An odd Sonos and Bose glitch could allow hackers to remotely play audio through their speakers, or even trigger smart home commands. The security loophole – a fairly unusual combination of network settings and connected speaker architecture intended to make configuration easier – is the latest illustration of how fairly innocuous decisions around the Internet of Things can have unforeseen consequences.
The issue was identified by researchers at security firm Trend Micro, investigating the network configuration of select models from Sonos and Bose. At fault, they explain to Wired, is a tendency of those connected speakers to over-trust whatever is on the user’s network, and a certain network configuration which may have been established for other internet services to work correctly.
The speakers in question – which include the Sonos PLAY:1, Sonos One with Alexa, and the Bose SoundTouch range – can be identified remotely as being vulnerable to the hack. If a potential victim is spotted, hackers can use an insufficiently secured API the speakers provide to play an audio file of their choosing. That could be as innocuous – but creepy – as ominous voices or wailing ghosts, or have more nefarious intent.
For example, the researchers point out, if there’s a smart speaker nearby, they could use their access to trigger commands. Considering an Amazon Echo or Google Home might have been granted access to the owner’s lights, connected locks, or online shopping accounts, the potential for pranks gets a whole lot more serious. With the Sonos One, which has Alexa onboard and will gain Google Assistant support in the new year, the researchers were even able to trigger Amazon’s agent by issuing audio files to the speaker itself, effectively making the device talk to itself.
According to Trend Micro, only a minority of speakers are actually impacted, since they depend on a combination of factors to be vulnerable. However, in their scans, they saw anything up to 5,000 Sonos speakers that could be used, and up to 500 Bose speakers, depending on what time they scanned. In addition to playing audio through them, the hackers were also able to extract details like Spotify and Pandora account usernames and emails, WiFi network names, and more.
The problem, it appears, is down to how straightforward connected speaker companies try to make setting up their devices. The affected Sonos and Bose speakers effectively broadcast their availability across the home network they’re connected to, allowing other devices access to their streaming APIs and more without requiring authentication first. That makes it easy to connect your new smartphone running the Sonos or Bose app to your existing speakers, but it also presents a security risk that could be exploited.
If there’s a poorly secured external network connection – such as hosting files accessible over the internet from a network-attached storage device, or running a game server – or a compromised IoT device already connected to that network, that combination could allow the hack. “The unfortunate reality is that these devices assume the network they’re sitting on is trusted,” Trend Micro researcher Mark Nunnikhoven told Wired, “and we all should know better than that at this point.”
Only a small percentage of the overall install base of Sonos and Bose connected speakers are likely to fall into this particular Venn diagram of compromised security. Sonos has already pushed out firmware updates which minimize what personal information the researchers were able to extract, too. It’s also looking into the network configuration side of the exploit, though it pointed out to Wired that it would be considered “a misconfiguration of a user’s network that impacts a very small number of customers that may have exposed their device to a public network” and that it would not recommend such a configuration.
Trend Micro, meanwhile, recommends going through your router settings to make sure anything that is giving access to devices or files on the network is either turned off or locked down. Of course, your router’s admin pages shouldn’t be using the default password, and it – and anything connected to it, like a smart speaker – should be running the most recent firmware for maximum protection. Sites like WhatsMyIP can flag any open ports you might want to address.
All the same, this microcosm attack on certain speakers is likely to just be the tip of the IoT security iceberg. As more and more devices, from a broad range of different manufacturers, all begin to not only proliferate on users’ networks but attempt to interact, the potential for loopholes that hackers could exploit rises significantly. Moreover, in their eagerness to minimize installation headaches in order to maximize IoT adoption, manufacturers may be inadvertently leaving users’ networks at risk.