Cybersecurity researchers have discovered weaknesses in Sonos smart speakers that could be used by an attacker to secretly eavesdrop on users.
The vulnerabilities “resulted in a complete breach of Sonos’ secure download process on a wide range of devices and the ability to remotely hack multiple devices over the air,” NCC Group security researchers Alex Plaskett and Robert Herrera noted. said.
Successful exploitation of one of these flaws could allow a remote attacker to secretly capture audio from Sonos devices via a wireless attack. They are affect all versions to Sonos S2 Release 15.9 and Sonos S1 Release 11.12, which shipped in October and November 2023.
The findings were presented at Black Hat USA 2024. The description of the two security flaws is as follows –
- CVE-2023-50809 – Vulnerability in the Wi-Fi stack of Sonos One Gen 2 does not allow the information element to be properly validated when negotiating a WPA2 four-way handshake, which could lead to remote code execution
- CVE-2023-50810 – A vulnerability in the U-Boot component of the Sonos Era-100 firmware that allows the persistent execution of arbitrary code with Linux kernel privileges
The NCC team, which engineered the boot process to achieve remote code execution on the Sonos Era-100 and Sonos One devices, said CVE-2023-50809 is the result of a memory corruption vulnerability in the Sonos One wireless driver, which is a third-party chipset manufactured by MediaTek.
“Out-of-bounds write possible in WLAN driver due to incorrect input validation,” — MediaTek said in the advisory for CVE-2024-20018. “This can lead to local privilege escalation without the need for additional execution privileges. No user interaction required for use.”
The initial access gained in this way paves the way for a series of post-exploitation steps that include obtaining a full shell on the device to gain full control of the smart speaker in the context of root, followed by the deployment of a new Rust implant capable of capturing sound from a microphone in close physical proximity to the speaker .
Another flaw, CVE-2023-50810, is related to a chain of vulnerabilities discovered in the secure boot process for cracking Era-100 devices, which effectively bypasses security controls to allow unsigned code execution in the context of the kernel.
This can then be combined with the privilege escalation disadvantage for N days for relief ARM EL3 level code execution and cryptographic secret extraction with hardware support.
“Overall, two important conclusions can be drawn from this study,” the researchers said. “First, OEM components must meet the same safety standards as domestic components. Vendors must also perform threat modeling for all external attack surfaces of their products and ensure that all remote vectors are properly tested.”
“In the case of secure boot vulnerabilities, it is important to check and test the boot chain to ensure that these vulnerabilities are not present. Both hardware and software attack vectors should be considered.”
The disclosure comes after firmware security company Binarly revealed that hundreds of UEFI products from nearly a dozen vendors are vulnerable to a critical issue in the firmware supply chain known as PKfail, which allows attackers to bypass secure boot and install malware.
In particular, it was established that hundreds of products use a test platform key generated by American Megatrends International (AMI) that was likely included in their reference implementation in the hope that it would be replaced by another securely generated key by downstream actors in the supply chain.
“The problem arises from a secure boot ‘master key’ known as Platform Key (PK) in UEFI terminology, which is not reliable because it is created by Independent BIOS Vendors (IBVs) and used by different vendors,” it said messages. saiddescribing it as a cross-silicon issue affecting both x86 and ARM architectures.
“This platform key (…) is often not replaced by OEMs or device vendors, resulting in devices being shipped with untrusted keys. An attacker with access to a private part of a PC can easily bypass secure boot by manipulating the exchange key keys (KEK), signature database (db) and forbidden signature database (dbx).”
As a result, PKfail allows attackers to run arbitrary code during the boot process, even with secure boot enabled, allowing them to sign malicious code and deliver a UEFI bootloader, e.g. Black Lotus.
“The first firmware vulnerable to PKfail was released back in May 2012, and the latest firmware was released in June 2024,” Binarli said. “Overall, this makes this supply chain issue one of the longest of its kind, spanning more than 12 years.”
