If you own an internet-connected speaker made by Sonos or Bose, you could have a compromised device in your possession. Yes, audio hijacking is now a thing.
Open to attack?
Whilst only some models of the speakers, Sonos One and Bose SoundTouch, are potentially vulnerable, it’s worth checking your settings. You may have bought a compromised device and be innocently running it on your home network. Or, if you’ve opened up your network so that a server can reach the external internet to share files etc., you may have left yourself open to attack.
Security experts at Trend Micro identified vulnerable devices by using scanning tools such as Nmap and Shodan. They tested both brands of internet-connected speakers and found that hackers would be able to hijack and control vulnerable systems due to certain flaws. The attack is carried out simply by scanning the internet for vulnerable devices and using an API to gain access and hijack them. Hackers would be able to trigger the flaws to access the speakers and use them to play strange sounds or to issue Alexa commands.
Hackers had previously focused on hacking obvious devices like Amazon Echo and Google Home. But as IoT devices become more commonplace and integrated, there are more opportunities for attack.
What concerns security experts is that this could be used for more than a silly prank with some spooky sounds. With the Sonos One, the Alexa voice assistant is built into the system. This means that false commands could be given – even ones that tinker with smart home features such as door locks and lighting control.
They’re not just innocent speakers anymore.