Prank warning: You do know your smart speaker's paired with Spotify over the internet, don't you?

If you let your mates pair their Spotify accounts with your smart speakers, beware – the connection persists across the internet, not just across your home Wi-Fi network, as some assumed. Spotify's Connect support page tells users to ensure that the two devices are on "the same Wi-Fi network", but as users discovered as far …

  1. Loyal Commenter Silver badge

    Once again I propose we rename IoT as IoV

    Internet of Vulnerabilities

    1. tony2heads

      Re: Once again I propose we rename IoT as IoV

      Until some vendor takes security seriously I don't want any IoT stuff.

      1. Steve Davies 3 Silver badge
        Childcatcher

        Re: Until some vendor takes security seriously...

        About 2030 then...?

        (or 8 years post CV-19 vaccine becoming available)

        1. sqlrob

          Re: Until some vendor takes security seriously...

          That soon? (and no, I'm not being sarcastic)

          1. Trigonoceps occipitalis

            Re: Until some vendor takes security seriously...

            Surely it will be when Linux is in the desktop?

            1. BrownishMonstr Bronze badge

              Re: Until some vendor takes security seriously...

              Wouldn't Linux power most of these anyway?

              1. Rattus
                Thumb Down

                Re: Until some vendor takes security seriously...

                Just because an IoT device might run Linux it doesn't mean it is secure (or can be secured).

                o Where in Linux is the ability to unpair a Spotify account?

                o Where does Linux stop a web app from sending text passwords?

                o Where does Linux prevent an application from having hard-coded back door passwords?

                o Where does Linux prevent idiocy?

                s/Linux/Windows

                s/Windows/AnyOs

        2. Dave559

          Re: Until some vendor takes security seriously...

          Nah, I reckon they'll think they'll have everything sorted out by the start of 2038...

          And they'll feel really pleased about it, and make a big song and dance about it.

          For a couple of weeks, at least... ;-)

          1. Numen
            Mushroom

            Re: Until some vendor takes security seriously...

            Then they get hit with the epoch rollover and the dancing stops.

            1. Dave559

              Re: Until some vendor takes security seriously...

              I didn't think I needed to spell it out... ;-)

    2. big_D Silver badge

      Re: Once again I propose we rename IoT as IoV

      As ever, caveat emptor.

      Or in other words, the "S" in IoT stands for Security...

    3. newspuppy

      I propose we rename IoT as The IDIoT

      It should be referred to as the "Incredibly Disrupting Internet of Things". IDIoT.

      The pervasive lack of design when (not) thinking of security, and attempting to bolt on security as an afterthought results in a violation of the 7 Engineering P's*, with a resultant behavior.

      IDIoTs are not bad. They just need to be managed and not put in situations where they can cause danger.

      * For those that may recall, the 7 Sacred P's are: "Proper Prior Planning Prevents Piss Poor Performance."

    4. Anonymous Coward
      Anonymous Coward

      Re: Once again I propose we rename IoT as IoV

      I tried this one day at work. I was back in my office, after visiting a different office. I had no idea if Barbie Girl was playing in the other office... to be certain I had to try a few more tracks too... ;)

  2. Chris G Silver badge

    IoV

    At minimum, countries need to have a set of standards at their borders, so that anything falling below the standard cannot enter and be sold.

    Beyond that, there is real need for a set of International privacy and security standards that are governed by a regulatory body that has teeth. Of course that will never happen in any meaningful way but if you can't get a certification that enables you to sell your goods, in theory you are going to try harder.

    1. phuzz Silver badge

      Re: IoV

      So basically add it as part of the CE/FCC/Kitemark* certification process?

      * or whatever the UK starts using if/when we finally brexit.

      1. BenM 29

        Re: IoV

        Probably Kitemark - B (rotated) S V for British Standard Verification... or, knowing the shower in power, they will abolish standards altogether as an unnecessary burden on business.

        1. Version 1.0 Silver badge

          Re: IoV

          Have you been joining Boris's Zoom conferences on Internet security again?

