NAC272 hacked with Spotify

Posted by: Watson on 01 May 2017

There is a security issue if NAC272 is used with a Spotify account. Here is the whole story:

A friend of mine has used his Spotify account to replay his playlist while being logged in to my local network. That is OK and worked as designed.

Today he was miles away with no access to my network. He opened his Spotify account and has seen my NAC272 as a possible device for play back. He tried it out and it worked. He changed from radio to Spotify and played his song list. In addition he was able to control the volume!

Any hints on how I can avoid it and whom to contact to solve this security issue?

Thanks in advance.

Posted on: 01 May 2017 by ray sheldon

That happened to me also. One day I was peacefully making something to eat in the kitchen when all of a sudden music came on quite loud. I must admit I temporarily shit myself. I flew into the lounge and turned down the volume and right before my eyes the volume went back up! I immediately turned the power off to the 272.

Shortly afterwards my niece called me explaining it was an accident, she launched Spotify on her phone and clicked other devices and so on....

She had visited some days before and I logged onto Spotify using her phone. Needless to say, I changed my router password and that stopped that.

I'm not a user of Spotify Premium anymore and now have an NDX, I would be interested though to see how to prevent this in the future.

Posted on: 01 May 2017 by hungryhalibut

I imagine you just turn off the Spotify input. That's what I've done now that my son has returned to Uni after the Easter break. 

Posted on: 01 May 2017 by Kevin Richardson

Ditch Spotify and go with Tidal.

Posted on: 01 May 2017 by Dave***t

I consider it a feature - I was in Holland a few months ago and texted my girlfriend at home to make sure she was in the living room, then put Sex Bomb by Tom Jones/Mousse T on.

Whenever you come home you can have entrance music.

Posted on: 02 May 2017 by Claus-Thoegersen

Interesting but it is probably a Spotify Connect problem. I would report it to Naim support.

Claus

Posted on: 02 May 2017 by Innocent Bystander

As an aside, it is worth being aware that any "smart" device connected to your network connected to the internet is a potential route for hackers to gain access to other devices, potentially for malicious purposes - and that includes smart electricity meters, central heating controllers etc., and it could easily be that the most trivial of these is the one that allows the back door entry. Whether any individual person is likely to be a target may be another matter, but it is worth being aware.

Posted on: 04 May 2017 by L_H

Need to close the port on your router, it used to be 4070, search Spotify forum and it'll be on there. 

Posted on: 05 May 2017 by Watson

To close this topic here, I have spoken to Spotify. It works as designed. So they do not see a security issue at all. I do not agree and I am disappointed how it is handled. They have dug a hole in my internal network without changing a rule in my firewall and without my knowledge. It should work easily if someone is in your network but it should not work if he is outside of it.

Posted on: 06 May 2017 by robgr

I agree. Why on Earth would you design it like this? It's useless unless you're in the room. I'd like to see the design that captures this functionality. This is undoubtedly an issue and their response suggests they just can't be bothered to fix it. Security policy should always be about the minimum level of access required to perform only the task at hand and not to leave a great big hole as noted.