Sonos and Bose Speakers Hacked

Technology > Security

Photo by: Rwxrwxrwx via Wikimedia Commons

 

Have you ever heard strange sounds coming from your Sonos or Bose Speakers? They could be sounds like ghostly creaks and moans, or some Rick Astley tunes, or Alexa commands in another voice. If yes, then you are not alone. And don't worry -  you are not losing your mind as this has been the recent experience of several thousand of Sonos and Bose owners whose speakers are internet connected. 

Trend Micro researchers have found out that the speakers, which include the Sonos Play:1 and the more recent Sonos One, and the Bose SoundTouch systems can easily be picked online by hackers and made to play tricks which a hacker can command into the system.

The researchers say that opening up one's network to have direct access to a server through the internet makes their fancy speaker vulnerable to the prank.The problem is owners assume that the network is trusted but "anyone can go in and start controlling your speaker sounds," says Trend Micro Research Director Mark Nunnikhoven.

Trend Micro found out that the NMap and Shodan scanning tools were able to identify from 2000 to 5000 Sonos devices online and another 400 to 500 Bose open devices. The exposed speakers allow devices on the same network to tap the API's used to interface with Spotify and Pandora without the need for authentification and then make the speakers play any audio file from any URL. 

The researchers say that the speakers could be made to give commands to Amazon Echo or Google Home and with Amazon's Alexa voice assistant already integrated into the program, the speakers could easily be manipulated.

One Customer on a Sonos forum has reported that her speaker had begun making eerie sounds like that of creaking doors, crying babies and breaking glasses saying "It's starting to freak me out and I don't know how to stop it."

On a deeper level, the hacker not only can play sounds on the speakers but can also find detailed information such as IP addresses and device IDs. They have sounded out their concerns to the audio speaker manufacturers and Sonos is giving an update to reduce the "leakage" but Bose hasn't made any response yet. It may not be much of a threat to the average audiophile but it is important that buyers know they may be are giving an opening to hackers when they buy internet-connected speakers.