          1. Warm Braw Silver badge

            Re: IoV

            Personally, I found the pole to be a distraction from its educational content.

            1. John Brown (no body) Silver badge

              Re: IoV

              "I found the pole to be a distraction"

              Were you irresistibly attracted to dancing around it?

    2. Anonymous Coward
      Anonymous Coward

      Re: IoV

      Seriously? "International privacy and security standard"? You really want Russia & China determining your privacy & security?

      1. Yet Another Hierachial Anonynmous Coward

        Re: IoV

        You really want GOOGLE and FACEBOOK determining your privacy and security?

        1. quxinot Silver badge

          Re: IoV

          I'll cast my vote to the Chinese and Russians, given those choices.

      2. Anonymous Coward
        Anonymous Coward

        Re: IoV

        Russia and China are full members of the IEC and the ITU. They have been for years. Russia (as USSR) joined the IAEA in 1957, China in 1984.

        Next question?

    3. EBG

      Yup

      Internationally set standards have enabled the avoidance of effective regulation.

  3. LeoP

    Cloudy days ...

    ... for anyone thinking he actually owns that expensive gadget he shelled out for.

    And a brilliant burglary reconnaissance tool: If after the 17th loop of "Last Christmas" (or any title in the 1000 volume collection "Songs I'd have hoped to never hear again") nobody is running out of the house with blood dripping from the ears, the target can safely be assumed as empty.

    1. Anonymous Coward
      Anonymous Coward

      Re: Cloudy days ...

      ... for anyone thinking he actually owns that expensive gadget he shelled out for.

      Oh, you mean that always connected and phoning home Tesla that is sitting on your driveway?

      The one that can have features added and taken away on the whim of Elon Musk...

      Who really owns the vehicle? You or Tesla and all you are paying for is a license to use it?

      {ex Model S owner here}

    2. Drew Scriver Bronze badge

      Re: Cloudy days ... and a new business opportunity

      In the olden days some burglars would have accomplices lurking around airports to read the name/address tags on the luggage of outbound travelers.

      How long before you can drop $5 to purchase the address of a vacant home on some Russian version of eBay? Getting an alert when the residents are on their way home would cost extra, of course.

      It already works like that for credit card numbers - why not for home addresses?

      1. Rattus
        Big Brother

        Re: Cloudy days ... and a new business opportunity

        Why Russia?

        Just look at the logs of those sheeple using a Ring doorbell or other cloud-based home automation widget.

    3. Anonymous Coward
      Anonymous Coward

      Re: Cloudy days ...

      Sure, if the target has a Spotify Connect enabled device and an insecure LAN, your plan will work a treat. Then again, if the only goal is to find out whether anyone is home, it might be easier - and leave far fewer tracks - for them to simply ring the regular, non-smart doorbell.

      I dimly recall a time when commentards on El Reg understood the technologies they were clumsily taking the piss out of. It's a brave new world.

      1. Anonymous Coward
        Anonymous Coward

        Re: Cloudy days ...

        The point is that it could be done remotely - once a device is linked to an account, someone in another country can control it, or use it to determine if someone is home. Imagine a housebreaker buying the logs for a target's smart thermostat for the past week - for a couple bucks, they know when the target was home and when they weren't, thus having a high probability of burglarizing a house hours before the resident returns home.

        1. Anonymous Coward
          Anonymous Coward

          Re: Cloudy days ...

          I think you're overestimating the recon and investment that goes into your average housebreaking. Those kinds of thieves are usually opportunists, not Ocean's Whatever Number You Like. If you've got priceless artefacts likely to be targeted by that kind of professional crook, you'll probably also have a security system more than capable of mitigating any not-quite-vulnerabilities in your smart speaker.

  4. Velv Silver badge
    Flame

    Excuse my ignorance, but do these speakers not come with a control app that lets you manage who is or can connect? Delete pairings? Or do they need a factory reset to clear authorisations? Or do the connections persist a reset? Don't get me wrong, the Spotify over the Internet connection is a concern, but devices you cannot manage have to take some of the blame.

    1. Anonymous Coward
      Anonymous Coward

      Exactly what I came to the comments page to say. The responsibility isn't with Spotify - they did what an authorized user asked, and that user can remove that device. "Only play music over a local speaker" is just a nicety. The "smart speaker", on the other hand, needs the capability to disconnect from services. A malicious guest could teach the "smart speaker" to pair to a malicious service and listen in to everything it hears, even after the malicious guest no longer has access to the wifi. With no way of removing that "skill", the only way to stop it at the device would be a hard reset. Preferably with a sledgehammer.

      As another poster put it, the S in IoT stands for Security...

      1. itpeter

        I think the responsibility lies with Spotify *and* the manufacturers. Also, just because someone has the WiFi password doesn't mean they are authorised to run off with the permission to blare music out of a speaker at 4am.

    2. itpeter

      No reset functionality I can find. Yes, connections persist after a restart.

  5. Mr Dogshit

    Serves him right for being a hipster.

    1. coolsausage69
      FAIL

      Not a proper one.

      Nah man, not a proper hipster, a real one wouldn't have this issue. If he was he'd be using an old Rotel RX402 stereo receiver and a knackered old Marantz record player he'd nicked from his mum. The only issue he'd have is the dodgy bloody power cable that needs setting _just right_ to not lose power and the feeling that the needle probably needs replacing, but he doesn't know how long they last anyway and if it's even damaging the precious copy of Rio - Duran Duran or not.

  6. Robert Helpmann?? Silver badge
    Childcatcher

    No Way Out

    "At no point does any authorisation the user is in control of happen, and there's no way to revoke it."

    Use a router to block traffic from Spotify to your speaker home network. This will have the happy side effect of forcing you to move on to a more responsibly run service. Two birds, one stone.

    1. itpeter

      Re: No Way Out

      The connections are initiated from the media player not Spotify servers. The only way to prevent remote control is to block outbound connections from the media player using the MAC address which is hardly user friendly for most.

  7. IGotOut Silver badge

    FFS.

    20 year old amp with £15 Bluetooth dongle connected to the tape input (fuck off hipsters before you comment).

    Runs anything I want from phone or tablet.

    Job done.

    Fraction of cost.

    Better quality

    More Control

    No internet connection required.

    1. Anonymous Coward
      Anonymous Coward

      Re: FFS.

      25 yr old amp here, still works perfectly. Care to name your £15 Bluetooth dongle please, assume you're really happy with it?

    2. Anonymous Coward
      Anonymous Coward

      Re: FFS.

      You can also get AirPlay wifi adapters called the AudioCast M5 for about £20 that will do the same job. And it supports Spotify Connect too, even over the internet.

    3. JakeMS
      Thumb Up

      Re: FFS.

      Yeah that's one way to go

      Personally I've just got an amp connected directly to my PC with optical as source of audio. On that computer is MPC which I can control with a computer program (gmpc) or from my phone with M.A.L.P (vpn connection between them).

      So full collection of music, not Internet dependent, plus remote control plus local music management. All win for me.

      And not going to be hacked so easily.

      (Although, saying that, I did just set up a Bluetooth lightbulb today.. but that's not connected to wifi at all, Bluetooth only, using for dimmable bedside light.)

    4. Simon Harris Silver badge

      Re: FFS.

      A while ago SWMBO got a sound-bar for the TV with wired, optical and Bluetooth inputs.

      We went for the wired input, but from time to time we'd get blasts of Bulgarian music through it - it seems if it detects a Bluetooth connection it will automatically switch to that, and the neighbours would occasionally accidentally connect to it - it's one of those devices with a preset pairing code that really doesn't care what it connects to.

      The sound bar is now relegated to a box somewhere and TV sound is piped through the purely analogue hifi amp.

  8. Brian Miller Silver badge

    Spotify declined to make an on-the-record statement...

    No, really? After all, this isn't a vulnerability, and it's not a bug. It's a global feature that just everybody on the planet wants! Yes, everybody wants to play music to a speaker that they can't possibly hear.

