IRVING, Tex. – Trend Micro researchers have found that some models of Bose and Sonos speakers have a vulnerability that leaves them open to hijacking.
According to a report by Wired, certain models of Bose and Sonos speakers are quite open to hijacking. The speakers are accessible, and hackers often exploit them to play ghostly and spooky sounds. Hackers have also used the speakers to play Alexa commands as well as Rick Astley tracks.
Fortunately, only a small percentage of Bose and Sonos speakers are affected by this issue. On the Sonos side, it includes some Sonos Play:1 and Sonos One devices. On the Bose side, the device vulnerable to hijacking is the Bose SoundTouch.
The hijacking process is tedious but definitely possible. All it takes is a speaker that is connected to, or detectable through, a misconfigured network. Such a speaker can be found using a very simple internet scan. Once the device is found through the scan, the API that the speaker uses to talk to specific applications can be used to tell the speaker to play music or any audio file hosted at a particular URL.
This news reflects negatively on both companies. For Bose, Trend Micro found about 400 to 500 models open to this kind of audio hacking. Sonos is more exposed, with nearly 2,500 to 5,000 devices accessible to hijacking.
Sonos, however, gave its side of the story in an email to Wired. The company said it is already looking into the issue thoroughly, but it also said that the matter points to a misconfiguration of the user's network. The email also stated that the problem affects only a small number of Sonos users who have exposed their speakers to a public network. According to Sonos, this is not a setup it recommends to its customers.
Finding information such as the IP addresses and IDs of several connected devices is possible. However, it is also unlikely, since this kind of effort is considered an elaborate hack. According to Wired, this type of speaker hijacking is more likely to be used for odd audio pranks. That is also what they found in the case of a woman whose Sonos speaker started to play the sound of breaking glass and then the sound of a baby crying in the middle of the night.
Sonos devices feature an open API program, and this makes them vulnerable. It is also not the first time the company has faced this kind of glitch. In 2014, a developer made Ghostly, an interactive hack that took some Sonos devices for a spooky ride.
While this issue affects only a tiny fraction of the Bose and Sonos speakers.