Volumio network security

After installing Volumio, is there anything I need to do in order to enhance its security, or is it ‘good enough’ out of the box?

I’m mostly interested in its network security and whether or not I need to undertake additional steps after installation.

It’s insecure by design - there’s a default password on a user with sudo access and SSH is turned on from unsecured web access. You can maybe change the password - there were some issues with that previously, but I’m not sure if that’s changed.

That’s somewhat worrying. Thanks for the reply.

Well, you should keep it behind your firewall regardless. So it’s as safe as your wifi…

While you’d wish it to be more secure I don’t find this very worrying.
We know the setup as we have access to the source, unlike what’s true for a lot of other devices in people’s homes. These devices could very much have the same type of system but it’s not documented and you don’t have access to the source. Bad faith actors can have this information. I find with Volumio you have the upper hand as you are not left in the dark.

You can back up your settings (using the plug-in) and re-image every few weeks to keep it safer. Volumio is not a widely used system on a worldwide basis, so I doubt anyone will bother with adding these to their bot-net hijacking systems.

SSH is off by default, you must explicitly enable it…

While this is true it’s turned on through insecure web-access, so there’s nothing stopping an attacker.
Without this it would be more secure.

… while you can easily turn on SSH via the page
http://volumio.local/dev/
SSH off by default is not secure.

… while Volumio is based on a distribution which does not have the latest upgrade/patch level
… while there is a default password on a user with sudo access
… while there is unsecured web access
… while the /dev/ page is unprotected

and …

In my opinion, this is a bad argument; Volumio is based on well-known distributions …

… in my opinion, Volumio is an insecure system.

You have to protect your network with firewall rules
… only allow connections to clients that you want to use Volumio
… access to a NAS with a read-only user, only to the music files
… only allow internet access to

pushupdates.volumio.org
updates.volumio.org
radio-directory.firebaseapp.com
opml.radiotime.com
*.ntp.org
… and the internet radio stations you use
… look at your network traffic

block access to

database.volumio.cloud (when you do not use MyVolumio)
functions.volumio.cloud (when you do not use MyVolumio)
*.google-analytics.com
… look at your network traffic

my opinion
reboot

There has been a long debate on how to make Volumio more secure by default without sacrificing usability and the ability to troubleshoot it.
Reboot, I am really interested to know what you would do to improve security (without compromising usability).

Hi volumio :slight_smile:

… it is not an easy way

I use Pi-hole as the DNS server, which is configured as the DNS server in my router

  • with Pi-hole group management I have the groups
    – SmartMedia (with the most blocking of DNS queries) -> for Volumio, SmartTV, …
    – Workstations (with moderate DNS blocking) -> Notebooks, PC, …
    – SmartDevices (with DNS blocking trimmed to Smartphones) -> Smartphones, Tablets, …
    – Peripherie (with high DNS blocking) -> Network Printer, NAS, …
    – Infrastruktur (no DNS blocking) -> Firewall, Router, Switch, WiFi Access Points
    maybe you can make it simpler

I use these blocklists with Pi-hole:
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
-> that blocks most known trackers, adware, …
and I add my own blocking, depending on the network traffic
e.g.: (\.|^)volumio\.cloud$
to block DNS queries that are specific to the device (e.g. Volumio)
Pi-hole has good logs, you can see what’s going on with DNS queries

I use a Ubiquiti Edge X Router

  • configure Pi-hole as DNS server
  • configure static IP maps in the router for devices such as Volumio, NAS, Network Printer, Notebooks, Tablets, Smartphone …
  • use the built-in firewall to make a rule for the IP that Volumio uses:
    — give access only to the IPs of the Tablets, Smartphones, Notebooks, NAS which shall access Volumio
    — give access to the internet (to get updates …) … when you go deeper, you can tune allowing or blocking internet IPs … which connections Volumio uses you can see in the Pi-hole log; give access only to the IPs you want, block all others.

I configure a “Volumio-User” on my NAS; the user has read-only access, only to the music folder.
When I configure sources on network devices, I only use this user.

I think it is a good way to start with the

  • NAS “Volumio-User”
    and
  • Pi-hole
    to get an understanding of your network.

Then use your router to make a firewall rule for the Volumio. Firewall rules are not easy to understand, but important to have good security.

… my Volumio works fine, without compromising usability :slight_smile:

reboot
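The allow and block lists from the two posts above, applied to Pi-hole (dnsmasq) query log lines, as an added example that is not part of the original posts: it sorts the Volumio device's DNS queries into allowed, blocked and to-review names. The device IP 192.168.1.50, the log lines and the function names are constructed for this illustration.

```python
import re
from fnmatch import fnmatch

# Allow and block lists as given in the thread (wildcards as written there).
ALLOW = ["pushupdates.volumio.org", "updates.volumio.org",
         "radio-directory.firebaseapp.com", "opml.radiotime.com", "*.ntp.org"]
BLOCK = ["database.volumio.cloud", "functions.volumio.cloud",
         "*.google-analytics.com"]

# dnsmasq "query" line as it appears in the Pi-hole log.
QUERY_RE = re.compile(r"query\[(?P<type>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")

def normalise(name):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return name.lower().rstrip(".")

def classify(name):
    """Return 'block', 'allow' or 'review' (not on either list) for a domain."""
    name = normalise(name)
    if any(fnmatch(name, p) for p in BLOCK):
        return "block"
    if any(fnmatch(name, p) for p in ALLOW):
        return "allow"
    return "review"

def audit(log_lines, device_ip):
    """Group the domains queried by device_ip by verdict."""
    result = {"allow": set(), "block": set(), "review": set()}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m.group("client") == device_ip:
            result[classify(m.group("name"))].add(normalise(m.group("name")))
    return {verdict: sorted(names) for verdict, names in result.items()}

# Constructed sample log; 192.168.1.50 is an assumed static IP for Volumio.
SAMPLE_LOG = """\
Mar  3 20:01:11 dnsmasq[412]: query[A] updates.volumio.org from 192.168.1.50
Mar  3 20:01:12 dnsmasq[412]: query[A] 0.debian.pool.ntp.org from 192.168.1.50
Mar  3 20:01:15 dnsmasq[412]: query[AAAA] functions.volumio.cloud from 192.168.1.50
Mar  3 20:01:19 dnsmasq[412]: query[A] www.google-analytics.com from 192.168.1.50
Mar  3 20:02:40 dnsmasq[412]: query[A] stream.example.net from 192.168.1.50
Mar  3 20:02:41 dnsmasq[412]: query[A] example.org from 192.168.1.23
""".splitlines()

if __name__ == "__main__":
    for verdict, names in audit(SAMPLE_LOG, "192.168.1.50").items():
        print(verdict, names)
```

Names that land under "review" are the ones to look up before deciding whether the firewall rule should allow them, for example the internet radio stations in use.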

Hi volumio, thanks for the reply. My Pi-based Volumio is on my LAN. I have a broadband router supplied by my Internet provider that provides my LAN and access to the Internet. I checked and it has the firewall switched on, port scan detection enabled and IP flood detection enabled. I imagine that this is sufficient for normal levels of security protection.

I use the latest Safari browser on my iMac and my macOS has its own firewall enabled, in addition to the router’s firewall.

What I’d like to know is how my Safari browser was able to find http://volumio.local without me doing anything. I didn’t need to find the IP address of my Volumio device.

The name is published using mDNS - https://en.wikipedia.org/wiki/Multicast_DNS

1 Like

I suppose my concern would be: why are you worrying? If you have Volumio on an Internet-facing situation, then yes, you have a problem. But why would you? This is a music player, for use in people’s homes, so by default it’s inside your secure perimeter (or walls), it’s not a security appliance. If you have wired networking, then the router is the only available entry point, and you should be able to secure that. If wireless, then it’s still very possible to be secure against the common attacks. Obviously, if a hacking crew from Russia decided that your Volumio player was what they really, really wanted then you have a problem. If you have a smart TV, how protected is that? Volumio is not your problem, really…

2 Likes

Technically Volumio should only connect to the internet to collect a music stream if you are using something like Qobuz or Spotify, but the risk there shouldn’t be bigger than playing the same through your browser… I would still recommend though to switch off Volumio devices when you’re not using them…

I think many smart devices are much more of a risk, especially if you can conveniently control them from the outside. Since Volumio plays music on your speakers there is absolutely no need to control it from the outside (because you wouldn’t be able to hear the speakers :wink: )

If you want to create access to your NAS with locally stored music you should probably search for a different solution.

For the most part I’ve got a micro-SD card with a USB adapter plugged into my Volumio Pi-based device that has all of my music on it. I don’t access any music over the Internet. On the whole I’m happy with Volumio. My question was just a general question as I’m interested in how secure things are.

I just have one issue which is importing playlists, which I’ve mentioned in another thread. I really need to get the playlist issue resolved to make Volumio the perfect solution for me.

IMO the only concern about lack of security on any non-internet-facing device would be local attacks, done from browser scripts or from other infected devices.

For me the issue is low enough that I don’t really care about it, and if I did I’d just use the backup addon and re-image weekly, or disable the /dev page. I’m not aware of any vulnerabilities in Jessie/Volumio that would allow remote code execution, but I’m not a security expert either.

As for outside control, I’ve used MyVolumio remote once to turn OFF the music after I left home; AFAIK this access is done through a reverse-ssh-tunnel set up from the device. Breaching it would require gaining control over the MyVolumio server it connects to. It’s probably a nice service if you have a segregated network at home where you keep all IoT devices on a separate network, and don’t want any access between your devices and that network.

1 Like

Hello
What do you think, is it helpful if the password for WLAN hotspot is chosen randomly during setup and you have the opportunity to adjust it …?

regards
rust21A

I’d say no - it’s not helpful with a random password for those that set up headless. You can already set it to your own liking from settings after first boot.