Because Sonos wouldn't update the SMB stack for years I don't trust them re: other security issues. It simply doesn't seem to be a priority over there. I'd rather incur the 1-2W cost of a "disposable" spinner hanging off an AP than expose my song collection to them, especially since every Sonos component tries to connect to the mothership hundreds of times per day (even though metrics have been turned off). The Plex workaround does offer one major benefit, i.e. the ability to host song collections with more than 50k files or whatever the Sonos native SMB limit is.
To me, the company has gone through three major transitions re: software development:
- NAS-centric enjoyment of music (i.e. early years)
- Streaming of music (until about 2015-16)
- Voice-activated everything (present day)
Every time the company started chasing a new shiny object, anything related to the previous focus withered. Hence, no SMB2+ implementation despite users asking for it for years, Sonos getting a lot of flak in the press re: this issue, etc. I also contend that management was blindsided by the emergence of Echo, Alexa, Siri, etc. enabled smart speakers and is now scrambling to keep up. The big three (Google, Apple, Amazon) could afford to flood the market with cheap speakers, leverage the data center AI, muscling Sonos out of the niche it used to dominate.
Based on what I've seen come from the company, I suspect that Sonos management is setting the place up for a sale to one of the big three. Hence the latest trade-up / bricking program, whose biggest benefit is increasing the number of Sonos users who have voice-activated kit in their home. More voice-connected users = more value to one of the big three seeking market share. However, the user backlash seems to have chastened management somewhat and now they pledge to support "legacy" devices alongside newer gear. This is a significant departure from the "one firmware for all" devices that Sonos used to strictly enforce.
As I understand it, a whole host of Sonos devices will be declared "legacy" (Zone player 80, 90, connect: AMP, CR200, etc.), brought to a certain firmware but no further and may even receive future security updates on occasion. However, functional issues (such as new streaming services) will not be addressed for legacy devices. Basically, Sonos is adopting the Apple system of allowing older iPhones and other devices to continue to work alongside newer stuff, relying on functional obsolescence to force upgrades (elimination of 2G phone services, et al.).
Despite DNS-black-holing and port-blocking my Sonos gear for months re: Sonos.com and its sub-domains, I have had no issues with listening to live radio and podcasts. This is my workaround re: the firmware issue though I am one flash failure away from having to update the firmware site-wide and losing the CR100s in the process.
I'm also not trying to put Bluesound on a pedestal, BTW. Because they are a much smaller company, the software side doesn't seem to be as polished as Sonos - App reviewers in the iOS store complain about the controller being unstable. Unlike Sonos, there is no third-party controller like Sonophone (which has worked great for me, does not require me to update the zone player firmware like the official Sonos App does, etc.).
However, one can download the current Bluesound component firmware, store it on a stick / HDD / whatever and upload it into the Bluesound gear via the external USB port whenever one wants / needs to (updates via internet are also possible). As I understand it, setting up Bluesound gear is independent of the company being a going concern or not. Without an internet connection to the Sonos mothership, it is not possible to set up a Sonos system, add a component, or even perform a firmware update. Until recently, you also had no choice re: firmware - only the latest was allowed and no backsliding.
This is also how Sonos enforces the bricking process on its latest "recycle to upgrade" scheme - the user contacts the mothership, which then remotely bricks their component, followed by the component being blacklisted at Sonos. Thus, even if you were able to locally un-brick the component (say, by copying the flash via JTAG from one unit to another), you'd never be able to re-register the component at Sonos and hence the component is permanently disabled. At least this time the company gave its user base a better heads-up and made a minimum effort to prevent unauthorized users from bricking components. There still is way too much opportunity for abuse, however.
The Sonos mothership can, and has, mass-bricked functional Sonos components via poorly-documented firmware "updates" in the past (8.5 vs. the CR100). While some users got notice in advance that firmware 8.5 would brick their CR100s, many did not (see the forums). The fact that Sonos has zero authorization built into their update process (any user on the network can initiate a site-wide update), that up-to-date Sonos apps refuse to work with older firmwares, etc. led to users either hardening their installations (to prevent their gear from contacting Sonos or its sub-domains) or acquiescing to having their CR100s bricked. That simply stinks.
I will live with my Sonos gear until it peters out - but only because I have blocked it from contacting Sonos. My CR100s feature new batteries and simply soldier on. After that, we'll see... I may even roll my own with a Pi and a small amp.