A major Sonos exploit was explained at Black Hat

Hardware exploits, in a very oversimplified sense, can be broken down into two categories: those you need to worry about, and those you shouldn't. This one firmly sits within the category of exploits that you really shouldn't lose sleep over. But given that it involves Sonos — and since Sonos has rightly been the subject of less-than-positive headlines of late — it's at least worth discussing.

So here's the deal: a presentation by NCC Group's Robert Herrera and Alex Plaskett at the August Black Hat USA 2024 conference in Las Vegas showed how a Sonos One could be exploited to allow an attacker to capture audio in real time off the device, thanks to a kernel vulnerability triggered by a flaw in the Wi-Fi stack. That, obviously, isn't good. The Sonos One was the first speaker from the company to use a microphone to allow for hands-free voice control.

When the Sonos One connects to a router, there's a handshake that happens before you can send wireless traffic, Herrera explained in an interview with Dark Reading. One of the packets exchanged was not properly validated, and that vulnerability is how an attacker could force their way into the device, and from there access the microphones.

“We deploy a method of capturing all the audio data — all the microphone input in the room, in the vicinity of this Sonos device,” Plaskett told Dark Reading ahead of his and Herrera’s presentation. An attacker is then “able to exfiltrate that data and play it back at a later date, and be able to play back all the recorded conversations from the room.”

It’s a real-time thing, though. The attacker couldn’t hear what was said before the exploit was leveraged. “You would need to exploit the Sonos device first to start the capture,” Plaskett said. “And then once you start the capture, you only … have the data from within that period.”

But the proof of concept shown was not easy to implement and not the kind of thing you’d be able to do without actually being near someone’s Sonos One. (Other devices could be at risk, Plaskett and Herrera said, but that was more a function of the Wi-Fi flaw.)

“If an attacker is going to that kind of extent, they could compromise the devices,” Plaskett said. “And I think people have been assuming that these devices may be secure. So being able to kind of quantify the amount of effort and what an attacker would need to actually achieve the compromise is quite an important understanding.”

Perhaps most important is that the exploit was fixed within a couple of months of being reported, with an update to the Sonos S2 system coming in October 2023, and an S1 update about a month later. Sonos publicly acknowledged the remote code execution vulnerability in a bulletin — again, nearly a year after actually patching its own devices — on August 1, 2024. MediaTek — whose Wi-Fi stack was the root problem here — issued its own security advisory in March 2024.

“The security posture of Sonos devices is a good standard. It’s been evolving over time,” Plaskett said. “Every vendor has vulnerabilities, and basically, it’s about how you respond to those vulnerabilities. How you patch those vulnerabilities. Sonos fixed these vulnerabilities within two months. … Yeah, it’s a good patching process, I’d say.”