Sonos and Bose smart speakers left exposed

It is often the case that the less reputable brands of smart devices can be expected to have lax security, and conversely that we collectively expect the more established makers to have their act together. Unfortunately the major brands can, and do, slip up. A common refrain in the cyber security industry is that ‘Security is hard’. 

It has been my experience that companies that live and die by the success of their smart products have a greater focus on security and privacy than those whose primary business lies elsewhere. Sonos would qualify in that group, and it is sad to see them drop the ball in the obvious way that Trend Micro researchers found just before the new year.

Essentially, a range of Sonos devices were discovered to have a web server open which offered not only the ability to control the speakers playback, but exposed a wealth of information about the host network, devices and even music service account information. 

Bose has a smart speaker product which was found very similarly exposed. While still of equal concern, I’m less surprised by this given that Bose is not a smart device company, and thus is less likely to be up with device security practices.

With more Sonos devices exposed, and being a more popular smart speaker brand, the focus of the research was centered there. The nature of the exposure is curious, as it’s not inherently vulnerable on a properly configured network. The vulnerability is simply the unsecured web server running on the devices. The curious part is why several thousand of these devices are exposed to the public internet in the first place. 

Image: Trend Micro

Image: Trend Micro

Once the published ports were known, the researchers used the Shodan search engine to find any exposed devices and correlated the results in the above graph. For those devices exposed to the internet the issues can be summarized into three key groups:

Information Leakage

Both Sonos and Bose speakers exposed information about the devices used to connect to them, SSIDs of nearby WiFi access points, and email addresses associated with music services configured on the speakers. The Bose speaker was somewhat less permissive in this regard, only providing SSIDs of wifi that it had used. The Sonos helpfully offered up all access points in range, along with their channel, bssid, and signal strength. The Trend researchers demonstrated how the bssid can be used to locate the access point, and mapped the captured data on Google Maps to provide a likely location of the Sonos device. Conversely, the Bose device provided not only music service email address, but account name as well. 

The Sonos web interface actually offers a wide range of useful pages, including a helpful network troubleshooting toolset. Having this available via an externally accessible web interface is problematic, as it provides an easy means for a potential attacker to probe and map the devices on your local network. This would, in turn, provide a list of other potentiall targets which known exploits could be attempted against.

 Denial of Service Attack

Both brands devices offer an web api that allows for control of playback remotely. A hex encoded command string can be sent via the web interface to, for example, skip to the next track in the current list. The researchers found that by inserting non-ASCII characters into the command string, the Sonos devices could be reliably made to crash. An attacker repeatedly sending such a command would render the device unusable.

Trend Micro used a python script to send API commands

Trend Micro used a python script to send API commands

Trolling Attack

The web api also allows for playback of arbitrary sound files. It was found that the speakers could be directed to the URL of a sound file for playback. This can be abused by playing, seemingly randomly, irritating or offensive sounds. There is some evidence of this being used in the wild, as a Sonos customer post on their support forums claims to have experienced ‘spooky’ sounds playing unexpectedly from their device. 

This features could also be exploited against personal assistants, and the researchers demonstrated that playback of a recorded Alexa command successfully triggered a nearby Echo device. 

The Good

Sonos has responded promptly to the notification of these issues, and has already deployed patches to reduce the information leakage. The number of pages available through the web interface has been significantly reduced, and music service information has been obfuscated. The Denial of Service vulnerability has also been resolved.  

The Bad

Bose has not been so responsive. Nothing has been heard from Bose regarding these issues as yet. 

The question remains, for me, as to how thousands of home smart speakers came to be exposed to the internet in the first place. I can only assume poorly configured home routers, or perhaps people attempting to set up remote access to devices for their own convenience. The real onus, however, is on device makers to ensure that interfaces intended only for use on the local network cannot be abused over the internet.