{"id":166823,"date":"2024-08-10T00:00:55","date_gmt":"2024-08-10T00:00:55","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=166823"},"modified":"2024-08-10T00:00:57","modified_gmt":"2024-08-10T00:00:57","slug":"sonos-smart-speakers-flaw","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/166823\/hacking\/sonos-smart-speakers-flaw.html","title":{"rendered":"Sonos smart speakers flaw allowed to eavesdrop on users"},"content":{"rendered":"

NCC Group discovered vulnerabilities in Sonos smart speakers, including a flaw that could have allowed eavesdropping on users.<\/h2>\n\n\n\n

Researchers from NCC Group have discovered multiple vulnerabilities in Sonos smart speakers, including a flaw, tracked as CVE-2023-50809, that could have allowed eavesdropping on users.<\/p>\n\n\n\n

The researchers have disclosed the vulnerabilities during the BLACK HAT USA 2024 conference.<\/p>\n\n\n\n

The vulnerability CVE-2023-50809 can be exploited by an attacker within Wi-Fi range of the targeted Sonos smart speaker to achieve remote code execution and take over the device.<\/p>\n\n\n\n

The flaw resides in the device’s wireless driver, which fails to properly validate an information element while negotiating a WPA2 four-way handshake.<\/p>\n\n\n\n

Successfully exploiting this flaw can allow attackers to record audio and exfiltrate it to the attacker\u2019s server.<\/p>\n\n\n\n

“A vulnerability exists in the affected devices wireless driver that does not properly validate an information element while negotiating a WPA2 four-way handshake.” reads the advisory<\/a>. “A low-privileged, close-proximity attacker could exploit this vulnerability to remotely execute arbitrary code.”<\/em><\/p>\n\n\n


The vendor addressed the vulnerability with Sonos S2 release 15.9 and informed customers that no workarounds are available.<\/p>\n\n\n\n

MediaTek, which manufactures the Wi-Fi SoC used in the Sonos speakers, released a security advisory<\/a> in March 2024 (CVE-2024-20018).<\/p>\n\n\n\n

NCC Group also published a whitepaper<\/a> that provides details about the reverse engineering process and exploitation techniques that its experts used to achieve arbitrary code execution on both the Sonos Era-100 and the Sonos One devices.<\/p>\n\n\n\n

“The paper is then split into two major sections, the first covering a memory corruption vulnerability which was identified within the WPA2 handshake process of the device\u2019s wireless driver of the Sonos One. The driver itself was a third-party chipset by MediaTek who has now the associated patch with the March 2024 Security Bulletin (CVE-2024-20018). Within this section, we discuss the vulnerability itself and the steps necessary to exploit the issue as well as a detailed listing of techniques used to achieve code execution (such as an in-depth return orientated programming payload).” states NCC Group<\/a>.<\/em><\/p>\n\n\n\n

“After this, we describe the post-exploitation process of obtaining a full shell on the device and describe a novel implant which we developed for capturing audio from the device\u2019s microphone. The other major section of the whitepaper is dedicated towards the Sonos Era-100 device. NCC Group previously identified weaknesses within the secure boot process on the device.”<\/em><\/p>\n\n\n\n

Below is a video PoC of the attack exploiting the flaw to eavesdrop on users.<\/p>\n\n\n\n