Researchers at Trend Micro have discovered a potential hack opening key speakers from Sonos and Bose to remote access. As first reported by Wired, the Sonos Play:1, Sonos One, and Bose SoundTouch systems can be located and taken over through an online scan, letting hackers play music through the system.
For now, the access appears to be largely prank-based. The researchers, naturally, used the vulnerability to play Rick Astley and mess with a nearby Alexa-enabled system with commands, a la South Park. Another slightly more ominous report from a Sonos forum was written by a user who was understandably freaked out when the sound of creaking doors, crying babies and breaking glass started playing through her system at top volumes.
On the upside, the number of vulnerable systems is relatively limited. The researchers found between 2,000 and 5,000 impacted Sonos system and less than 500 Bose speakers. A spokesperson for Sonos told TechCrunch, “We’re looking into this more, but what is being referenced is a misconfiguration of a user’s network that impacts a very small number of customers that may have exposed their device to a public network. We do not recommend this type of set-up for our customers. In the near term, anyone concerned about this issue should ensure their Sonos system is set-up on their secured internal network.”
Sonos has also issued a patch to help plug the hole. We’re still awaiting an official response from Bose.
Comments from Trend Micro echoed the sentiment to some degree, blaming the issue on network connections, along with the speakers’ default setting. “The unfortunate reality is that these devices assume the network they’re sitting on is trusted, and we all should know better than that at this point,” a research director for the company said. “Anyone can go in and start controlling your speaker sounds,”if you have compromised devices, or even just a carelessly configured network.”
The whole thing may not move beyond the silly prank stage, but it serves as an important reminder to keep all of the connected devices in your home secure — especially as we sacrifice more and more potential privacy concerns to smart devices with cameras and always-on microphones.