to be hacked so easily.
(Although, saying that, I did just set up a Bluetooth lightbulb today... but that's not connected to Wi-Fi at all, Bluetooth only, used for a dimmable bedside light.)
A while ago SWMBO got a sound-bar for the TV with wired, optical and Bluetooth inputs.
We went for the wired input, but from time to time we'd get blasts of Bulgarian music through it - it seems if it detects a Bluetooth connection it will automatically switch to that, and the neighbours would occasionally accidentally connect to it - it's one of those devices with a preset pairing code that really doesn't care what it connects to.
The sound bar is now relegated to a box somewhere and TV sound is piped through the purely analogue hifi amp.
No, really? After all, this isn't a vulnerability, and it's not a bug. It's a global feature that just everybody on the planet wants! Yes, everybody wants to play music to a speaker that they can't possibly hear.
Really, the speaker should have some kind of control to revoke who accesses the thing. Maybe a factory reset will do the trick. Use the button activated by a sledgehammer.
> everybody wants to play music to a speaker that they can't possibly hear
True, like everybody wants to make a cup of coffee/tea at a place they aren't, or change the temperature of their homes when they are away.
Be careful, you are questioning the very foundations of IoT here.
I'm in two minds about heating - there are times when I decide after work to go for a booze-up without going home and want to turn my heating off.
I've never invested in one because I doubt it would pay back over those times, but I think there is a use case for that.
Also in the depths of winter I could up the heating before I got out of bed if it was too cold. Nothing like laziness to spur the pounds to leave your wallet.
Subject says it all.
OK, (semi-) real content.
I recall a magazine article from the 1950s on how to implement "warm the house up until I can stand to get out of bed" that involved a coal-fired furnace, banked just right before retiring, and an old-school spring-wound alarm clock. When the alarm sounded, a string wound around the alarm winding key tugged on a "trigger" that allowed a weight to open the damper. As far as I could tell, this was dead serious.
I used to live in a place with IoT heating, and it was indeed very handy to be able to adjust the heating when I was out of the house - when I wasn't going to be home at the normal time, or I'd gone away for a few days and forgotten to change the timer.
The only bug I see is not being able to un-link other users from the smart speaker.
And I think that may be partly to blame on the OEM, and partly on Spotify.
The assumption was probably that if someone has LAN/WiFi access, they want it to just work.
I have a home media receiver (Onkyo TX-NR636) with the Spotify Connect stuff built in, and early on noticed that I could have my phone on cellular data and still see it.
There's a setting in the Spotify app settings menu (Android, not certain on iOS), under Devices, for "Show local devices only", so the ability is intentional.
Any instance of the player that your account is logged into will also show as a device to be controlled remotely.
And I find no issues there, it works perfectly fine for my use case of playing music on the phone in my pocket and controlling it from the desktop Spotify player on the work laptop (and other way round).
Phone stays on cellular, work laptop stays on work network, and IT department is happy that they're segregated. It also allows for controlling the home system when I'm on the work VPN through the home DMZ (virtual access point with network segregation).
I have also noticed previously connected devices will drop off the list periodically, but the timeframe is erratic.
Spotify could rectify the issue with the smart speakers by having a "claim your device" dashboard showing any authorised connections and revoke options, or the OEMs integrating the functionality could have a "Hold power button for three seconds, then follow voice menu to delete authorised users" or some such. Likely both parties would have to change things slightly.
TL;DR:
It's a feature with a small bug, and in my case the pro outweighs the con.
I remember back a few years ago, I was listening to some relaxing Beethoven on the way to work and suddenly it starts playing some 'Gangsta Rap' with some rather unrepeatable lyrics. This would happen every day for a week until I realised that I'd put Spotify on my teenage daughter's phone and she worked out that she could prank me by forcing her 'music' through my phone in the car. She had worked out exactly which music I'd least prefer to listen to.
"it starts playing some 'Gangsta Crap' with some rather unrepeatable lyrics."
This would happen every day for a week until I realised that I'd put Spotify on my teenage daughter's phone and she worked out that she could prank me by forcing her "crap" through my phone in the car.
FTFY - no charge. Now go and install, then hide, Cerberus on her phone and set it to do all sorts of shit in retaliation.
Icon - "She had worked out exactly which 'music' I'd least prefer to listen to." This does not strike me as requiring a Moriarty-level genius intellect.
It's not streaming from his phone, it's streaming directly from Spotify. The device is using his account to access music directly and his phone is acting like a remote control for it. Unless I'm very much mistaken, there can only be one account attached to a speaker like this at a time (unless the speaker is engaged in some shenanigans), so as long as his account is the one paired with the speaker, there shouldn't be a problem. The real story here is someone not understanding how Spotify Connect works.
But hey, didn't you just feel sooo good when they turned up and you could show them how cool you are with all these hi-tech gizmos? Ah, that "natural" feeling when not wearing a condom, because you never knew, or cared, about consequences? That phone call later...