SuperUniti major bug? Someone can control my SuperUniti from another network
Posted by: domenico on 19 May 2018
Hi,
Today I was a bit shocked. All of a sudden my music was changing and Spotify started to play a song and the music went louder.
I was stunned. Then a girlfriend of mine sent me a WhatsApp message asking me "Can I control your music from here?". She said that my SuperUniti was still available (from the last time she was here) in Spotify and then she chose that one and it worked. Now she is DJ-ing for me from 90 km away which is kinda nice but I don't think this is supposed to happen. There is no proxy whatsoever, she is using wifi from her parents' house.
So, is this normal or 'just' a major bug?
Hah! Well, enjoy the DJ-ing anyway, and don’t upset her, otherwise it might be heavy metal at 3 am some night!
Hahaha there is a big ON/OFF button on the back.
But still, this is strange and I really don't think this should be possible at all.
That's a Spotify feature. I can control Spotify even running on work desktop sitting at home.
Yes, I believe it is a Spotify feature and there have been posts where guests have later played music on someone's Spotify-enabled device remotely - potentially useful, but it does seem as though there ought to be more granularity for control options, say only from the LAN, and the ability to allow/exclude others from using it remotely over WAN.
Yep - this is a Spotify and caching issue. However, the North Koreans are observing you through your connected toaster.
The thread entitled “Turning inputs off in Muso QB” explains how this happens and how it can be resolved.
rgds
I know how Spotify Connect works and also know a bit of networks and internet (I'm a network specialist).
The problem is that I don't get why an external IP is used, or it must be Spotify that does this. In that case the Naim software should reject external IP addresses.
domenico posted: Hi,
Today I was a bit shocked. All of a sudden my music was changing and Spotify started to play a song and the music went louder.
I was stunned. Then a girlfriend of mine sent me a WhatsApp message asking me "Can I control your music from here?". She said that my SuperUniti was still available (from the last time she was here) in Spotify and then she chose that one and it worked. Now she is DJ-ing for me from 90 km away which is kinda nice but I don't think this is supposed to happen. There is no proxy whatsoever, she is using wifi from her parents' house.
Not so bad if ‘a girlfriend’ is the only one and current. It might be a bit more challenging if you are not monogamous or if said GF were to become an ex - at the very least you’d have to disconnect the internet or turn off at night...
It’s just the way Spotify works. If Naim want to offer Spotify they have to implement it to Spotify’s standards and have it certified. You can always disable the Spotify input, then it can’t happen.
Sounds like a security hole to me, open to be exploited if this is the case. It should not work outside your own home network. What purpose does it serve for it to do this?
As YNWA mentioned above - it's worth reading this thread to understand what is happening. David Hendon summarises it nicely -
https://forums.naimaudio.com/to...nputs-off-on-muso-qb
SimonPeterArnold posted: Sounds like a security hole to me, open to be exploited if this is the case. It should not work outside your own home network. What purpose does it serve for it to do this?
It's just the way Spotify works. You talk to your account on their servers with your phone and you send the streamed signal to whichever of your devices you choose. If someone has added your Naim as a device on their account then they can choose that again whenever they like. It's a feature not a bug (and nothing Naim can avoid, as HH says above).
best
David
SimonPeterArnold posted: Sounds like a security hole to me, open to be exploited if this is the case. It should not work outside your own home network. What purpose does it serve for it to do this?
If you mean other than to let exes get their revenge: how about to make burglars think someone’s home? or neighbours turn down the volume or choose music they prefer when they’re in? Or to help jealous neighbours seeking to make you dump your kit in the bin in a fit of disgust after being unable to find the fault ...to be collected by them?
domenico posted: I know how Spotify Connect works and also know a bit of networks and internet (I'm a network specialist).
The problem is that I don't get why an external IP is used, or it must be Spotify that does this. In that case the Naim software should reject external IP addresses.
But for this to work if you are using PAT/NAT on your router, then unless your router is supporting UPnP forwarding address or similar, there is no way your external address can initiate a contact with your internal private address unless you have set up a forwarding address on your router. So one suggestion is to switch off UPnP and the Apple equivalent on your router... If this has no effect then it won’t be an external address initiating this but another service that would have to be initiated from within your private network. I am sure you know what I am referring to if you are a specialist (as indeed am I).
David Hendon posted: SimonPeterArnold posted: Sounds like a security hole to me, open to be exploited if this is the case. It should not work outside your own home network. What purpose does it serve for it to do this?
It's just the way Spotify works. You talk to your account on their servers with your phone and you send the streamed signal to whichever of your devices you choose. If someone has added your Naim as a device on their account then they can choose that again whenever they like. It's a feature not a bug (and nothing Naim can avoid, as HH says above).
best
David
Yes, I know but only when they are connected to your network! It seems the SuperUniti device was cached, together with my external IP. That is absolutely not necessary and shouldn't happen.
Simon-in-Suffolk posted: domenico posted: I know how Spotify Connect works and also know a bit of networks and internet (I'm a network specialist).
The problem is that I don't get why an external IP is used, or it must be Spotify that does this. In that case the Naim software should reject external IP addresses.
But for this to work if you are using PAT/NAT on your router, then unless your router is supporting UPnP forwarding address or similar, there is no way your external address can initiate a contact with your internal private address unless you have set up a forwarding address on your router. So one suggestion is to switch off UPnP and the Apple equivalent on your router... If this has no effect then it won’t be an external address initiating this but another service that would have to be initiated from within your private network. I am sure you know what I am referring to if you are a specialist (as indeed am I).
Of course, I addressed this 'problem' right away so for me it's not a problem anymore but that is not what I'm saying. This shouldn't be possible in the first place.
Spotify Connect should only work on private networks (LAN). I think this is a serious or better, stupid design flaw.
Though, I liked the private remote DJ set.
Innocent Bystander posted: SimonPeterArnold posted: Sounds like a security hole to me, open to be exploited if this is the case. It should not work outside your own home network. What purpose does it serve for it to do this?
If you mean other than to let exes get their revenge: how about to make burglars think someone’s home? or neighbours turn down the volume or choose music they prefer when they’re in? Or to help jealous neighbours seeking to make you dump your kit in the bin in a fit of disgust after being unable to find the fault ...to be collected by them?
I don't think you understand what has happened. When you go to Spotify you should only see the current device on the network you are connected to. Not all the devices that you connected to in the past year.
domenico posted: Innocent Bystander posted: SimonPeterArnold posted: Sounds like a security hole to me, open to be exploited if this is the case. It should not work outside your own home network. What purpose does it serve for it to do this?
If you mean other than to let exes get their revenge: how about to make burglars think someone’s home? or neighbours turn down the volume or choose music they prefer when they’re in? Or to help jealous neighbours seeking to make you dump your kit in the bin in a fit of disgust after being unable to find the fault ...to be collected by them?
I don't think you understand what has happened. When you go to Spotify you should only see the current device on the network you are connected to. Not all the devices that you connected to in the past year.
Spotify doesn't work that way. You could be on a different network (for example a mobile cellular network). But you still would want to be able to connect to your devices which might be on your wifi in the same building.
Anyway Spotify know what choices they have made for their customers.
best
David