Hackers can remotely hijack thousands of Sonos and Bose speakers to play mysterious ghostly sounds
One woman reported her Sonos speaker began playing breaking glass, creaking door and crying baby sounds in the middle of the night.
Trend Micro researchers have discovered some Sonos and Bose speakers can be exploited by hackers and intrusive pranksters
Security researchers have discovered that some models of Sonos and Bose speakers can be remotely hijacked by hackers to play creepy and unnerving ghostly sounds. Researchers at Trend Micro discovered a strange vulnerability that affects a small percentage of speakers by the two firms, including the Sonos Play:1, Sonos One, and Bose SoundTouch systems, Wired first reported.
The affected internet-connected models can be discovered by hackers or pranksters using simple internet scans with tools like Nmap and Shodan, then remotely accessed to play an audio clip of the attacker's choosing, researchers said. Depending on the time of the scan, between 2,000 and 5,000 Sonos devices and about 400 to 500 Bose devices were spotted online and potentially vulnerable to hacking.
"The unfortunate reality is that these devices assume the network they're sitting on is trusted, and we all should know better than that at this point," says Mark Nunnikhoven, a Trend Micro research director. "Anyone can go in and start controlling your speaker sounds," if you have a compromised device, or even just a carelessly configured network.
These impacted devices allowed any device on the same WiFi network to access the APIs used to talk to apps such as Spotify or Pandora and play music without any user authentication. Hackers, however, could potentially target that API and tell the speaker to play an audio file hosted at a specific URL.
The researchers note that the audio attack could even be used to speak commands from someone's Sonos or Bose speaker to a nearby Amazon Echo or Google Home. They went so far as to test the attack on the Sonos One, which has Amazon's Alexa voice assistant integrated into its software. By triggering the speaker to speak commands, they could manipulate it into talking to itself and then executing the commands it had spoken.
"If an attacker finds out what type of music or even an artist the user liked, it may provide an avenue for an attack. For example, the attacker could craft a spear-phishing email leveraging social engineering, or promising tickets to an upcoming gig of the target's favorite artist," Trend Micro said.
Given the elaborate nature of these attacks, researchers said they are unlikely in practice, which makes audio pranks the more likely scenario. One woman reported earlier this year that her Sonos speaker began loudly playing breaking glass, creaking door and crying baby sounds in the middle of the night.
"It was really loud!" the user going by the name "Chryssy" wrote in a Sonos community forum. "It's starting to freak me out and I don't know how to stop it."
Trend Micro has notified Sonos and Bose regarding the security vulnerabilities.
After Trend Micro warned Sonos about its findings, the company pushed out an update to reduce that information leakage. But Bose has yet to respond to Trend Micro's warnings about its security vulnerabilities, and both companies' speakers remain vulnerable to the audio API attack when they are left accessible on the internet. A Sonos spokesperson wrote in response to an inquiry from WIRED that the company is "looking into this more, but what you are referencing is a misconfiguration of a user's network that impacts a very small number of customers that may have exposed their device to a public network. We do not recommend this type of set-up for our customers." Bose has yet to respond to WIRED's request for comment on Trend Micro's research.
Sonos has also issued a patch to fix the issue. Bose has yet to publicly comment on it.
"With the popularity of IoT devices growing every day, it is very important to be knowledgeable of the built-in security of these devices that ultimately could affect the owner and make them a target of an attack," Trend Micro said. "While these devices are never supposed to be exposed on the internet, we have shown that they can and will find their way directly on the internet."
None of this adds up to much of a critical security threat for the average audiophile. But it does mean owners of internet-connected speakers should think twice about opening holes in their network designed to let external visitors reach other servers. And if they do, they should at least keep an ear out for any evil commands their Sonos might be whispering to their Echo after dark.