Sonos Smart Speakers Vulnerable to Hackers for Eavesdropping

Tech Read Team



Sonos Smart Speaker Security Vulnerabilities

Aug 09, 2024Ravie LakshmananIoT Security / Wireless Security


Cybersecurity researchers have discovered vulnerabilities in Sonos smart speakers that could be exploited by malicious actors to secretly listen in on users.

The vulnerabilities were found to “completely compromise the security of Sonos’s secure boot process on various devices, potentially allowing attackers to compromise multiple devices remotely,” NCC Group security researchers Alex Plaskett and Robert Herrera reported.

If successfully exploited, one of these vulnerabilities could enable remote attackers to covertly capture audio from Sonos devices through an over-the-air attack. These issues affect all versions before Sonos S2 release 15.9 and Sonos S1 release 11.12, released in October and November 2023.

At Black Hat USA 2024, the researchers detailed two security flaws:

  • CVE-2023-50809 – A vulnerability in the Sonos One Gen 2 Wi-Fi stack that could lead to remote code execution during WPA2 four-way handshake negotiations.
  • CVE-2023-50810 – A vulnerability in the U-Boot component of the Sonos Era-100 firmware that allows persistent arbitrary code execution with Linux kernel privileges.

The researchers at NCC Group managed to achieve remote code execution on Sonos Era-100 and Sonos One devices after reverse-engineering the boot process. They explained that CVE-2023-50809 stemmed from a memory corruption vulnerability in the wireless driver of the Sonos One, which uses a third-party MediaTek chipset.


A MediaTek advisory for the related identifier CVE-2024-20018 described a possible out-of-bounds write in the wlan driver that could lead to local privilege escalation with no additional execution privileges needed.

The researchers further detailed the implications of the vulnerabilities, one of which could result in obtaining full control over the smart speaker through a novel Rust implant for audio capture.

The other flaw, CVE-2023-50810, involved a chain of weaknesses in the secure boot process of Era-100 devices that allowed unsigned code execution in the kernel context.


This vulnerability could be combined with an N-day privilege escalation flaw to facilitate ARM EL3 level code execution and extract hardware-backed cryptographic secrets.

The researchers emphasized the importance of maintaining a consistent security standard across OEM and in-house components to prevent such vulnerabilities.

Additionally, the firmware security company Binarly flagged a critical firmware supply chain issue, PKfail, affecting hundreds of UEFI products from various vendors and spanning over a decade, allowing attackers to bypass Secure Boot and install malware.
