Vulnerability Allowed Eavesdropping via Sonos Smart Speakers

LAS VEGAS — BLACK HAT USA 2024 — NCC Group researchers have disclosed vulnerabilities found in Sonos smart speakers, including a flaw that could have been exploited to eavesdrop on users.

One of the vulnerabilities, tracked as CVE-2023-50809, can be exploited for remote code execution by an attacker who is within Wi-Fi range of the targeted Sonos smart speaker.

The researchers demonstrated how an attacker targeting a Sonos One speaker could have used this vulnerability to take control of the device, covertly record audio, and then exfiltrate it to the attacker’s server.

Sonos informed customers about the vulnerability in an advisory published on August 1, but the actual patches were released last year. MediaTek, whose Wi-Fi SoC is used by the Sonos speaker, also released fixes, in March 2024. 

According to Sonos, the vulnerability affected a wireless driver that failed to “properly validate an information element while negotiating a WPA2 four-way handshake”.

“A low-privileged, close-proximity attacker could exploit this vulnerability to remotely execute arbitrary code,” the vendor said.
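
The class of check the advisory describes as missing, shown as an added example rather than code from Sonos, MediaTek or NCC Group: a bounds-checked walk over ID/length/value information elements before one is copied into a fixed-size buffer. The page does not say which element or field was mishandled; the RSN element, the buffer size and the sample bytes are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IE_HDR_LEN 2   /* one byte element ID, one byte length */
#define IE_ID_RSN  48  /* RSN element ID in IEEE 802.11 */
enum { IE_NOT_FOUND = -1, IE_MALFORMED = -2, IE_TOO_LARGE = -3 };

/* Find the first element with the given ID. Returns its body length (>= 0)
 * and sets *val, or a negative IE_* code. Every element walked over,
 * not only the match, must lie fully inside buf. */
int ie_find(const uint8_t *buf, size_t len, uint8_t id, const uint8_t **val)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < IE_HDR_LEN)
            return IE_MALFORMED;          /* truncated header */
        size_t elen = buf[off + 1];
        if (elen > len - off - IE_HDR_LEN)
            return IE_MALFORMED;          /* declared length runs past the data */
        if (buf[off] == id) {
            *val = buf + off + IE_HDR_LEN;
            return (int)elen;
        }
        off += IE_HDR_LEN + elen;
    }
    return IE_NOT_FOUND;
}

/* Copy the RSN element body into dst only if it fits in dst_cap bytes.
 * Returns the number of bytes copied or a negative IE_* code. */
int copy_rsn_ie(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_cap)
{
    const uint8_t *val = NULL;
    int n = ie_find(buf, len, IE_ID_RSN, &val);
    if (n < 0)
        return n;
    if ((size_t)n > dst_cap)
        return IE_TOO_LARGE;              /* sender-chosen length exceeds our buffer */
    memcpy(dst, val, (size_t)n);
    return n;
}

/* Constructed sample inputs (not captured traffic). */
const uint8_t ie_good[]  = { 0xdd, 0x02, 0xaa, 0xbb, 0x30, 0x04, 0x01, 0x00, 0x00, 0x0f };
const uint8_t ie_trunc[] = { 0x30, 0x14, 0x01, 0x00 };  /* claims 20 bytes, carries 2 */
uint8_t rsn_buf[8];                       /* fixed-size destination */

int main(void)
{
    return copy_rsn_ie(ie_good, sizeof ie_good, rsn_buf, sizeof rsn_buf) == 4 ? 0 : 1;
}
```

Both checks matter: the first keeps the parser inside the received data, the second keeps the copy inside the destination, and a length byte supplied by the peer satisfies neither on its own.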

In addition, the NCC researchers discovered flaws in the Sonos Era-100 secure boot implementation. By chaining them with a previously known privilege escalation flaw, the researchers were able to achieve persistent code execution with elevated privileges.

NCC Group has made available a whitepaper with technical details and a video showing its eavesdropping exploit in action.
