First reported by Wired, the exploit targets several well-known models of internet-connected speakers, including the Bose SoundTouch, the Sonos Play:1, and the newly released Sonos One. The affected models can be discovered by hackers using simple scanning tools and are easy to break into if their owners leave their home Wi-Fi misconfigured.
Once a hacker discovers the speaker, they can make it play an audio file hosted at any URL, be it Rick Astley’s “Never Gonna Give You Up” or those inappropriate things Amazon Alexa likes telling little children. It appears one user’s speaker started playing breaking glass and crying baby sounds in the middle of the night.
Hackers could also potentially take control of smart speakers like Amazon Echo or Google Home. It’s possible, though unlikely, that a compromised Sonos speaker could give spoken commands to nearby personal assistants like Alexa or Siri. For example, the speaker could tell Amazon’s Alexa to open a smart garage door. Again, this is theoretical, but it could have major consequences.
The good news is that only a small percentage of these devices are vulnerable. Trend Micro found between 2,500 and 5,000 Sonos speakers and around 500 Bose speakers to be vulnerable to the audio attack.
“The unfortunate reality is that these devices assume the network they’re sitting on is trusted, and we all should know better than that at this point,” Mark Nunnikhoven, a researcher at Trend Micro, told Wired. “Anyone can go in and start controlling your speaker sounds.”
Sonos pushed out an update to fix some of the problems, but when approached by Wired, it said it would be “looking into this more.”
“What you are referencing is a misconfiguration of a user’s network that impacts a very small number of customers that may have exposed their device to a public network,” Sonos told Wired. “We do not recommend this type of set-up for our customers.”
The vulnerability affecting these devices is certainly unnerving, but it isn’t a critical threat—and it only applies to a handful of devices. Still, if you own a Sonos or Bose speaker, you may want to check your router settings or start looking for a good Bluetooth speaker.