Researchers at Trend Micro discovered vulnerabilities in Sonos and Bose smart speakers. They potentially allow hackers to conduct a wide range of malicious actions, from penetrating local networks to playing scary sounds and tracks users don’t like. The detailed description of the problem, prepared by Stephen Hill, Senior Threat Researcher at Trend Micro, runs to 47 pages. In a nutshell, it’s very simple: the devices' online configuration pages are not protected by any kind of authentication. Therefore, anyone, including criminals, can access them, which opens a wide range of possibilities for them.
For example, hackers can obtain information about users, their local networks and the devices connected to them. Later, this allows them to widen the attack by infecting devices with various malware. In addition, knowing the user's music preferences can be useful when organizing targeted phishing attacks. Finally, it is very easy to make smart speakers play something other than what the owner wants. Such cases have already been recorded: at least two people on the Sonos user forum complained that their speakers played ghostly sounds and explosion effects.
The problem could have been easily avoided if the developers had protected access to the settings pages with an authentication panel. Experts also recommend connecting smart speakers only to the local network and not the Internet. The vulnerabilities were discovered in the Sonos Play:1 and Bose SoundTouch models; however, they could affect other speaker models as well. Both manufacturers were notified about the problems, and Sonos has already released a security update.