Sonos speaker flaw lets hackers run code from afar

August 13, 2024

TLDR:

  • Sonos released a security advisory to fix vulnerabilities in Sonos One and Sonos Era-100 Bluetooth speakers
  • The vulnerabilities could allow threat actors to compromise the device and record its microphone, capturing audio within range

At the beginning of August 2024, Sonos addressed Remote Code Execution vulnerabilities in its Sonos One and Sonos Era-100 Bluetooth speakers. The vulnerabilities, assigned CVE-2023-50810 and CVE-2023-50809, allowed threat actors to compromise the kernel over the air and then record the microphone, capturing audio within range. These vulnerabilities were presented at the Black Hat USA 2024 conference.

The vulnerabilities were identified in the WPA2 handshake process and design patterns within the code path that handled and parsed WPA key material. By chaining vulnerabilities related to improper input validation and unchecked maximum length, threat actors could trigger a stack buffer overflow and gain control over the Sonos device.
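The bug class described above, shown from the fix side as an added example (it is not Sonos or driver code): a parser that copies a group key out of WPA2 key data and applies both length checks before writing to a fixed-size buffer. The function name `extract_gtk`, the 32-byte limit and the choice of the GTK element are assumptions for illustration; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KDE_TYPE    0xdd  /* element ID that introduces a KDE */
#define GTK_MAX_LEN 32    /* assumed size of the caller's key buffer */

static const uint8_t RSN_OUI[3] = { 0x00, 0x0f, 0xac };

/* Hypothetical helper: copy the group key out of decrypted EAPOL-Key key data.
 * Returns the key length, or -1 if any length field is inconsistent. */
int extract_gtk(const uint8_t *kd, size_t kd_len, uint8_t out[GTK_MAX_LEN])
{
    size_t off = 0;

    while (kd_len - off >= 2) {
        size_t len = kd[off + 1];            /* sender-controlled length */

        /* Check 1: the element must end inside the received buffer. */
        if (len > kd_len - off - 2)
            return -1;

        /* GTK KDE body: OUI(3) + data type 1 + key-id(1) + reserved(1) + key */
        if (kd[off] == KDE_TYPE && len >= 6 &&
            memcmp(&kd[off + 2], RSN_OUI, 3) == 0 && kd[off + 5] == 1) {
            size_t key_len = len - 6;

            /* Check 2: enforce the maximum before writing to the fixed-size
             * destination; omitting this is the stack-overflow pattern. */
            if (key_len == 0 || key_len > GTK_MAX_LEN)
                return -1;
            memcpy(out, &kd[off + 8], key_len);
            return (int)key_len;
        }
        off += 2 + len;                      /* skip elements we do not need */
    }
    return -1;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[24]  = { 0xdd, 22, 0x00, 0x0f, 0xac, 1, 1, 0,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const uint8_t SAMPLE_BIG[48] = { 0xdd, 46, 0x00, 0x0f, 0xac, 1, 1, 0 };
static const uint8_t SAMPLE_CUT[10] = { 0xdd, 22, 0x00, 0x0f, 0xac, 1, 1, 0, 1, 2 };
```

`SAMPLE_BIG` is internally consistent but declares a 40-byte key, so only the second check rejects it; `SAMPLE_CUT` declares more bytes than were received and is rejected by the first.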

Once Remote Code Execution was achieved, researchers were able to pivot their access to gain additional permissions and capabilities over the compromised device. By adjusting stack pointers and executing code in the kernel, they were able to covertly capture audio from the device’s proximity and execute shellcode.

Additionally, the Sonos Era-100 was affected by a Secure Boot bypass caused by three issues in its U-Boot implementation. Because the kernel was loaded and validated improperly, threat actors could gain shell access in the context of the device’s root.

Overall, these vulnerabilities in Sonos smart speakers highlight the importance of addressing security flaws in IoT devices to prevent malicious actors from executing remote code and compromising user privacy.
