Skip to main content
Security vulnerabilities in Sonos products
https://techcrunch.com/2017/12/27/certain-sonos-and-bose-models-can-be-accessed-by-hackers-to-play-sound-remotely/ What is Sonos doing to address a security concern in their products?
More like "Stupid users who open up security vulnerabilities in their networks leave themselves wide open to hackers." In other words, water is wet, sky is blue, and tech magazines (TrendMicro, the originator of the story) purposefully disable security that is the default on 99.999% of the networks out there in order to manufacture click bait stories.



Nothing to see here, unless you make it a habit to enable outside access to your internet connected devices. In which case, you have far more at stake than spooky noises over your Sonos speakers.
Sonos released an update a week or two ago that addresses this issue.



https://www.engadget.com/2017/12/27/sonos-bose-speakers-vulnerable-to-hijacking/



According to the release notes on the iOS app store for 8.2.2 (which I can't find on this website), it says:



What's New: Version 8.2.2

This update delivers a couple of performance improvements, bug fixes and a security update for the WiFi WPA2 KRACK vulnerability.
Sonos released an update a week or two ago that addresses this issue.



https://www.engadget.com/2017/12/27/sonos-bose-speakers-vulnerable-to-hijacking/



According to the release notes on the iOS app store for 8.2.2 (which I can't find on this website), it says:



What's New: Version 8.2.2

This update delivers a couple of performance improvements, bug fixes and a security update for the WiFi WPA2 KRACK vulnerability.




Yup. It was also due to the fact users were setting their system up with public IP addresses and making them fully accessible to the outside. This was against all recommendations from Sonos.
Well, the article that the OP referenced stated: Sonos has also issued a patch to help plug the hole. We’re still awaiting an official response from Bose.' as did the Engadget article I referenced. I made the assumption it was part of the same release that included the KRACK fix.
Well, the article that the OP referenced stated: Sonos has also issued a patch to help plug the hole. We’re still awaiting an official response from Bose.' as did the Engadget article I referenced. I made the assumption it was part of the same release that included the KRACK fix.



Not sure about that. It may just be the author got the KRACK threat and this one mixed up. Now that I read it, it looks to be the case because a Sonos rep today stated that this is only possible when the user allows public access, which is not recommended.



Edit: I see now that Sonos supposedly put out a patch that limits the data that can be accessed through this hack. That may mean shutting off the port 1400:/status stuff. Maybe someone from Sonos can elaborate.
Yea, not sure about the "misconfigured" network statement. But generally speaking, Sonos responds to the few issues that have been raised. Perhaps not as quickly as we want, but they do. And I wanted to address the sense of "OMG, Sonos doesn't care" implication in the OP's post.
Yea, not sure about the "misconfigured" network statement. But generally speaking, Sonos responds to the few issues that have been raised. Perhaps not as quickly as we want, but they do. And I wanted to address the sense of "OMG, Sonos doesn't care" implication in the OP's post.



Meh. Nobody ever started out a rant with "Sonos cares! But I'm going to have a tantrum anyway!" It's as ubiquitous as "I'm going to dump this in the trash and buy Bose!" and about as accurate.
Laugh. Too true.



But I do hate the automatic jumping to a conclusion that isn't supported by the evidence provided. But I'm not a fan of tantrums, either. I gave them up at about age 7. Which was a damn long time ago 🙂
The local network can be penetrated by other vectors. It's important that IoT devices have solid security. If a IoT fridge has a vulnerability and runs a botnet, blaming the user is rich.



I am disappointed to see that the forums continue to be patrolled by ignorant trolls that believe that Sonos doesn't have a duty of care to ensure their devices are free of exploits.
The local network can be penetrated by other vectors. It's important that IoT devices have solid security. If a IoT fridge has a vulnerability and runs a botnet, blaming the user is rich.



I am disappointed to see that the forums continue to be patrolled by ignorant trolls that believe that Sonos doesn't have a duty of care to ensure their devices are free of exploits.




These 'ignorant trolls' as you call them, spend a lot of their time helping people on these forums! And they don't say that Sonos doesn't have a responsibility just that SOME stories are elaborated within SOME areas of the press to make a story.
TrendLabs provides valuable information to the public. In this case they showed that thousands of Sonos speakers were vulnerable thus providing a valuable service to Sonos customers.



Here is the original research report:



https://blog.trendmicro.com/trendlabs-security-intelligence/iot-devices-need-better-builtin-security/



"Exposed device — As shown in our research on hacking industrial robots and exposed devices in U.S. and Western European cities, an attacker can look for exposed devices over the internet through search engines like Shodan. At the time of the study, we were able to see around 4,000 to 5,000 exposed Sonos speakers."
7 month old thread. It was due to idiots who purposefully opened themselves up to hacking, and it is already patched, along with DNS rebinding vulnerability on the same port. Do try to keep up (or read the entire thread).



From the original article linked by the OP:



https://techcrunch.com/2017/12/27/certain-sonos-and-bose-models-can-be-accessed-by-hackers-to-play-sound-remotely/



Sonos has also issued a patch to help plug the hole. We’re still awaiting an official response from Bose.




https://www.bleepingcomputer.com/news/security/google-roku-sonos-to-fix-dns-rebinding-attack-vector/



Unlike Google and Roku, Sonos was far more responsive, and acknowledged the issue right away, promising a fix for mid-July as well.




https://www.wired.com/story/chromecast-roku-sonos-dns-rebinding-vulnerability/



Google, Roku, and Sonos have all patched or are in the process of patching

TrendLabs provides valuable information to the public. In this case they showed that thousands of Sonos speakers were vulnerable thus providing a valuable service to Sonos customers.





Old news, patched long ago. What is your motivation? Why do you keep digging up outdated information? As a “software developer“, you surely must know that software is constantly being patched as vulnerabilities are found. Windows at least monthly, Oracle at least quarterly, iOS and Android apps constantly. It’s totally normal, Sonos, like every other reputable company, has a security team that is fully aware of any vulnerabilities. They really don’t need any noise from trolls like you.
It’s totally normal, Sonos, like every other reputable company, has a security team that is fully aware of any vulnerabilitiew.



Best practices for the IoT says to secure devices with authentication. That is missing on our devices. Why?
It was also due to the fact users were setting their system up with public IP addresses and making them fully accessible to the outside. This was against all recommendations from Sonos.



Any network connected to the internet can be breached by intruders. That is why networked devices should have the option of an authentication feature to access their services.
If you’re really this paranoid, perhaps it’s best you go back to spinning records on an old non-networked HiFi. 😃




Any network connected to the internet can be breached by intruders. That is why networked devices should have the option of an authentication feature to access their services.




Not to mention the coincidental fact that your preferred method of authentication also allows you to curb your children's wayward habits. How convenient for you. :8
But does it? Because if they're using Airplay, that's Apple's ballgame... and if Apple doesn't have a way to require a password before sending audio via Airplay, requiring authentication in the Sonos app won't do much to change that.
But does it? Because if they're using Airplay, that's Apple's ballgame... and if Apple doesn't have a way to require a password before sending audio via Airplay, requiring authentication in the Sonos app won't do much to change that.



Of course it doesn't. Nor does it prevent anyone from sending raw UPnP commands to take over the system.



But you know what would do it? Requiring handshake authentication for every command, with a time stamp to allow for time-based encryption on the authentication that changes the handshake every call. That would lock it up tight, even if someone slaps a packet sniffer on the network, and would require just a little more overhead. This may even be what Sonos is doing now, hence the need for every system to verify their account/password across all services.



But all that would eliminate the need for this poster's pet wish, and thus is not being considered. He just assumes Sonos is wide open, and he's not considering the fact they simply do not wish to talk about their security measures, for good reason.
Sonos is wide open, at the UPnP level. Try it: install, say, UPnP Spy, and send random commands to any player. It all works as expected. Over the years Sonos has tightened up music service username/passwords, which used to be exposed completely in the clear, and fixed some lower-level security issues like dns spoofing. However they have never attempted to lock anyone out of the basic UPnP command set, and likely with good reason. And for that obviously I am grateful.
Sonos is wide open, at the UPnP level. Try it: install, say, UPnP Spy, and send random commands to any player. It all works as expected. Over the years Sonos has tightened up music service username/passwords, which used to be exposed completely in the clear, and fixed some lower-level security issues like dns spoofing. However they have never attempted to lock anyone out of the basic UPnP command set, and likely with good reason. And for that obviously I am grateful.



So in reality, passwords at the app level are useless when it comes to security.
So in reality, passwords at the app level are useless when it comes to security.



Absolutely. Simply encrypting the calls is only as secure as the key (and we know how well that worked for Sonos in the past), and a certificate based https-style solution would then you have the problem of keeping the certificates hidden, not to mention the huge Support pain of users who forget their passwords or can't set their systems up due to mismatches. Actual https isn't feasible on a local network either.