Sonos and Bose speakers assume that any device on the same network segment can be trusted to send them audio without any further authentication; if these speakers sit on a network whose owner has opened a hole in their firewall (to run a game server, say, or because another device on the network has been compromised), anyone on the internet can send data to them.
This is a pretty minor vulnerability on its face, but it's easy to imagine how it might be leveraged for more intense attacks, for example to command voice-control systems like Alexa, which can effect significant changes in your home, including unlocking your front door.
Sonos partially mitigated the vulnerability when security researchers from Trend Micro revealed it to them. Bose did not. Sonos dismisses the error as "a misconfiguration of a user’s network that impacts a very small number of customers."
After Trend Micro warned Sonos about its findings, the company pushed out an update to reduce that information leakage. But Bose has yet to respond to Trend Micro's warnings about its security vulnerabilities, and both companies' speakers remain vulnerable to the audio API attack when their speakers are left accessible on the internet. A Sonos spokesperson wrote in response to an inquiry from WIRED that the company is "looking into this more, but what you are referencing is a misconfiguration of a user’s network that impacts a very small number of customers that may have exposed their device to a public network. We do not recommend this type of set-up for our customers." Bose has yet to respond to WIRED's request for comment on Trend Micro's research.
None of this adds up to much of a critical security threat for the average audiophile. But it does mean owners of internet-connected speakers should think twice about opening holes in their network designed to let external visitors into other servers. And if they do, they should at least keep an ear out for any evil commands their Sonos might be whispering to their Echo after dark.
The Need for Better Built-in Security in IoT Devices [Stephen Hill/Trend Micro]
Hackers Can Rickroll Thousands of Sonos and Bose Speakers Over the Internet [Andy Greenberg/Wired]