PIN only for devices brought to market after 1.Aug.2025

@Ben
You have two things to consider…
(Three if you include forgetting Boris)

  1. Does the device store PII information?
  2. Vectors of attack and a threat assessment of the risk.

Many here have never had to deal with CISO issues. A lot of this goes over their heads.

The intention of the PIN was to stop attackers from changing the device settings… which AFAIK requires physical access. The wi-fi or ethernet attack vectors are going to be difficult because the device is on a local network only and gets to the internet via NAT at the router.

So in theory, the issue is that someone compromises your router or AP and they are now inside your firewall. Any device that has an internet connection could in theory be used to attack other sites. And I say in theory because the attacker would have to know those devices and how to use them to create such an attack. (e.g. a DDoS attack)

The probability of the risk is low but still greater than 0.

Then there’s the issue of protecting PII information. Your smart devices store account information and this could include some PII information. (It’s not just audio, but includes TVs and ‘smurt’ [sic] appliances.)

Yes, I agree with you that consumer grade routers are the issue. (I switched my home network to using a Meraki years ago after my consumer grade router / AP got hacked while I was in the UK for work.) It’s a bit of the Nanny state taking this route and then having Rose err on the side of caution.

There are things Rose could have done with their implementation that would allow them to comply and to make it less of an issue. Like when you register your device, Rose knows your region. So they could implement the lock only for those regions requiring a pin. (Or allow you to disable it outside those regions.)

And in past lives, I’ve been a Unix sysadmin / Linux sysadmin, and an exec in a global Fortune 500 company responsible for managing and securing data.

And Boris… before you say something stupid… do you remember where you were when the Morris worm hit the internet? (I do.)

And a PIN in the UI is going to prevent hackers already on the internal network from abusing the Rose box exactly how? Oh, right, it’s not going to do one damn thing useful.

Intention of Rose in adding a PIN is still unknown (security theater to pretend they are compliant with local regulations, mostly). Directive requires something different though.

:rofl: Mopping the floor is not usually considered an executive role

Seriously? You do? Weren’t you already senile by then? Oh, wait, you were born like that!

Myself, I was coding some slightly more complicated stuff back then. Not that you would understand.

Dear Ben, please take this and don’t lose it again.
Screenshot 2025-12-06 at 20.07.30


What do you want to tell me?

Hello
thank you for your interesting read. It sounds familiar to me because of my previous job. I think we have a common understanding in this regard which is nice as well.

There have been enough cases of wide open router/firewall/port configurations around and they have not been fixed with a firmware update or change of configuration leaving the home networks wide open. It is easy then to scan the home network for available devices and security holes to exploit like perhaps logons/passwords of streaming services or even deletion of user data.

Yet, the 8 digit PIN is a discomfort.

Perhaps he also delivered the mail or poured coffee. :rofl:

Do you mean he mopped it up?

Not that it’s an unimportant task.

Everything always has to be nice and clean so the real IT specialists can fully utilize their valuable minds.

Oh Mikey, sorry…:blush:

Poured it on someone’s lap, more likely.

Amusingly, on Roon forums, if someone complains that “I got this fancy stereo, installed Roon on my phone, and now it just says “looking for server” without doing anything; your software is crap” there’s a 90% chance that it is a Rose user :rofl:

Hi Boris

That’s even better. That’s probably how it was, and that was it…:joy: with a kick in the face to the company door.

Well, that’s not bad either…:rofl:

The app on my phone is enough :laughing:, why pay so much money?

“I don’t need a core,” he said, and complained in the Roon forum. Sounds familiar, because I’ve read something similar, or maybe even the same thing.

Maybe Mikey will get back to us and tell us what really happened.

But if he does tell us, he’ll have to be completely honest :laughing:.

Unlike Anatoly, who’s really good at what he does.
Check out some of the ads or videos.

Monkeys are as strong as the Stay Puft Marshmallows, impressed when ANATOLY shows them its limits. :muscle:t2: :+1:t2:

:v:t2:

:rofl:

Good one!

I keep checking my BluOS controller app. I am quite sure that Bluesound and NAD (and Dali etc.) sell their wares in Europe just fine. Nope… still no PIN. And it reindexes my music collection in minutes, too.

Yes, I believe you.

I haven’t had a PIN request (3400) to this day, even though it streams, manages hard drives, and is connected to the network.

Hmm, that’s strange, since it’s a European device.

Last update (May…Qobuz Connect) is still up to date.

:v:t2:

Amazing, isn’t it? I wonder how they do it :rofl:


Hi Boris,

Yes, amazing… I just don’t want any “let sleeping dogs lie”, otherwise I’d write to Lyngdorf and ask why their devices don’t require a PIN. :wink:

:v:t2:
