Sonos speaker hacked at Pwn2Own Austin

  • 10 November 2021
  • 11 replies
  • 1263 views

Userlevel 1
Badge +4

See the report here: https://www.grc.com/sn/SN-844-Notes.pdf pages 3-5.

.


This topic has been closed for further comments. You can use the search bar to find a similar topic, or create a new one by clicking Create Topic at the top of the page.

11 replies

Userlevel 7

Events like this only help to make our devices more secure. I’m sure Sonos will look into this and patch the vulnerability. They have 120 days before the methodologies are disclosed to the public.

Userlevel 7
Badge +22

I can’t find much information about the security breach, not even enough to evaluate the threat level. Sonos may be told soon, the rest of us as was said are in the dark for 120 days.

 

Was it done from the local network or from the Internet? If from the Internet it is a serious issue, from the local network not so much.

What could they accomplish with the breached Sonos? Probably mess with your Sonos settings and devices. If it was an Internet based attack then they’d have gained a compromised system inside your firewall which is not good, if from a local attack they really gained nothing else.

Was it a breach of the Sonos code or of their old-multiply patched kernel code? Hard to guess which one would be harder to patch, they likely know their own code better but there is probably a kernel patch that can be back-ported if it was at that level.

 

Without real information being available these articles amount to little more than click-bait. Good for scaring the end user that doesn’t have the knowledge to translate them to real-world risk.

Userlevel 7
Badge +23

Details can be found at https://www.synacktiv.com/en/publications/dumping-the-sonos-one-smart-speaker.html

 

Userlevel 7
Badge +23

One very interesting data point from this hack is that the Sonos One runs Armv8 in 64-bit mode but the One SL runs Armv7 in 32-bit mode. So there is much more of a difference than just the mic between these two devices, and less horsepower is required if voice support is not required.

Userlevel 7
Badge +23

This is a DMA based hack, so for the moment no risk to users as you need to dismantle the speaker and add some special hardware to dig into it. Their idea is to extract the firmware in the clear, and use that to find an attack surface that might allow something bad over the local network. They have managed to run arbitrary code on there, which is impressive, but again it requires DMA hardware to be connected to do that.

One very interesting data point from this hack is that the Sonos One runs Armv8 in 64-bit mode but the One SL runs Armv7 in 32-bit mode. So there is much more of a difference than just the mic between these two devices, and less horsepower is required if voice support is not required.

 

I believe Sonos One initially was 32 bit, but they released a Gen 2 that was 64 bit later on.  I don’t recall if Sonos One SL went through a similar upgrade  Point being, the One to One SL comparison might not be a fully accurate comparison. 

Userlevel 7
Badge +22

That https://www.synacktiv.com/en/publications/dumping-the-sonos-one-smart-speaker.html is from the 2020 round, it is a hardware attack and is outside the 120 day embargo on releasing results.

In November 2020, the contest was held in Vancouver and on-line. We already published an article on our success on TP-Link AC1750 Smart Wifi Router, but this wasn't the only device we focused on.

This article presents the first step of our vulnerability research on the Sonos One Gen 2 smart speaker. Sonos speakers use encrypted firmware so the first thing to do for a software security research is to get the cleartext firmware.

Sonos One uses a PCI express WiFi card that can be removed from the board to get access to the PCI-e bus. We use this bus to make a DMA attack, and got root shell access to the device and its cleartext firmware.

 

The 2021 round is still under embargo and was apparently a network based attack.

Userlevel 7
Badge +15

Read about this a week or so back.

I think this was the article I read.

https://www.bleepingcomputer.com/news/security/sonos-hp-and-canon-devices-hacked-at-pwn2own-austin-2021/

Big money to be made..

one can only hope that Sonos has a Patch Tuesday :grin:

 
Userlevel 7
Badge +22

Sonos does updates on an “as needed” basis, new features, new hardware or security.

There is usually not much made of them aside from a notice they are available and mentions of the new features. I think there is a change list that gets posted around here but I usually don’t look for it.

The change list that is posted is only for “new” features, and never describe specific fixes. If it’s a “bug fix” release, we often get nothing posted at all, and the stores just show the “bug fixes” moniker.