Hardware exploits, in a very oversimplified sense, can be broken down into two categories: Those you should care about, and those you shouldn’t. And this one firmly sits in the category of exploits that you really need not lose sleep over. But given that it involves Sonos — and because Sonos has rightly been the subject of less-than-positive headlines of late — it’s at least worth discussing.
So here’s the deal: A presentation by NCC Group’s Robert Herrera and Alex Plaskett at the August Black Hat USA 2024 conference in Las Vegas showed how a Sonos One could be exploited to let an attacker capture audio from the device in real time, by way of a kernel-level vulnerability in the device’s Wi-Fi stack. That, obviously, is not good. The Sonos One was the company’s first speaker with a microphone, added for hands-free voice control.
When the Sonos One connects to a router, a handshake has to complete before the device can send wireless traffic, Herrera explained in an interview with Dark Reading. One of the packets exchanged during that handshake was not properly validated, and that missing check is how an attacker could force their way into the device and, from there, reach the microphones.
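To make concrete what “one of the packets exchanged was not properly validated” looks like inside a Wi-Fi driver, here is an added C illustration. It is not NCC Group’s proof of concept, not MediaTek’s code, and not the actual bug (none of those details are on this page): it uses a constructed TLV-style element (id, length, payload, in the shape of an 802.11 information element) and a hypothetical per-station struct. The vulnerable parser trusts the on-air length field; the hardened parser checks it against the bytes actually received and against the size of the destination slot.

```c
/*
 * Added illustration, not NCC Group's or MediaTek's code: the general shape
 * of "a handshake packet was not properly validated".  A toy TLV element
 * (id, len, payload) is copied into a fixed 16-byte key slot in per-station
 * driver state.  The element format, struct and frames are all constructed
 * for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_SLOT_LEN 16
#define ELEM_ID_KEY  0x01   /* constructed element id for this example */

/* Hypothetical per-station state.  state_flags sits right after the key
 * slot, so an overrun of ptk lands on it; in a real driver this would be an
 * out-of-bounds write into kernel memory. */
struct sta_state {
    uint8_t  ptk[KEY_SLOT_LEN];
    uint32_t state_flags;        /* e.g. an "authorized" bit */
};

/* Vulnerable: copies as many bytes as the peer's length byte says. */
int parse_key_elem_vulnerable(struct sta_state *sta, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2 || frame[0] != ELEM_ID_KEY)
        return -1;
    size_t elem_len = frame[1];
    /* BUG: elem_len is never compared with KEY_SLOT_LEN or frame_len. */
    memcpy(sta->ptk, frame + 2, elem_len);
    return 0;
}

/* Hardened: the length must fit in the received frame and exactly fill the slot. */
int parse_key_elem_hardened(struct sta_state *sta, const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2 || frame[0] != ELEM_ID_KEY)
        return -1;
    size_t elem_len = frame[1];
    if (elem_len > frame_len - 2)   /* element claims more bytes than arrived */
        return -1;
    if (elem_len != KEY_SLOT_LEN)   /* wrong size for the destination slot */
        return -1;
    memcpy(sta->ptk, frame + 2, elem_len);
    return 0;
}

/* Constructed frame: id=1, len=20 (> 16), twenty 'A' payload bytes. */
static const uint8_t oversized_frame[22] = {
    ELEM_ID_KEY, 20,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'
};
/* Constructed frame: well-formed, 16-byte payload. */
static const uint8_t valid_frame[18] = {
    ELEM_ID_KEY, 16, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
};
/* Constructed frame: claims 16 payload bytes but only 4 follow. */
static const uint8_t truncated_frame[6] = { ELEM_ID_KEY, 16, 9,9,9,9 };

/* Returns 1 if the vulnerable parser accepted the oversized element and
 * clobbered state_flags while the hardened parser rejected it untouched. */
int demo_overrun(void)
{
    struct sta_state v = { {0}, 0 };
    struct sta_state h = { {0}, 0 };
    int vr = parse_key_elem_vulnerable(&v, oversized_frame, sizeof oversized_frame);
    int hr = parse_key_elem_hardened(&h, oversized_frame, sizeof oversized_frame);
    return vr == 0 && v.state_flags != 0 && hr == -1 && h.state_flags == 0;
}

/* Returns 1 if the hardened parser still accepts a well-formed element. */
int demo_hardened_accepts_valid(void)
{
    struct sta_state h = { {0}, 0 };
    return parse_key_elem_hardened(&h, valid_frame, sizeof valid_frame) == 0 && h.ptk[15] == 16;
}

/* Returns 1 if the hardened parser rejects an element longer than the frame. */
int demo_hardened_rejects_truncated(void)
{
    struct sta_state h = { {0}, 0 };
    return parse_key_elem_hardened(&h, truncated_frame, sizeof truncated_frame) == -1;
}

int main(void)
{
    printf("vulnerable parser clobbered adjacent state: %s\n", demo_overrun() ? "yes" : "no");
    printf("hardened parser accepts valid element:     %s\n", demo_hardened_accepts_valid() ? "yes" : "no");
    printf("hardened parser rejects truncated element: %s\n", demo_hardened_rejects_truncated() ? "yes" : "no");
    return 0;
}
```

The two checks in the hardened version are the whole point: one bounds the length against what was actually received (so a short frame cannot cause an over-read), the other bounds it against the destination (so a long one cannot cause an over-write). A single missing comparison of this kind is enough to turn a handshake frame from an unauthenticated peer into a kernel memory-corruption primitive.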
“We deploy a method of capturing all the audio data — all the microphone input in the room, in the vicinity of this Sonos device,” Plaskett told Dark Reading ahead of his and Herrera’s presentation. An attacker is then “able to exfiltrate that data and play it back at a later date, and be able to play back all the recorded conversations from the room.”
It’s a real-time thing, though: the attacker can’t hear anything that was said before the exploit was run. “You would need to exploit the Sonos device first to start the capture,” Plaskett said. “And then once you start the capture, you only … have the data from within that period.”
But the proof of concept shown was not easy to implement, and it isn’t the sort of thing you could pull off without actually being within Wi-Fi range of someone’s Sonos One. (Other devices could be at risk, Plaskett and Herrera said, but that is more a function of the Wi-Fi flaw than of anything specific to Sonos.)
“If an attacker goes to that kind of extent, they could compromise the devices,” Plaskett said. “And I think people have been assuming that these devices may be secure. So being able to kind of quantify the amount of effort and what an attacker would need to actually achieve the compromise is quite an important understanding.”
Perhaps most important is that the vulnerability was fixed within a couple of months of being reported: an update to the Sonos S2 system shipped in October 2023, and an S1 update followed about a month later. Sonos publicly acknowledged the remote code execution vulnerability in a bulletin on August 1, 2024, nearly a year after it had actually patched its own devices. MediaTek, whose Wi-Fi stack was the root of the problem, issued its own security advisory in March 2024.
“The security posture of Sonos devices is a good standard. It’s been evolving over time,” Plaskett said. “Every vendor has vulnerabilities, and basically, it’s about how you respond to those vulnerabilities. How you patch those vulnerabilities. Sonos fixed these vulnerabilities within two months. … Yeah, it’s a good patching process, I would say.”