
Trend Micro Reveals Security Flaws in Sonos Internet Connected Speakers


NEWS ANALYSIS: Yet another set of risks is revealed in connected devices; this time, the flaw is in Sonos speakers.
Time and again over the course of 2017, security researchers have looked for, and found, security flaws in Internet of Things (IoT) connected devices. The latest such research was reported on Dec. 27 by Trend Micro, which found multiple flaws in connected home speakers from Sonos and Bose.
Details on the flaws are discussed by Trend Micro in a 47-page report titled “The Sound of a Targeted Attack,” which also provides insight into how attackers could potentially use the vulnerabilities to exploit users. The impacted systems include the Sonos Play:1, Sonos One, and Bose SoundTouch systems.
“With the popularity of IoT devices growing every day, it is very important to be knowledgeable of the built-in security of these devices that ultimately could affect the owner and make them a target of an attack,” Stephen Hilt, Senior Threat Researcher at Trend Micro, wrote in the report. “While this research focused on Sonos speakers, we do not at all want to single them out as the only IoT device with security issues on the market today.”
Sonos has already responded to Trend Micro on the findings and has issued an update for its users. According to Trend Micro, it also reached out to Bose, but has not yet received a response to its findings. The Sonos flaws in particular could have enabled an attacker to gain information about Sonos users and potentially to take limited control of a device in order to play songs. Trend Micro also found that Sonos devices were serving an unauthenticated status page.
“This site, with no authentication, allows you to see information about the tracks currently being played, what music libraries it knows about, what devices have ever connected to it to control it, and down to personal information such as emails associated with specific audio streaming services like Spotify,” the report stated.
The Trend Micro researchers noted in the report that they could take the user information found on the status pages and cross-reference it with breached account database services to find potentially associated usernames and passwords.
Additionally, there was functionality on the Sonos devices that could have enabled an unauthenticated remote attacker to ‘ping’ or query the network the device was attached to, in order to find other devices. Using a weak device to pivot and attack other devices in a network is a common attacker technique. As such, even though simply getting access to a vulnerable Sonos device might initially seem like just a nuisance type of attack, there is the potential that the vulnerable device could become a launching point for a wider, more invasive attack.
Trend Micro reported that when it first conducted the research, it used the shodan.io search tool to find approximately 5,000 Sonos devices that were connected to the public internet and potentially at risk. On Dec. 28, eWEEK conducted a Shodan search with the same parameters and found 2,289 potentially exposed Sonos devices.
Root Cause
With the Sonos speakers, the root cause of the vulnerability is an unauthenticated SOAP XML interface that leads to information leakage. SOAP (Simple Object Access Protocol) is a remote procedure call technology that gives access into a given interface or device.
“While these devices are never supposed to be exposed on the internet, we have shown that they can and will find their way directly on the internet,” Hilt wrote. “We believe that the manufacturers should do whatever they can to make sure that their devices are secured enough that if it is placed on the internet, the likelihood of attack is really low.”
Hilt also suggests that end-users set up their Sonos systems on a secured internal network.
Fundamentally, though, any time there are any administrative or monitoring capabilities available on a device, they should be protected, at the very least, with some form of basic authentication. What the new Trend Micro research reinforces is the notion that a motivated attacker can use even basic information to pivot into more meaningful attack vectors.
No doubt, there are still many other IoT devices with similar kinds of issues that could be exposing users to risk. The recommendation to put IoT devices on a separate secured network is a helpful one. That way, even if an attacker can get access to a vulnerable IoT device and then attempt to pivot to other devices or network assets, the attack surface may be reduced.
The simple and unfortunate truth of IoT connected devices at this point in time is that they can represent a potential unauthorized entry point into a network if not properly secured. If a device doesn’t need to be connected to the public internet, then perhaps it should only get access to the local network. By keeping IoT devices patched and segmented from other devices and networks, risk can be reduced, but not entirely eliminated.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
