The new big thing is internet connectivity for appliances and home electronics. The smart home is the wave of the future for today's tech-savvy families, but also a playground for innovative hackers trying to find any loophole they can to exploit for their nefarious exploits. In an ongoing effort to combat hackers, security companies are doing their own research, and it appears two popular models of internet-connected speakers are vulnerable.
Researchers at Trend Micro have found that the Sonos Play:1 and Bose SoundTouch systems can be commandeered to play any audio file a hacker might choose. Hackers can find the speakers online through an easy internet scan using tools like NMap and Shodan. A compromised device on the home network or connected through a server to the external internet is vulnerable.
"The unfortunate reality is that these devices assume the network they're sitting on is trusted, and we all should know better than that at this point," Trend Micro research director Mark Nunnikhoven told Wired. "Anyone can go in and start controlling your speaker sounds," if you have compromised devices, or even just a carelessly configured network.
The good news is that Trend Micro found only a few types of devices open to attack in their testing, but that does mean there is the potential for hundreds or thousands of devices to be breached. The bad news is that there have been some reports of customers experiencing weird and scary sounds coming from their speakers. And not just audio files can be played. Just imagine a hacker using the speaker to send voice commands to your Echo or Google Home devices.
"Now I can start to run through more devious scenarios and really start to access the smart devices in your home," Nunnikhoven said.
Trend Micro has already alerted Sonos, which immediately pushed out an update that limits access to the devices. Bose was also alerted, but has yet to respond.
While the possibilities are not a serious threat, they are just another example of manufacturers and developers being even more diligent in making sure any device that can connect to the internet is coded as secure as possible.