Skip to main content

A major Sonos exploit was explained at Black Hat — but you needn’t worry

A Sonos One speaker sitting on an outdoor table.
This aging Sonos One looks like it's seen a thing or two — but it's also continued to see security updates. Phil Nickinson / Digital Trends

Hardware exploits, in a very oversimplified sense, can be broken down into two categories: Those you should care about, and those you shouldn’t. And this one firmly sits in the category of exploits that you really need not lose sleep over. But given that it involves Sonos — and because Sonos has rightly been the subject of less-than-positive headlines of late — it’s at least worth discussing.

So here’s the deal: A presentation by NCC Group’s Robert Herrera and Alex Plaskett at the August Black Hat USA 2024 conference in Las Vegas showed how a Sonos One could be exploited to allow an attacker to capture audio in real time off the device, thanks to a kernel vulnerability initiated by a flaw in the Wi-Fi stack. That, obviously, is not good. The Sonos One was the first speaker from the company to use a microphone to allow for hands-free voice control.

Recommended Videos

When the Sonos One connects to a router, there’s a handshake that happens before you can send wireless traffic, Herrera explained in an interview with Dark Reading. One of the packets exchanged was not properly validated, and that vulnerability is how an attacker could force their way into the device, and from there access the microphones.

Please enable Javascript to view this content

“We deploy a method of capturing all the audio data — all the microphone input in the room, in the vicinity of this Sonos device,” Plaskett told Dark Reading ahead of his and Herrera’s presentation. An attacker is then “able to exfiltrate that data and play it back at a later date, and be able to play back all the recorded conversations from the room.”

It’s a real-time thing, though. The attacker couldn’t hear what was said before the exploit was leveraged. “You would need to exploit the Sonos device first to start the capture,” Plasket said. “And then once you start the capture, you only … have the data from within that period.”

But the proof of concept shown was not easy to implement and not the sort of thing you’d be able to do without actually being nearby someone’s Sonos One. (Other devices could be at risk, Plaskett and Herrera said, but that was more a function of the Wi-Fi flaw.)

“If an attacker goes to that kind of extent, they could compromise the devices,” Plaskett said. “And I think people have been assuming that these devices may be secure. So being able to kind of quantify the amount of effort and what an attacker would need to actually achieve the compromise is quite an important understanding.”

Perhaps most important is that the exploit was fixed within a couple months of being reported, with an update to the Sonos S2 system coming in October 2023, and an S1 update about a month later. Sonos publicly acknowledged the remote code execution vulnerability in a bulletin — again, nearly a year after actually patching its own devices — on August 1, 2024. MediaTek — whose Wi-Fi stack was the root problem here — issued its own security advisory in March 2024.

“The security posture of Sonos devices is a good standard. It’s been evolving over time,” Plaskett said. “Every vendor has vulnerabilities, and basically, it’s about how you respond to those vulnerabilities. How you patch those vulnerabilities. Sonos fixed these vulnerabilities within two months. … Yeah, it’s a good patching process, I would say.”

Phil Nickinson
Former Digital Trends Contributor
Phil spent the 2000s making newspapers with the Pensacola (Fla.) News Journal, the 2010s with Android Central and then the…
What is Sonos? What you need to know about the wireless music system
Sonos Roadm in three colors.

When you think about wireless music, one name comes to mind. Sonos. And unless you’re a diehard analog music fan who shuns anything digital, you’ve likely encountered the Sonos brand. It effectively pioneered and normalized the idea of multi-room, digital wireless audio, and it’s still the gold standard to beat.

Curious about what exactly Sonos does, and how it works in the same world that already includes Apple, Spotify, and even your old Technics turntable? Is Sonos right for you? Let's dig into it.
What is Sonos?

Read more
The Sonos Era speakers solve a major problem for Android users
Sonos TruePlay settings.

The new Sonos Era 100 and Era 300 usher in a new generation of wireless speakers for the company, and our first impressions were pretty good. They also close a gaping hole that has plagued a pretty large segment of users. Android users no longer are left out of the Trueplay feature.

Custom tuning of speakers for their environments isn’t particularly new. Google has done it with its Nest Hub Max. Apple does it with the HomePod. But Sonos has always required a phone to do the listening for ambient sound and fine-tuning the speakers. And to date, that phone always has had to be an iPhone (unless you have a portable Sonos Move, but that's almost a different product category at this point. Stay with us here).

Read more
C’mon, Apple — if Sonos can admit it was wrong about Bluetooth, so can you
Handoff between Apple iPhone and Apple HomePod second-gen.

For years, Sonos has relentlessly championed the benefits of Wi-Fi audio. The company even ran a cheeky (and hilarious) campaign showing how annoying it can be to use Bluetooth, featuring pinging notifications and phone calls routinely interrupting what should have otherwise been enjoyable music-listening sessions. Times have changed, however, and not only has Sonos added Bluetooth to its two portable speakers (the Move and the Roam), but recent leaks suggest that it’s considering expanding support for Bluetooth into its main portfolio of powered speakers too, starting with the new Sonos Era 100 and Sonos Era 300.

This amounts to a tacit acknowledgment that Sonos may have been too zealous in its past refusal to adopt Bluetooth audio, and I can’t help but think that it might be time for another company to rethink its rejection of Bluetooth: Apple.

Read more