Thanks in advance for any help...
My computer systems have been under a surgical cyber attack for 2 months now with BIOS and Firmware modification techniques that identify this as a sophisticated bad actor. Therefore, a firmware modification to a SONOS speaker is easily in the realms of probability here.
Anyway, either an update screwed up (which I doubt) or the hacker appears to have modified a PLAY:1 as either a backdoor to tunnel back into the network or as a malware infection point. When doing a network scan, the compromised PLAY:1 does not OS fingerprint in the same manner as the other SONOS devices. The compromised PLAY:1 DNS Cache has a number of URL's and IP addresses in it that may or may not be legitimate (while the other SONOS device's DNS cache's are empty) and UPnP is turned off (but enabled on all the other SONOS devices).
So, (if nothing less than to eliminate it from the compromised device list) is there a way to reset / reimage the firmware on the PLAY:1 or force an update? I believe UPnP may have been turned off by the attacker to avoid updates, etc. - so while it reports the latest version, there is no way to confirm if it really is what it says it is.
Appreciate any feedback or responses...
Answered
Play:1 Possibly Hacked - Reimage / Flash Required
Best answer by Airgetlam
As far as I know, there's no way for you to reflash/reimage the firmware, or force an upgrade (until Sonos releases a new version of the software).
Your best bet at this point is to contact Sonos directly, they may have better answers than I do.
Contact Sonos
Your best bet at this point is to contact Sonos directly, they may have better answers than I do.
Contact Sonos
This topic has been closed for further comments. You can use the search bar to find a similar topic, or create a new one by clicking Create Topic at the top of the page.
A factory reset would do what you want. You’d lose any data stored on the speaker, including playlists, account data etc.
@Airgetlam
Thanks for the suggestion. I performed the factory reset and the DNS entries are still there. As I mentioned before, this is a very sophisticated hacker that modified my PC's CMOS / UEFI BIOS / GPU BIOS and SSD Firmware at the hardware level. I will probably need to reflash / reimage the firmware / force an upgrade. How do I go about doing that?
The DNS entries are listed below. The DNS entries only appear in this one unit - other SONOS devices do not have any DNS entries. Is there a single speaker that maintains the DNS Cache? If so, why are the entries not moved to another device when the compromised PLAY:1 is removed from the network?
Hostname Address
lechmere-v1.sslauth.sonos.com 104.96.97.148
conn-i-0e34ba384793f148a-us-east-1.lechmere.prod.ws.sonos.com 18.207.186.61
service-catalog.ws.sonos.com 54.165.126.223
config.ws.sonos.com 104.86.192.202
update-timezone.sonos.com 184.27.110.68
update.sonos.com 184.27.110.68
msmetrics.ws.sonos.com 52.70.4.196
registration.ws.sonos.com 104.86.192.202
Even if these IP's are verifiable as legitimate, nefarious IP's could be hard coded into the firmware to point somewhere else. Hence, a firmware reflash -and not a factory reset - is required.
Thanks.
Thanks for the suggestion. I performed the factory reset and the DNS entries are still there. As I mentioned before, this is a very sophisticated hacker that modified my PC's CMOS / UEFI BIOS / GPU BIOS and SSD Firmware at the hardware level. I will probably need to reflash / reimage the firmware / force an upgrade. How do I go about doing that?
The DNS entries are listed below. The DNS entries only appear in this one unit - other SONOS devices do not have any DNS entries. Is there a single speaker that maintains the DNS Cache? If so, why are the entries not moved to another device when the compromised PLAY:1 is removed from the network?
Hostname Address
lechmere-v1.sslauth.sonos.com 104.96.97.148
conn-i-0e34ba384793f148a-us-east-1.lechmere.prod.ws.sonos.com 18.207.186.61
service-catalog.ws.sonos.com 54.165.126.223
config.ws.sonos.com 104.86.192.202
update-timezone.sonos.com 184.27.110.68
update.sonos.com 184.27.110.68
msmetrics.ws.sonos.com 52.70.4.196
registration.ws.sonos.com 104.86.192.202
Even if these IP's are verifiable as legitimate, nefarious IP's could be hard coded into the firmware to point somewhere else. Hence, a firmware reflash -and not a factory reset - is required.
Thanks.
As far as I know, there's no way for you to reflash/reimage the firmware, or force an upgrade (until Sonos releases a new version of the software).
Your best bet at this point is to contact Sonos directly, they may have better answers than I do.
Contact Sonos
Your best bet at this point is to contact Sonos directly, they may have better answers than I do.
Contact Sonos
Just as a follow up - spoke to Sonos Support and they confirmed that you cannot rewrite the firmware or force an upgrade until the next release - other than signing up for the Beta program and upgrading that way. Thanks for the help Airgetlam!
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.