Hackers Can Remotely Control Some Sonos and Bose Speakers
It was recently learned that hackers can break into some Sonos and Bose speakers and remotely play sounds through the devices.
Security researchers recently confirmed that hackers can attack certain speakers - including the Sonos Play:1, the Sonos One and the Bose SoundTouch - and play random sounds on the device without the need to be physically close or in contact with the hardware, according to a report from WIRED.
According to the report, speakers that logged on to a broken network can later be found by hackers through "simple internet scans." This allows them to remotely play any sound or music of their choice, which could be an effective way of pranking unsuspecting Sonos and Bose users.
Ten months ago, one Sonos user reported a similar incident in a community forum. The user said her speakers, which she had owned for seven months at the time, started making sounds like a door opening, breaking glass, and a crying baby for "a couple of nights."
Trend Micro researcher Mark Nunnikhoven told WIRED: "The unfortunate reality is that these devices assume the network they're sitting on is trusted, and we all should know better than that at this point. ... Anyone can go in and start controlling your speaker sounds."
Meanwhile, the same report said only "a small fraction" of these Sonos and Bose smart speaker models were detectable through the internet scans that the researchers carried out to test the scope of the hack. In their experiment, they reportedly found 2,000 to 5,000 Sonos and around 500 Bose speakers in the network.
Once a speaker is found in the internet scan, hackers can then remotely work their way to the API used for the speakers' voice-activated functions. This, according to Trend Micro researchers, means the hack can do more than just play a sound. Based on their experiment, a compromised speaker can be made to speak to itself with commands that the device can execute.
And since most of the Alexa- and Google Assistant-powered speakers now control home locks and appliances, worse attacks might happen to anyone with a compromised speaker.
Sonos has already responded to WIRED and Trend Micro's report and said it was still investigating the matter further. The company added: "But what you are referencing is a misconfiguration of a user's network that impacts a very small number of customers that may have exposed their device to a public network. We do not recommend this type of set-up for our customers."
Meanwhile, Bose has yet to release a statement.