AV Receivers and Integrated App Warning!

I’m not crazy. I’m not screaming the sky is falling. But I am sure of one thing: current AV Theater Receiver manufacturers are irresponsible to the IoT of products. Read on, and I explain why.

You let your friend, family or neighbor on your home wifi to access email or show you something from their FB or other account. Innocent enough. But months later, that same neighbor is going for a walk, and wants to listen to their Spotify. Launching the app on their phone, they see “Onkyo434b51…” and press that. Well, they hear nothing on their phone (duh! says I). But they can hear their music nearby. It’s coming from, you guessed it, YOUR AV amp and it’s blaring country!
Well this neighbor was nice enough to call me and tell me the news. I go outside and sure enough, music is playing in my garage, where I have an Onkyo TX-NR656 receiver for playing my iTunes or future ATV and display (watch YouTube while making/repairing car…).
I can find nothing in the Onkyo PDF or manual to disable Spotify. I can unplug the power is all, for now. My neighbor comes over and laughs, “well, aren’t you glad it’s not 2am and I’m drunk, playing sad cowboy music?” Yes, I tell him. And now I worry. He was on LTE, not on my wifi. And my receiver is plugged into my LAN, not using wireless. So how did this happen?
Looking back, at one point, I think he was on my wifi as we could see it (he was a yard away) and couldn’t reach his network.
“Like a good neighbor, wifi is there!”
IIRC, I put my info in his phone to connect and allow him to put up stuff for all to watch. Well, that was last summer. I have since changed the wifi pwd. I don’t know how he connected.
Then I googled it and read that “once you use Spotify Connect to use a device it runs on, it remains in your Spotify account to connect to. Echo dot, AV receiver, Speaker w/Spotify built in, phone, tablet.” So somehow, it had the cable modem IP or MAC address and could connect from LTE to internet to my amp!
I searched for how to block it but found that others, as far back as 4 years ago, were having the same issue without resolution. Some suggested unplugging the LAN (most connected for updating) but I needed it for internet radio, iTunes (remote and songs on home Mac) and Bluetooth for immediate audio from my iPhone.
A solution!
Well, this was luck. Searching Google with the obvious didn’t turn up a solution. But wording the search as “block Spotify connect tcp udp ports” resulted in a GitHub page. The page itself didn’t list this. The search result did, however, and the ports you want to block TCP/UDP in and out are 57621 and 57622. There is a port 4070 mentioned, but I think that is the app (and it may also find 443 to get out). But that might be for Spotify users and not the Spotify Connect of the appliance set.
Also, I was able to turn off the NET feature (default on) of the Onkyo to disable internet power on when the receiver is in STANDBY mode. The caveat here is that I can’t just see the Onkyo from my home iTunes, and start playing. I need to actually turn the receiver on “physically” and then I can send music from my iTunes. (I really wish that Apple didn’t discontinue the AirPort Express so I could use that as I always did, or that they had a way for HomePod to stream to a device.) I could use an Apple TV but I need an HDMI cable(s) and display to do that. Optical out would suffice for audio. Saving this for Part 2.
No Port in a Spotify storm
I blocked those ports in my router (Orbi by Netgear…you can log in with a browser and use the Advanced Security settings for ports). I selected ALL devices to test, but later will get the IP manually set for the receiver and only block that.
I had my neighbor over, and he could not see the device (and it was on). Success.
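
The per-device version of that block, as an added example (not from the original post): a dry-run generator that prints one DROP rule per port, protocol and direction for a single receiver address. It assumes a Linux-based router that uses iptables rather than the Orbi web interface, and 192.168.1.50 is a constructed sample address.

```shell
#!/bin/sh
# Added example: print (dry run) iptables rules that block the two ports
# named in the post for ONE device instead of for every device on the LAN.
# Assumptions: Linux-based router with iptables; 192.168.1.50 is a
# constructed sample address for the receiver.

SPOTIFY_PORTS="57621 57622"   # ports given in the post
PROTOCOLS="tcp udp"           # the post blocks both protocols

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                 # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the rules for the given device. Nothing is applied here: review the
# output first, then run it as root on the router.
spotify_block_rules() {
    device_ip=$1
    if ! is_ipv4 "$device_ip"; then
        echo "usage: spotify_block_rules <receiver IPv4 address>" >&2
        return 2
    fi
    for port in $SPOTIFY_PORTS; do
        for proto in $PROTOCOLS; do
            # "out": traffic the receiver sends through the router
            echo "iptables -I FORWARD -s $device_ip -p $proto --dport $port -j DROP"
            # "in": traffic routed towards the receiver
            echo "iptables -I FORWARD -d $device_ip -p $proto --dport $port -j DROP"
        done
    done
}

# Stand-alone run with the constructed sample address.
spotify_block_rules 192.168.1.50
```

The FORWARD chain only sees traffic routed between the LAN and the internet, so devices on the same LAN segment still reach the receiver directly. Give the receiver a fixed address (a DHCP reservation or static IP) first, or the rules stop matching when its lease changes.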

So I came to the conclusion, per the documents I had, that there is NO way to turn off Spotify Connect in the Onkyo Receiver. It also has Pandora, along with Google Chromecast and possibly another. I tried to contact Onkyo, as this could be done with a firmware patch to allow “enable/disable” of any of the internet apps. Ironically, it allows a password feature for AirPlay! And Spotify’s only solution I could find was to get the user to reset their account of devices (not happening) or sign up for Spotify (DING! Pay? No!) Premium and take over the device (like a Block the Squatterfy!)
While I don’t understand how Spotify Connect works, I can see that someone could hack the service and get into ANY Spotify Connect device not associated with a premium account user. AV Receiver makers, wake up. IoT is here…and I can hear the lawsuits.