Sonos Smart Speakers Vulnerabilities Allow Unauthorized Eavesdropping
Cybersecurity researchers have uncovered vulnerabilities in Sonos smart speakers that could be exploited by malicious actors to covertly eavesdrop on users.
The vulnerabilities NCC Group found in Sonos devices amounted to a significant break in device security, making it possible to remotely exploit multiple device models through more than one attack vector, NCC Group security researchers Alex Plaskett and Robert Herrera said.
Successful exploitation lets an attacker covertly capture audio from Sonos devices through over-the-air attacks. The flaws affect all versions prior to Sonos S2 release 15.9 and Sonos S1 release 11.12, which shipped in October and November 2023, respectively.
The findings were presented at Black Hat USA 2024. The two security issues are briefly described below:
- CVE-2023-50809 – A flaw in the Sonos One Gen 2 Wi-Fi stack that fails to validate an information element during the WPA2 four-way handshake, leading to remote code execution.
- CVE-2023-50810 – A vulnerability in the U-Boot component of the Sonos Era-100 firmware that allows persistent arbitrary code execution with Linux kernel privileges.
NCC Group, which reverse-engineered the boot process to achieve code execution on both the Sonos Era-100 and the Sonos One, said CVE-2023-50809 stems from a memory corruption bug in the Sonos One's wireless driver, which belongs to a third-party chipset manufactured by MediaTek.
According to an advisory by MediaTek for CVE-2024-20018, “The wlan driver potentially allows an out-of-bounds write due to improper input validation, leading to local privilege escalation without requiring additional execution privileges or user interaction for exploitation.”
From this initial foothold, an attacker can escalate privileges to gain full root control of the device and deploy a novel Rust implant capable of capturing audio from the device's microphone, recording whatever is said in close physical proximity to the speaker.
CVE-2023-50810, the second flaw, concerns a chain of vulnerabilities in the secure boot process of Era-100 devices that lets an attacker bypass its security controls and run unsigned code in the kernel context.
Chained with an N-day privilege escalation vulnerability, this enables code execution at ARM EL3 and extraction of hardware-backed cryptographic secrets.
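The bug class behind CVE-2023-50809, and the one MediaTek describes for CVE-2024-20018 (an out-of-bounds write caused by improper input validation of peer-controlled data), is easiest to see in code. The following is an added example written for this page; it is not code from Sonos, MediaTek or NCC Group. It shows a vulnerable and a hardened parser for the information elements carried in the Key Data field of a WPA2 EAPOL-Key frame. The element ID and the RSNE layout follow IEEE 802.11; the buffer size RSN_MAX, the function names and the sample frames are assumptions constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not Sonos or MediaTek code. 802.11 information
 * elements are TLVs: 1-byte element ID, 1-byte length, then the body. The Key
 * Data field of an EAPOL-Key frame carries such elements (e.g. the RSNE), and
 * the peer controls every byte of it. */
#define IE_RSN  48     /* RSNE element ID (IEEE 802.11) */
#define RSN_MAX 64     /* hypothetical capacity of the driver's RSNE buffer */

struct rsn_ie {
    uint8_t len;
    uint8_t body[RSN_MAX];
};

/* Vulnerable pattern: the attacker-supplied length byte is used unchecked as
 * the copy length. `out` is a raw pointer, so the excess lands in whatever the
 * caller placed after the first RSN_MAX bytes (an out-of-bounds write). */
size_t copy_rsn_vuln(const uint8_t *data, size_t avail, uint8_t *out)
{
    size_t off = 0;
    while (off + 2 <= avail) {
        uint8_t id = data[off], len = data[off + 1];
        if (id == IE_RSN) {
            memcpy(out, data + off + 2, len);   /* no check against RSN_MAX or avail */
            return len;
        }
        off += 2 + (size_t)len;
    }
    return 0;
}

/* Hardened: each length is validated against the bytes actually remaining in
 * the frame and against the destination capacity before anything is copied. */
int copy_rsn_safe(const uint8_t *data, size_t avail, struct rsn_ie *out)
{
    size_t off = 0;
    while (off + 2 <= avail) {
        uint8_t id = data[off], len = data[off + 1];
        if ((size_t)len > avail - off - 2)
            return -1;                          /* element runs past end of frame */
        if (id == IE_RSN) {
            if (len > RSN_MAX)
                return -2;                      /* larger than our buffer */
            memcpy(out->body, data + off + 2, len);
            out->len = len;
            return 0;
        }
        off += 2 + (size_t)len;
    }
    return -3;                                  /* no RSNE found */
}

/* Constructed Key Data: a vendor element the walker must skip, then a 20-byte
 * RSNE (version 1, CCMP group and pairwise cipher, PSK AKM, capabilities). */
static const uint8_t kd_benign[] = {
    0xdd, 0x03, 0x00, 0x0f, 0xac,
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00,
};
/* Constructed: RSNE claims 64 bytes but only 20 follow. */
static const uint8_t kd_truncated[] = {
    0x30, 0x40, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x04,
    0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00,
};
/* Constructed: a well-formed but oversized RSNE (80 bytes > RSN_MAX). */
static size_t build_overlong(uint8_t *buf)
{
    buf[0] = IE_RSN; buf[1] = 80;
    memset(buf + 2, 0x41, 80);
    return 82;
}

int demo_benign(void)        /* returns the accepted RSNE length, 20 */
{
    struct rsn_ie ie;
    int rc = copy_rsn_safe(kd_benign, sizeof kd_benign, &ie);
    return rc == 0 ? ie.len : rc;
}
int demo_truncated(void)     /* returns -1 */
{
    struct rsn_ie ie;
    return copy_rsn_safe(kd_truncated, sizeof kd_truncated, &ie);
}
int demo_overlong_safe(void) /* returns -2 */
{
    uint8_t kd[82]; struct rsn_ie ie;
    return copy_rsn_safe(kd, build_overlong(kd), &ie);
}
int demo_overlong_vuln(void) /* returns 1: sentinel past the buffer was overwritten */
{
    uint8_t kd[82], arena[128];
    const uint8_t sentinel[4] = { 0xde, 0xad, 0xbe, 0xef };
    memset(arena, 0, sizeof arena);
    memcpy(arena + RSN_MAX, sentinel, 4);       /* stands in for adjacent driver state */
    copy_rsn_vuln(kd, build_overlong(kd), arena);
    return memcmp(arena + RSN_MAX, sentinel, 4) != 0;
}

int main(void)
{
    printf("benign RSNE accepted, len=%d\n", demo_benign());
    printf("truncated -> %d, overlong (safe) -> %d, overlong (vuln) clobbered sentinel: %d\n",
           demo_truncated(), demo_overlong_safe(), demo_overlong_vuln());
    return 0;
}
```

In a real driver the bytes after the buffer are kernel state (function pointers, list links, other packet metadata), which is what turns an unchecked length byte into code execution; the hardened walker refuses the element before any copy happens, both when it overruns the frame and when it exceeds the destination.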
Stressing the importance of the research, the experts emphasized two key takeaways: “Firstly, external components must adhere to similar security standards as internal ones. Secondly, vendors are urged to conduct thorough threat modeling on all potential attack surfaces and validate every remote entry point adequately.”
“In case of security vulnerabilities in the secure boot mechanism, rigorous testing and validation of the boot chain are vital to prevent the introduction of such weaknesses. Both hardware and software attack paths should be meticulously examined,” the researchers added.
The disclosure comes as firmware security firm Binarly revealed that numerous UEFI products from multiple vendors are susceptible to a critical firmware supply chain issue dubbed PKfail, which allows attackers to bypass Secure Boot and install malicious code.
Specifically, the analysis found that hundreds of products use a test Platform Key generated by American Megatrends International (AMI), which was likely included in the reference implementation with the expectation that it would be replaced by a securely generated key further down the supply chain.

Detailing the issue, Binarly explained, “The root problem lies in the ‘master key’ utilized in Secure Boot, known as the Platform Key (PK) in UEFI terminology, which cannot be trusted due to its generation by Independent BIOS Vendors (IBVs) and sharing across various vendors,” making it a widespread challenge impacting both x86 and ARM architectures.
“Since original equipment manufacturers and device vendors often do not replace this Platform Key, devices end up using untrustworthy keys. Manipulating the Key Exchange Key (KEK) database, Signature Database (db), and Forbidden Signature Database (dbx) becomes a straightforward task for malicious actors having access to the private PK, allowing them to bypass Secure Boot and inject harmful code,” Binarly reiterated.
As a result, PKfail lets attackers run malicious code during boot even with Secure Boot enabled, giving them the ability to sign and deploy malicious code such as the BlackLotus UEFI bootkit.
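PKfail is a trust-chain problem: whoever holds the PK's private key can authorize KEK updates, and KEK holders can in turn authorize db and dbx updates, so the first practical check on a given machine is to look at which certificate is enrolled as PK. The example below is added for this page and is not Binarly's tooling. It parses the EFI_SIGNATURE_LIST structures in which UEFI stores the contents of PK, KEK, db and dbx (layout from the UEFI specification), with every size field checked against the buffer, and extracts the X.509 certificate so it can be inspected with openssl. The efivarfs path and its 4-byte attribute prefix are standard on Linux; the sample blob produced by build_sample_pk is constructed with a placeholder certificate body rather than real DER, and the function names are chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Binarly's tooling. EFI_SIGNATURE_LIST (UEFI spec):
 *   EFI_GUID SignatureType; UINT32 SignatureListSize;
 *   UINT32 SignatureHeaderSize; UINT32 SignatureSize;
 *   UINT8 SignatureHeader[SignatureHeaderSize];
 *   EFI_SIGNATURE_DATA { EFI_GUID SignatureOwner; UINT8 SignatureData[]; } [...]
 * Parsed byte-wise so alignment and endianness never matter. */
#define ESL_HDR   28
#define ESD_OWNER 16

/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072, in-memory byte order */
static const uint8_t CERT_X509_GUID[16] = {
    0xa1,0x59,0xc0,0xa5, 0xe4,0x94, 0xa7,0x4a,
    0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72 };

struct sig_entry { int is_x509; const uint8_t *data; uint32_t size; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Returns the number of signature entries across all lists in the payload, or
 * -1 if any size field points outside the buffer or the lists are inconsistent. */
int esl_parse(const uint8_t *buf, size_t len, struct sig_entry *out, int max)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < ESL_HDR) return -1;
        const uint8_t *hdr = buf + off;
        uint32_t list_size = le32(hdr + 16);
        uint32_t hdr_size  = le32(hdr + 20);
        uint32_t sig_size  = le32(hdr + 24);
        if (list_size < ESL_HDR || list_size > len - off) return -1;
        if (hdr_size > list_size - ESL_HDR) return -1;
        if (sig_size <= ESD_OWNER) return -1;        /* must at least hold the owner GUID */
        size_t body = list_size - ESL_HDR - hdr_size;
        if (body % sig_size) return -1;              /* partial entry */
        const uint8_t *p = hdr + ESL_HDR + hdr_size;
        for (size_t i = 0; i < body / sig_size; i++, p += sig_size) {
            if (n == max) return -1;
            out[n].is_x509 = memcmp(hdr, CERT_X509_GUID, 16) == 0;
            out[n].data = p + ESD_OWNER;
            out[n].size = sig_size - ESD_OWNER;
            n++;
        }
        off += list_size;
    }
    return n;
}

/* Constructed sample PK payload: one X.509 list holding one entry whose
 * "certificate" is a 40-byte placeholder, not real DER. Returns total length. */
size_t build_sample_pk(uint8_t *buf)
{
    const uint32_t cert_len = 40;
    memcpy(buf, CERT_X509_GUID, 16);
    put32(buf + 16, ESL_HDR + ESD_OWNER + cert_len);   /* SignatureListSize */
    put32(buf + 20, 0);                                /* SignatureHeaderSize */
    put32(buf + 24, ESD_OWNER + cert_len);             /* SignatureSize */
    memset(buf + ESL_HDR, 0x11, ESD_OWNER);            /* SignatureOwner GUID (dummy) */
    memset(buf + ESL_HDR + ESD_OWNER, 0x30, cert_len); /* placeholder cert bytes */
    return ESL_HDR + ESD_OWNER + cert_len;
}

int demo_entries(void)       /* 1 */
{
    uint8_t buf[128]; struct sig_entry e[4];
    return esl_parse(buf, build_sample_pk(buf), e, 4);
}
int demo_cert_size(void)     /* 40, and the entry is flagged as X.509 */
{
    uint8_t buf[128]; struct sig_entry e[4];
    return esl_parse(buf, build_sample_pk(buf), e, 4) == 1 && e[0].is_x509 ? (int)e[0].size : -1;
}
int demo_short_buffer(void)  /* -1: SignatureListSize exceeds the bytes supplied */
{
    uint8_t buf[128]; struct sig_entry e[4];
    return esl_parse(buf, build_sample_pk(buf) - 1, e, 4);
}

/* Usage: ./esl_pk /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c \
 *        | openssl x509 -inform DER -noout -subject -issuer
 * efivarfs prefixes the payload with a 4-byte attribute word, skipped below. */
int main(int argc, char **argv)
{
    static uint8_t buf[65536]; struct sig_entry e[64];
    if (argc < 2) {
        printf("sample PK: %d entries, cert size %d, short buffer -> %d\n",
               demo_entries(), demo_cert_size(), demo_short_buffer());
        return 0;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int cnt = n > 4 ? esl_parse(buf + 4, n - 4, e, 64) : -1;
    if (cnt < 1) { fprintf(stderr, "malformed or empty PK (%d)\n", cnt); return 1; }
    fprintf(stderr, "%d entries; writing first %s entry (%u bytes) to stdout\n",
            cnt, e[0].is_x509 ? "X.509" : "non-X.509", e[0].size);
    fwrite(e[0].data, 1, e[0].size, stdout);
    return 0;
}
```

Run it against the PK variable and compare the printed subject and issuer with the key your vendor documents as its production Platform Key; a PK whose subject names an IBV rather than the OEM is exactly the situation the researchers describe. The same parser reads KEK, db and dbx, since they share the format.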
“The earliest firmware affected by PKfail was released in May 2012, while the most recent case was observed in June 2024,” Binarly noted, underlining the persistent nature of this supply chain issue extending over a span of more than 12 years.