Sonos and Bose smart speakers

Similar vulnerabilities affect some Sonos and Bose smart speakers that allow hackers to take over devices, collect data on users, and even make devices to play desired audio tracks.

The vulnerabilities can be exploited by attackers looking for an entry point into corporate networks, but also to play pranks on unsuspecting users.

Discovered by Stephen Hill, Senier Threat Researcher at Trend Micro, the flaws are detailed in depth in 47-page report the company released earlier today.

The flaws were confirmed in Sonos Play:1 and Bose SoundTouch smart speakers, but more models could be affected. Trend Micro notified both companies. Sonos rolled out a patch, while Bose has yet to respond to researchers.

Some Sonos speakers expose status page

In the case of Sonos devices, the issue appears to be a configuration page that's easily accessible without any kind of authentication and provides access to core device functions.

This page is accessible at the "http://[device_IP]:1400/status" URL and allows attackers the ability to collect information on the user, his device, his local network, and even trick the device into playing audio files hosted at remote URLs.

All Sonos devices left exposed online allow nosey intruders easy access to this status page and all its functions, so the best advice would be to not leave your Sonos speaker connected online, but only accessible in your local network.

There are various ways in which attackers can exploit this exposed control panel. For starters, attackers use the information disclosed by these devices to gather information on the local WiFi network and nearby devices. This could allow attackers to deliver exploits or phishing attacks that escalate access to other networked equipment, even if not directly connected to the Internet

More, attackers can collect data on the user's music preferences and use this information to fine-tune phishing attacks.

Currently, the only ones that appear to be exploiting this status page are pranksters, according to two customers who complained on the Sonos forum. Customers reported Sonos devices playing ghostly sounds and explosion effects, albeit it's unclear if the devices have been exploited remotely, or friends pranked the device owner from the local network.

Bose devices have similar flaw

For Bose devices, the flaw Trend Micro reported is of a similar nature, in the form of a similar status page and API that allow attackers to gather similar information on device owners.

The issues in the devices of both vendors appear to be just an overlooked design flaw, as both could be easily hidden behind a login panel and prevent attackers from having direct access to these functions, even when the device needs to be left online for legitimate reasons. But in many cases, such devices should not be left online.

Most people seem to have understood this issue, as there's a very small number of Sonos and Bose devices connected online. Currently, the number is around 4,000-5,000 Sonos speakers and around 500 Bose speakers.

Hill also recorded a video describing the flaws he found in the two products. The video is embedded below.