Security researchers turn Sonos One speakers into bugs
Attackers can record conversations via the built-in microphone of Sonos One speakers. The security problem has now been solved.
(Image: Skorzewiak/Shutterstock.com)
- Uli Ries
Security researchers report that they discovered a since-patched vulnerability in the Sonos One speaker which allowed them to turn the speaker into a bug.
Preparations
In their presentation at Black Hat 2024, the security researchers from the NCC Group show how much effort they had to put into discovering the vulnerability in the firmware of the Sonos One speaker. To do this, they soldered a cable to the exposed UART pins on the speaker's board in order to evaluate kernel panic messages, among other things. By disassembling the firmware, the researchers found a buffer overflow in the kernel module responsible for the WLAN implementation.
Exploit via WLAN packet
According to the researchers, since Sonos uses neither Kernel Address Space Layout Randomization (KASLR) nor stack canaries to detect buffer overflows, they were able to exploit the bug in the WLAN module reliably.
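The bug class the article describes, a length field taken from a radio frame and trusted when copying into a fixed-size kernel buffer, is easiest to see next to its fix. The following is an added example written for this article; it is not NCC Group's or Sonos's code, and the frame layout (one type byte, one length byte, then payload, modelled loosely on an 802.11 information element) and the function names are constructed for illustration. The unchecked variant is kept only for contrast; the checked variant is the one a driver should contain.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 802.11 limits an SSID to 32 octets; the output buffer is sized for that. */
#define SSID_MAX 32

/* Vulnerable pattern: the length byte comes from the radio frame and is
 * trusted. A length above 32 writes past 'out'. Shown for contrast only;
 * it must never be called with untrusted input. */
int parse_ssid_unchecked(const uint8_t *ie, size_t ie_len, char out[SSID_MAX + 1])
{
    if (ie_len < 2)
        return -1;
    size_t len = ie[1];                /* attacker-controlled length byte */
    memcpy(out, ie + 2, len);          /* no bound against SSID_MAX or ie_len */
    out[len] = '\0';
    return (int)len;
}

/* Hardened pattern: validate the length against both the destination size and
 * the bytes actually present in the frame before any copy happens. */
int parse_ssid_checked(const uint8_t *ie, size_t ie_len, char out[SSID_MAX + 1])
{
    if (ie_len < 2)
        return -1;
    size_t len = ie[1];
    if (len > SSID_MAX || len > ie_len - 2)
        return -1;                     /* malformed: reject instead of overflowing */
    memcpy(out, ie + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample element: type 0 (SSID), length 5, payload "Sonos". */
static const uint8_t GOOD_IE[] = { 0x00, 0x05, 'S', 'o', 'n', 'o', 's' };

/* Well-formed input: the checked parser accepts it and returns the length. */
int demo_good(void)
{
    char ssid[SSID_MAX + 1];
    return parse_ssid_checked(GOOD_IE, sizeof GOOD_IE, ssid);   /* 5 */
}

/* Oversized length field (64 bytes of payload): the checked parser refuses it.
 * The unchecked parser would write 32 bytes past 'ssid' on this input. */
int demo_oversized(void)
{
    uint8_t bad[2 + 64];
    bad[0] = 0x00;
    bad[1] = 64;
    memset(bad + 2, 'A', 64);
    char ssid[SSID_MAX + 1];
    return parse_ssid_checked(bad, sizeof bad, ssid);           /* -1 */
}

/* Length byte claims more payload than the frame carries (truncated element):
 * also rejected, so the parser never reads past the end of the frame. */
int demo_truncated(void)
{
    const uint8_t trunc[] = { 0x00, 0x10, 'a', 'b' };  /* claims 16, carries 2 */
    char ssid[SSID_MAX + 1];
    return parse_ssid_checked(trunc, sizeof trunc, ssid);       /* -1 */
}

int main(void)
{
    printf("good=%d oversized=%d truncated=%d\n",
           demo_good(), demo_oversized(), demo_truncated());
    return 0;
}
```

The two mitigations the article says were missing act on the unchecked variant in different ways: a stack canary (for example from compiling with `-fstack-protector-strong`) turns the overwrite into a detected abort when the affected function returns, and KASLR makes the kernel addresses an exploit needs unpredictable. Neither replaces the length check; they limit the damage when a check like the one in `parse_ssid_checked` is missing.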
To trigger the memory error, they used the Linux tool wpa_supplicant to simulate an access point (AP). The AP sets up a WLAN with the same name and password as the speaker expects.
A single de-authentication packet and the AP's stronger radio signal are sufficient for the speaker to connect to the AP. At the end of the WPA handshake between the speaker and the AP, wpa_supplicant sends an appropriately modified packet to the Sonos One, triggering the buffer overflow.
A total of around 2300 bytes fit into an 802.11 packet, so the researchers did not have much memory left to accommodate their entire exploit. Using tricks, they managed to load a shell script into the handshake packet. Once executed, the script downloads busybox from the researchers' laptop, giving them a larger selection of command line tools.
Speaker as a bug
After taking control of the speaker, they added an implant written in Rust. It allows the attackers to unmute the microphone built into the speaker via a web interface and then start a recording - turning the speaker into a bug that can be completely controlled from the outside.
Because Sonos speakers are usually supplied with the latest firmware through automatic updates, there are probably comparatively few Sonos One models that are still vulnerable to the attack. It is not clear from the researchers' report which firmware is specifically targeted.
(dahe)