Prank warning: You do know your smart speaker's paired with Spotify over the internet, don't you?

I can't stop people playing music at me, says Reg reader

Got Tips? 72 Reg comments
Spotify

If you let your mates pair their Spotify accounts with your smart speakers, beware – the connection persists across the internet, not just across your home Wi-Fi network, as some assumed.

Spotify's Connect support page tells users to ensure that the two devices are on "the same Wi-Fi network", but as users discovered as far back as 2016, that isn't strictly necessary.

Reg reader Peter recently found that he was unable to remove Spotify Connect's access to his Marantz media player, prompting a journey of discovery for him.

"If you give your Wi-Fi password to a guest and they connect to one of your devices they can continue to control the devices when no longer on the LAN. They can remotely wake the devices up and play music," he told us, adding: "At no point does any authorisation the user is in control of happen, and there's no way to revoke it."

He also showed us a video he had made of the problem in action. Using a mobile phone on his domestic Wi-Fi, he connected to his speaker and played music over it. Having done that, he then turned off the phone's Wi-Fi, forcing it onto the local mobile network – and flawlessly streamed music to the speaker.

"The bizarre part is why does Spotify provide a feature to play music on devices you control over the internet?" asked Peter, who had, seemingly wrongly, assumed that the pairing was taking place across the local network that both his device and the speaker were on.

"The equivalent would be someone taking control of my Nest heating and me not be able to stop it," he said.

Spotify declined to make an on-the-record statement when we asked about this unusual behaviour. A spokesman, however, did explain that that users can unlink their Spotify accounts from what he described as a "partner service", such as Sonos's online management portal. This unlinking can be done from the Spotify user account area, we are told.

Spotify did not answer when we put Peter's specific scenario to its spokesperson. Peter was adamant that if he didn't have access to the device streaming to the speaker, there was nothing he could do to prevent it.

There's an old proverb about assumptions. Nonetheless, the design of the Spotify pairing process does seem a little counter-intuitive. ®

Sponsored: How to simplify data protection on Amazon Web Services

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020