    Really, the speaker should have some kind of control to revoke who accesses the thing. Maybe a factory reset will do the trick. Use the button activated by a sledgehammer.

    1. ThatOne Silver badge
      Devil

      Re: Spotify declined to make an on-the-record statement...

      > everybody wants to play music to a speaker that they can't possibly hear

      True, like everybody wants to make a cup of coffee/tea at a place they aren't, or change the temperature of their homes when they are away.

      Be careful, you are questioning the very foundations of IoT here.

      1. vilemeister

        Re: Spotify declined to make an on-the-record statement...

        I'm in 2 minds about heating - there are times when I decide after work to go for a booze up without going home and want to turn my heating off.

        I've never invested in one because I doubt it would pay back over those times, but I think there is a use case for that.

        Also in the depths of winter I could up the heating before I got out of bed if it was too cold. Nothing like laziness to spur the pounds to leave your wallet.

        1. The Oncoming Scorn Silver badge
          Mushroom

          Re: Spotify declined to make an on-the-record statement...

          The ability to mutter Alexa, from the comforting depths of a duvet & get her to up the thermostat temperature when the temperature plummets from -15C to -28C overnight can't be lauded enough.

          Icon - Toasty!

          1. Anonymous Coward
            Anonymous Coward

            Re: Spotify declined to make an on-the-record statement...

            How much does this personal assistant cost, and can they also do the vacuuming?

        2. Emir Al Weeq

          Re: Spotify declined to make an on-the-record statement...

          You could just buy a thermostat with a basic scheduler. No internet needed, no recording devices, you don't even need to be awake.

      2. Anonymous Coward
        Anonymous Coward

        Re: make a cup of coffee/tea at a place they aren't // the very foundations of IoT

        Aha! An Internet of Tea!

        1. Mike 16 Silver badge

          418 I'm a teapot

          Subject says it all.

          OK, (semi-) real content.

          I recall a magazine article from the 1950s on how to implement "warm the house up until I can stand to get out of bed" that involved a coal-fired furnace, banked just right before retiring, and an old-school spring-wound alarm clock. When the alarm sounded, a string wound around the alarm winding key tugged on a "trigger" that allowed a weight to open the damper. As far as I could tell, this was dead serious.

      3. 96percentchimp

        Re: Spotify declined to make an on-the-record statement...

        I used to live in a place with IoT heating, and it was indeed very handy to be able to adjust the heating when I was out of the house - when I wasn't going to be home at the normal time, or I'd gone away for a few days and forgotten to change the timer.

    2. Drew Scriver Bronze badge

      Re: Spotify declined to make an on-the-record statement...

      What are the chances that Spotify staff were running bets on how long it would take for someone to finally discover this 'feature'?

  9. Zarno Bronze badge

    The only bug I see...

    The only bug I see is not being able to un-link other users from the smart speaker.

    And I think that may be partly to blame on the OEM, and partly on Spotify.

    The assumption was probably that if someone has LAN/WiFi access, they want it to just work.

    I have a home media receiver (Onkyo TX-NR636) with the Spotify Connect stuff built in, and early on noticed that I could have my phone on cellular data and still see it.

    There's a setting in the Spotify app settings menu (Android, not certain on iOS), under Devices for "Show local devices only", so the ability is intentional.

    Any instance of the player that your account is logged into will also show as a device to be controlled remotely.

    And I find no issues there, it works perfectly fine for my use case of playing music on the phone in my pocket and controlling it from the desktop Spotify player on the work laptop (and other way round).

    Phone stays on cellular, work laptop stays on work network, and IT department is happy that they're segregated. It also allows for controlling the home system when I'm on the work VPN through the home DMZ (virtual access point with network segregation).

    I have also noticed previously connected devices will drop off the list periodically, but the timeframe is erratic.

    Spotify could rectify the issue with the smart speakers by having a "claim your device" dashboard showing any authorized connections and revoke options, or the OEMs integrating the functionality could have a "Hold power button for three seconds, then follow voice menu to delete authorized users" or some such. Likely both parties would have to change things slightly.

    TL;DR:

    It's a feature with a small bug, and in my case the pro outweighs the con.

    1. Zarno Bronze badge

      Re: The only bug I see...

      At the risk of getting more, can someone give feedback on why they downvoted?

      Genuinely would like to know why they're there.

  10. anthonyhegedus Silver badge

    Happened to me

    I remember back a few years ago, I was listening to some relaxing Beethoven on the way to work and suddenly it starts playing some 'Gangsta Rap' with some rather unrepeatable lyrics. This would happen every day for a week until I realised that I'd put Spotify on my teenage daughter's phone and she worked out that she could prank me by forcing her 'music' through my phone in the car. She had worked out exactly which music I'd least prefer to listen to.

    1. The Oncoming Scorn Silver badge
      Holmes

      Re: Happened to me

      "it starts playing some 'Gangsta Crap' with some rather unrepeatable lyrics."

      This would happen every day for a week until I realised that I'd put Spotify on my teenage daughter's phone and she worked out that she could prank me by forcing her "crap" through my phone in the car.

      FTFY - No charge, now go & install then hide Cerberus on her phone & set it to do all sorts of shit in retaliation.

      Icon - She had worked out exactly which "music" I'd least prefer to listen to. - This does not strike as requiring a Moriarty genius level intellect.

    2. Anonymous Coward
      Anonymous Coward

      Re: Happened to me

      Ah, the Gangsta Raps. Yes, they're great, I've got all their albums.

    3. AVee
      Trollface

      Re: Happened to me

      I'd do that. I changed jobs months ago and still have access to the Sonos in my old office.

      And you know, once I've got access to someone's speakers my motto is "Never gonna give you up..."

  11. Graham Dawson Silver badge

    It's not streaming from his phone, it's streaming directly from Spotify. The device is using his account to access music directly and his phone is acting like a remote control for it. Unless I'm very much mistaken, there can only be one account attached to a speaker like this at a time (unless the speaker is engaged in some shenanigans), so as long as his account is the one paired with the speaker, there shouldn't be a problem. The real story here is someone not understanding how Spotify Connect works.

    1. Anonymous Coward
      Anonymous Coward

      Exactly my thoughts. It does not depend on your local device to stream. I also thought that working over the internet was expected behaviour.

    2. itpeter

      I roughly understand how it works. However, I don't have a premium account and therefore am unable to pair with the speaker and effectively revoke access to the existing device which has access.

  12. Blackjack

    Hey using smart devices is quite dumb!

    To think that hacking a toaster, a fridge or an oven USED to be a joke.

  13. Anonymous Coward
    Anonymous Coward

    If all devices around you are smart

    then who is the dumb one ?

  14. Anonymous Coward
    Anonymous Coward

    "If you give your Wi-Fi password to a guest

    But hey, didn't you just feel sooo good when they turned up and you could show them how cool you are with all these hi-tech gizmos? Ah, that "natural" feeling when not wearing a condom, because you never knew, or cared, about consequences? That phone call later...

    1. Intractable Potsherd Silver badge

      Re: "If you give your Wi-Fi password to a guest

      You are a sad, strange little man to conflate speakers with sex.

      1. Intractable Potsherd Silver badge
        Pint

        Re: "If you give your Wi-Fi password to a guest

        Sorry, folks - that was meant to be humour, but the exclamation mark went missing(!) Apologies foremost to the OP - - - >

  15. Anonymous Coward
    Anonymous Coward

    And this is why...

    a "guest-only" wifi channel is a really good idea. (In my case, our phones are using it too, since they don't need access to the real computers.)

    1. itpeter

      Re: And this is why...

      Hindsight is a wonderful thing :-)

  16. Simon Harris Silver badge
    Devil

    Rickrolling...

    'Spotify, play "Never gonna give you up" on my mate's smart speakers!'

    1. Anonymous Coward
