Hardware exploits, in a very oversimplified sense, can be broken down into two categories: those you should care about, and those you shouldn't. And this one firmly sits in the category of exploits that you really need not lose sleep over. But given that it involves Sonos — and because Sonos has rightly been the subject of less-than-positive headlines of late — it's at least worth discussing.

So here's the deal: A presentation by NCC Group's Robert Herrera and Alex Plaskett at the August Black Hat USA 2024 conference in Las Vegas showed how a Sonos One could be exploited to allow an attacker to capture audio in real time off the device, thanks to a kernel vulnerability caused by a flaw in the Wi-Fi stack. That, obviously, is not good. The Sonos One was the first speaker from the company to use a microphone to allow for hands-free voice control.

When the Sonos One connects to a router, there's a handshake that happens before you can send wireless traffic, Herrera explained in an interview with Dark Reading. One of the packets exchanged was not properly validated, and that vulnerability is how an attacker could force their way into the device, and from there access the microphones.

“We deploy a method of capturing all the audio data — all the microphone input in the room, in the vicinity of this Sonos device,” Plaskett told Dark Reading ahead of his and Herrera's presentation. An attacker is then “able to exfiltrate that data and play it back at a later date, and be able to play back all the recorded conversation from the room.”

It's a real-time thing, though. The attacker couldn't hear what was said before the exploit was leveraged. “You would need to exploit the Sonos device first to start the capture,” Plaskett said. “And then once you start the capture, you only … have the data from within that period.”

But the proof of concept shown was not easy to implement and not the sort of thing you'd be able to do without actually being near someone's Sonos One. (Other devices could be at risk, Plaskett and Herrera said, but that was more a function of the Wi-Fi flaw.)

“If an attacker goes to that kind of extent, they could compromise the devices,” Plaskett said. “And I think people have been assuming that these devices may be unattackable. So being able to kind of quantify the amount of effort and what an attacker would need to actually achieve the compromise is quite an important understanding.”

Perhaps most important is that the exploit was fixed within a couple of months of being reported, with an update to the Sonos S2 system coming in October 2023, and an S1 update about a month later. Sonos publicly acknowledged the remote code execution vulnerability in a bulletin — again, nearly a year after actually patching its own devices — on August 1, 2024. MediaTek — whose Wi-Fi stack was the root problem here — issued its own security advisory in March 2024.

“The security strength of Sonos devices is a good standard. It's been evolving over time,” Plaskett said. “Every vendor has vulnerabilities, and fundamentally, it's about how you react to those vulnerabilities. How you patch those vulnerabilities. Sonos fixed these vulnerabilities within two months. … Yeah, it's a good patching process, I would say.”