Did Santa deliver you a Sonos or Bose smart speaker? Better check hackers have not compromised it
The security of IoT devices is once again being questioned, after researchers spotted a vulnerability in certain Sonos and Bose speakers.
According to Trend Micro, the flaw could even allow hackers who scan the internet for the vulnerable devices to play sounds or music on them remotely.
Sonos has reportedly reacted quickly and patched the offending systems, but Bose has yet to respond, says Trend Micro.
The Bose and Sonos models affected include the Sonos Play:1, the newer Sonos One, and Bose SoundTouch systems.
In a blog post, the researchers revealed that they had found between 2,000 and 5,000 impacted Sonos systems and fewer than 500 Bose speakers, a small fraction of the total number of these devices sold.
However, hackers can pinpoint these devices using simple internet scans, then access them remotely and command them with straightforward tricks to play any audio file the attacker chooses.
Some Sonos users, for example, have previously reported on forums that their speakers were playing unexpected sounds, such as a door opening, a baby crying, or glass breaking.
“The unfortunate reality is that these devices assume the network they’re sitting on is trusted, and we all should know better than that at this point,” Mark Nunnikhoven, a Trend Micro research director, told Wired. “Anyone can go in and start controlling your speaker sounds,” if you have a compromised device, or even just a carelessly configured network.
It seems the Trend Micro researchers were able to utilise scanning tools like Nmap and Shodan to spot the exposed speakers. The researchers discovered that the vulnerable models allow any device on the same network to access the APIs they use to interface with apps like Spotify or Pandora without any sort of authentication.
Thus if a hacker were able to gain access to a person’s network, they could simply ask the speakers to play an audio file hosted at any URL they chose, and the speakers would obey.
Although the hack sounds like it would be used mostly for pranks, the implications are potentially more serious, as the researchers found they could use the vulnerable speaker to issue commands to voice assistant devices such as Amazon Echo or Google Home, which often control smart home features such as door locks or lighting.
The discovery of the flaw comes amid a wider debate about the security of IoT connected devices.
In the autumn, a Vodafone survey downplayed fears about IoT security, claiming just seven percent of organisations with 10,000 or more connected things are concerned about such threats.
Meanwhile, the United States Senate has introduced a bill to create a set of minimum security standards for a range of Internet of Things (IoT) devices purchased by the US government.
In 2016 the security threat posed by IoT was starkly illustrated when researchers at security firm Sucuri uncovered an unusual botnet made up entirely of Internet-connected CCTV cameras.
That incident recalled a similar case in 2015 when a security firm found a botnet made up of 900 CCTV cameras was launching an attack on an unnamed cloud services provider.