Sonos and Bose speakers can be remotely taken over by hackers

Cory Doctorow 8:34 am Wed Dec 27, 2017

Sonos and Bose speakers assume that any device on the same network segment can be trusted to send them audio without any further authentication; if these speakers are on a network whose owner has opened a hole in their firewalls (to run a game-server, say, or because another device on the network has been compromised), they can have data sent to them by anyone on the internet.

This is a pretty minor vulnerability on its face, but it's easy to imagine how it might be leveraged for more intense attacks, for example to command voice-control systems like Alexa, which can effect significant changes in your home, including unlocking your front door.

Sonos partially mitigated the vulnerability when security researchers from Trend Micro revealed it to them. Bose did not. Sonos dismisses the error as "a misconfiguration of a user's network that impacts a very small number of customers."

After Trend Micro warned Sonos about its findings, the company pushed out an update to reduce that information leakage. But Bose has yet to respond to Trend Micro's warnings about its security vulnerabilities, and both companies' speakers remain vulnerable to the audio API attack when their speakers are left accessible on the internet. A Sonos spokesperson wrote in response to an inquiry from WIRED that the company is "looking into this more, but what you are referencing is a misconfiguration of a user's network that impacts a very small number of customers that may have exposed their device to a public network. We do not recommend this type of set-up for our customers." Bose has yet responded to WIRED's request for comment on Trend Micro's research.

None of this adds up to much of a critical security threat for the average audiophile. But it does mean owners of internet-connected speakers should think twice about opening holes in their network designed to let external visitors into other servers. And if they do, they should at least keep an ear out for any evil commands their Sonos might be whispering to their Echo after dark.

The Need for Better Built-in Security in IoT Devices
[Stephen Hill/Trend Micro]

Hackers Can Rickroll Thousands of Sonos and Bose Speakers Over the Internet [Andy Greenberg/Wired]

This sci-fi author had a secret life as psychological warfare mastermind

A celebrated science fiction author who spun wild tales of subversive cat women and psychic sex parties led a shocking double life — as the military mastermind behind America's psychological… READ THE REST
New York City's AI chatbot advises businesses to steal tips from workers

In October, New York City set up a chatbot that uses the wondrous, labor-saving power of Artificial Intelligence to provide information to business owners in the city. But the Microsoft-powered… READ THE REST
Fitness guru Richard Simmons: "I have a gift for you"

Fitness guru Richard Simmons just took to his Facebook page to post an absolutely mind-blowing song he recorded with Chris and Kathy Phillips. He explains: I have a gift for you. I… READ THE REST
Save $169 on a lifetime license to Microsoft Windows 11 Pro and never look back

TL;DR: Revamp your digital world with this incredible lifetime license to Microsoft Windows 11 Pro, with its seamless interface and top-notch security, for only $29.97 (Reg. $199) until 11:59 PM on 1/07.… READ THE REST
Upgrade your tech for the new year with this refurbished iPad Pro, less than half price right now

TL;DR: Save over $350 on a refurbished Apple iPad Pro 10.5" 256GB, plus a free accessories bundle, with this sweet deal on sale for just $315.99 right now. Tech fans, it's time… READ THE REST
Make your rockstar dreams a reality for only $15.97 with this Guitar Lessons Training Bundle

TL;DR: The perfect last-minute holiday gift for an aspiring rocker, the 2024 Guitar Lessons Training Bundle is only $15.97 (Reg. $480) until 11:59 PM on 12/25. It's really never too late to make… READ THE REST