Skip to main content
Not to cause a panic but according to an article on CNet " Practically every modern processor is vulnerable" to the subject bad guys. To be clear INTEL, AMD and ARM chips were specially mentioned. Specific products were laptops, tablets and phones. No mention of smart speakers like Sonos.



Here's an excerpt from the article followed by a link:



A newly discovered exploit in most modern processors could make your computer or phone vulnerable to attacks. But chipmakers say they've got fixes ready to go.



Several researchers, including a member of Google's Project Zero team, found that a design technique used in chips from Intel, Arm and others could allow hackers to access data from the memory on your device. The problem impacts processors going back more than two decades and could let hackers access passwords, encryption keys or sensitive information open in applications.



The flaws, known by the names Spectre and Meltdown, aren't unique to one particular chipmaker or device. Instead, they impact everything from phones to PCs and servers.



"It's not really one vendor's problem," Steve Smith, head of Intel's data center engineering operations, said during a conference call Wednesday. "It's not an issue with our product. It's not an issue with someone else's product." It's a general design issue that impacts most modern chips, he said.




https://www.cnet.com/how-to/how-to-fix-meltdown-spectre-intel-amd-arm-windows-mac-android-ios/



I was wondering if some of the more knowledgeable Sonos folks could review the information and post a comment. Feel free to move this conversation to a more appropriate area.



Thanks and Cheers!
To quote from the article you quoted:



allow hackers to access data from the memory on your device



What data is stored on my Sonos that I'm concerned about hackers getting to?



From a Reuter's article:



The first, called Meltdown, affects Intel chips and lets hackers bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers read a computer’s memory and steal passwords. The second, called Spectre, affects chips from Intel, AMD and ARM and lets hackers potentially trick otherwise error-free applications into giving up secret information.



I'm certainly not an expert, but I don't think I'm running any applications other than Sonos on my speakers.



But if they can (and assuming there's space in the device to do so), I'd certainly expect that Sonos will at some point patch to update this. Some of my friends are indicating that this will cause applications (on Amazon Web Services) to be larger and run 15% slower than they have in the past, which will obviously be a boon for Amazon, since they charge by time.



But there really isn't that much stored on my Sonos speakers that I'm concerned about hackers "stealing". I certainly don't have any financial data stored in the app, and consequently on the speakers.



I'd be interested in your interpretation of the situation with regards to Sonos devices, and what exposure you think we might have due to this.
These are end of days scenarios and if they come about, listening to music on my Sonos will be a long way down in my things to do list.
Thanks for chiming in. My concern as you have said is not about information being mined from the Sonos speaker. My question is whether or not the vulnerabltiy (yet to be confirmed as affecting Sonos) could be exploited as a gateway. I keep my network locked down tightly and my anti-virus and malware definitions updated on a regular basis. However, nothing is 100% impenetrable although I doubt that I'm even a blip on anyone's radar to hack.



This just announced by Apple as I write...



All Mac systems and iOS devices are affected by two recently disclosed processor flaws called Spectre and Meltdown



Hmmm:?
And I thought I'd seen that Apple had already patched some of the vulnerability in IOS, just not all of it. But I'll admit I'm infinitely more worried about my iPhone, iPads, and Desktops of both Mac and PC varieties than I am in any way worried about Sonos devices. There's significantly more potential for those to be impacted than a simple Sonos speaker.



And I'm somewhat concerned about the number of people who might be reading these comments, and not understand the exposure risk. Sometimes these information release tend to be a bit overblown for the the amount of actual possible impact, not unlike the doom and gloom that was suggested around Y2K, if you're old enough to recall that.
Apple already patched one of the two vulnerabilities in MacOS 10.13.2... nothing said if they'll be backporting to earlier versions or not. Not sure if that also included iOS or not.



Microsoft has already updated Windows... 10 has an automatic update in Windows Update... 7 will need to be manually updated until the monthly "Patch Tuesday" update drops next week.



Linux and other Unix variants will likely be updated soon if not already done.



Also though... ARM has come out and said that not all of their processors are affected by the issue. Their CPUs that are often used in cell phones, small/low power PCs and the like are vulnerable, but some of their lower performance chips often used in IoT devices are not. Keep in mind that many routers use ARM processors, so look for an update to your router to become available soon too, if it uses a vulnerable chip.
Unlike a PC or a phone, there is no way to run external code on a Sonos player. In order to exploit such security vulnerabilities you would need to do that. Now if you could use the SMBv1 vulnerability to run code, then *maybe* you could try and find the usernames/passwords which is the only high-value PII on a device. This is overkill though: as passwords etc are not held in kernel memory, but user memory, using one of these exploits would be serious overkill on a Sonos device.
Now if you could use the SMBv1 vulnerability to run code...

Except that the SMBv1 vulnerabilities are usually on the server side, not the client side... and Sonos doesn't run an SMBv1 server.