Skip to main content

A major Sonos exploit was explained at Black Hat — but you needn’t worry

A Sonos One speaker sitting on an outdoor table.
This aging Sonos One looks like it's seen a thing or two — but it's also continued to see security updates. Phil Nickinson / Digital Trends

Hardware exploits, in a very oversimplified sense, can be broken down into two categories: Those you should care about, and those you shouldn’t. And this one firmly sits in the category of exploits that you really need not lose sleep over. But given that it involves Sonos — and because Sonos has rightly been the subject of less-than-positive headlines of late — it’s at least worth discussing.

So here’s the deal: A presentation by NCC Group’s Robert Herrera and Alex Plaskett at the August Black Hat USA 2024 conference in Las Vegas showed how a Sonos One could be exploited to allow an attacker to capture audio in real time off the device, thanks to a kernel vulnerability initiated by a flaw in the Wi-Fi stack. That, obviously, is not good. The Sonos One was the first speaker from the company to use a microphone to allow for hands-free voice control.

When the Sonos One connects to a router, there’s a handshake that happens before you can send wireless traffic, Herrera explained in an interview with Dark Reading. One of the packets exchanged was not properly validated, and that vulnerability is how an attacker could force their way into the device, and from there access the microphones.

“We deploy a method of capturing all the audio data — all the microphone input in the room, in the vicinity of this Sonos device,” Plaskett told Dark Reading ahead of his and Herrera’s presentation. An attacker is then “able to exfiltrate that data and play it back at a later date, and be able to play back all the recorded conversations from the room.”

It’s a real-time thing, though. The attacker couldn’t hear what was said before the exploit was leveraged. “You would need to exploit the Sonos device first to start the capture,” Plasket said. “And then once you start the capture, you only … have the data from within that period.”

But the proof of concept shown was not easy to implement and not the sort of thing you’d be able to do without actually being nearby someone’s Sonos One. (Other devices could be at risk, Plaskett and Herrera said, but that was more a function of the Wi-Fi flaw.)

“If an attacker goes to that kind of extent, they could compromise the devices,” Plaskett said. “And I think people have been assuming that these devices may be secure. So being able to kind of quantify the amount of effort and what an attacker would need to actually achieve the compromise is quite an important understanding.”

Perhaps most important is that the exploit was fixed within a couple months of being reported, with an update to the Sonos S2 system coming in October 2023, and an S1 update about a month later. Sonos publicly acknowledged the remote code execution vulnerability in a bulletin — again, nearly a year after actually patching its own devices — on August 1, 2024. MediaTek — whose Wi-Fi stack was the root problem here — issued its own security advisory in March 2024.

“The security posture of Sonos devices is a good standard. It’s been evolving over time,” Plaskett said. “Every vendor has vulnerabilities, and basically, it’s about how you respond to those vulnerabilities. How you patch those vulnerabilities. Sonos fixed these vulnerabilities within two months. … Yeah, it’s a good patching process, I would say.”

Phil Nickinson
Phil spent the 2000s making newspapers with the Pensacola (Fla.) News Journal, the 2010s with Android Central and then the…
The Sonos Era speakers solve a major problem for Android users
Sonos TruePlay settings.

The new Sonos Era 100 and Era 300 usher in a new generation of wireless speakers for the company, and our first impressions were pretty good. They also close a gaping hole that has plagued a pretty large segment of users. Android users no longer are left out of the Trueplay feature.

Custom tuning of speakers for their environments isn’t particularly new. Google has done it with its Nest Hub Max. Apple does it with the HomePod. But Sonos has always required a phone to do the listening for ambient sound and fine-tuning the speakers. And to date, that phone always has had to be an iPhone (unless you have a portable Sonos Move, but that's almost a different product category at this point. Stay with us here).

Read more
C’mon, Apple — if Sonos can admit it was wrong about Bluetooth, so can you
Handoff between Apple iPhone and Apple HomePod second-gen.

For years, Sonos has relentlessly championed the benefits of Wi-Fi audio. The company even ran a cheeky (and hilarious) campaign showing how annoying it can be to use Bluetooth, featuring pinging notifications and phone calls routinely interrupting what should have otherwise been enjoyable music-listening sessions. Times have changed, however, and not only has Sonos added Bluetooth to its two portable speakers (the Move and the Roam), but recent leaks suggest that it’s considering expanding support for Bluetooth into its main portfolio of powered speakers too, starting with the new Sonos Era 100 and Sonos Era 300.

This amounts to a tacit acknowledgment that Sonos may have been too zealous in its past refusal to adopt Bluetooth audio, and I can’t help but think that it might be time for another company to rethink its rejection of Bluetooth: Apple.

Read more
Why aren’t sports in 4K and HDR? It’s harder than you think
Fox Sports Camera

I don’t know if we can pinpoint a moment at which 4K content became normalized -- it sort of snuck up on us -- but today 4K and 4K HDR content is not hard to come by. Netflix, Amazon, Disney +, HBO Max – they all have it, and plenty of it. So we’re starting to get used to it. We’re hungry for 4K and we expect it on our plate. This has a lot of folks wondering: Why is it so hard to get sports in 4K?

Three years ago, I was fortunate enough to fly down to Florida to go behind the scenes with Fox Sports as it delivered the first-ever 4K HDR Super Bowl broadcast. Not only did I get to watch the Fox team do its live daytime broadcasts from South Beach, but I also got to go to roam around Hard Rock Stadium, where I had totally unfettered access to the stadium and all the cameras in it – as well as a massive broadcast compound. I got to go in every production truck, I saw every step of the production, from the cameras to the outbound feeds, and I got every question I asked answered by some of the top video production pros in the business. I learned so much while I was there.

Read more