Hackers Targeting Connected Speakers from Sonos and Bose

This creepy connected speaker hack is the latest IoT security risk

The affected internet-connected models can be discovered by hackers or pranksters using simple internet scanning tools and search engines such as Nmap and Shodan, then remotely accessed to play an audio clip of their choosing, researchers said.

"This site, with no authentication, allows you to see information about the tracks now being played, what music libraries it knows about, what devices have ever connected to it to control it, and down to personal information such as emails associated with specific audio streaming services like Spotify", the report stated.

As well as playing any sound or voice command at will, the speakers also revealed the name of the Wi-Fi network they were connected to, and the owner's Spotify and Pandora username. Only a small fraction of Sonos and Bose speakers are vulnerable, but it's certainly an odd exploit to keep an eye out for. Since home assistants have access to several other internet-connected devices, including door locks, this could pose serious security concerns to people who have turned their place into an internet-connected smart home.

For example, the researchers point out, if there's a voice-controlled smart assistant nearby, an attacker could use their access to the speaker to play audio that triggers voice commands on it.

Trend Micro has notified Sonos and Bose regarding the security vulnerabilities.


The researchers discovered a security vulnerability in a small proportion of speakers made by Bose and Sonos including the Sonos Play:1, Sonos One, and Bose SoundTouch products, according to a report in International Business Times.

The problem, it appears, is down to how straightforward connected speaker companies try to make setting up their devices.

If there's a poorly secured external network connection - such as hosting files accessible over the internet from a network-attached storage device, or running a game server - or a compromised IoT device already connected to that network, that combination could allow the hack. Trend Micro also found that there was an unauthenticated status site page being served by Sonos devices. She resorted to unplugging her speaker; you might just need to ensure that your network is properly protected, with no compromised devices or routers running default admin passwords.

A Sonos representative told Wired in an email that it is looking into the hacking more but stated this specific instance references a misconfiguration of a user's network and impacts a very small number of users. The Sonos flaws, in particular, could have enabled an attacker to gain information about Sonos users as well as potentially enabling limited control of a device to play songs. Did you receive any smart speakers over the past weekend? Another was access to a list of devices as well as shared folders that were on the same network as the test device.

All the same, this small-scale attack on certain speakers is likely to be just the tip of the IoT security iceberg. As such, even though simply getting access to a vulnerable Sonos device might initially seem like a nuisance type of attack, there is the potential that the vulnerable device could become a launching point for a wider, more invasive attack. Moreover, in their eagerness to minimize installation headaches in order to maximize IoT adoption, manufacturers may be inadvertently leaving users' networks at risk.
