Some Sonos and Bose Speakers Are Being Hijacked To Play Ghostly Sounds

An anonymous reader quotes a report from The Verge: Researchers at Trend Micro have found that certain models of Sonos and Bose speakers have vulnerabilities that leave them open to hijacking, as reported by Wired. The accessible speakers are being exploited by hackers that are using them to play spooky sounds, Alexa commands, and Rick Astley tracks. Only a small percentage of speakers by the two companies are actually affected, including some of the Sonos Play:1, the Sonos One, and the Bose SoundTouch. All it takes is for the speaker to be connected to a misconfigured network and a simple internet scan. Once the speaker is discovered via the scan, the API it uses to talk to apps can be utilized to tell the speakers to play any audio file hosted at a specific URL. Of all the models, between 2,500 to 5,000 Sonos devices and 400 to 500 Bose devices were found by Trend Micro to be open to audio hacking.

Hacked?

[nospam007]

It's just the ghost of Harald "Bluetooth" Gormsson, King of Denmark, who resents the use of his name, spooking the users of those damn speakers from beyond the grave.

Re:Hacked?

Bluetooth is not dead!
(yet)

Re:Hacked?

[RogueWarrior65]

A friend of mine has hearing-aids with Bluetooth. I really want to hack into them to gaslight the guy.

Re: Hacked?

With friends like you who needs enemies?

Re:Hacked?

Sonos doesn't use Bluetooth.

long time no see

"and Rick Astley tracks"

This /. is so distant from the one I dwelt almost two decades ago that even a stupid meme name such as rickrolling has been forgotten.

Re:long time no see

[Scarletdown]

Badgerbadgerbadgerbadger...

Re:long time no see

ALL YOUR BADGER ARE BELONG TO US

Filter error: Don't use so many caps. It's like YELLING.

Filter error: Don't use so many caps. It's like YELLING.

Filter error: Don't use so many caps. It's like YELLING.

Filter error: Don't use so many caps. It's like YELLING.

Re:long time no see

[ClickOnThis]

TFS quotes "Rick Astley tracks" from TFA, so blame Wired, not Slashdot.

Calling it rickrolling would have been slightly more hip, but perhaps the Wired editors didn't want to confuse the few readers who might not know what it is.

Re:long time no see

[ClickOnThis]

Oops, sorry: "sed -e s/Wired/The Verge/g". That is all.

Re:long time no see

[FatdogHaiku]

https://xkcd.com/351/
Don't forget the mouseover text...

Re:long time no see

[Hognoxious]

Excusable. It's not like you're confusing Dr.Dobb's with GQ.

never saw that coming

Shitty internet connected product is shitty, anyone who buys this stuff deserves whatever happens to them.

russians hacked ghosts?

[sittingnut]

this explains why there is zero independently verifiable evidence of any russian "election hacking".
russians must have hacked ghosts.

Re:russians hacked ghosts?

[Patent+Lover]

Well, according several large religions Ghosts are perfectly real.

Spooky Sounds?

No, they were saying "Boo-urns."

Factory Spirits

[mentil]

The speakers are actually haunted by the spirits of Chinese workers in the factory they were made in, who jumped off the roof for insurance money. Strange messages end up in fortune cookies for the same reason.

Practical uses

[Tablizer]

"Mr. President, this is God..."

Re:Practical uses

[mysidia]

What does god want with a starship?

Re:Practical uses

[deesine]

"...stop playing with yourself."

Re: Practical uses

Zhwooba...zhwooba....
who is this really?

Re:Practical uses

[ChatHuant]

It's been known to happen. Voice Of God Revealed To Be Cheney On Intercom.

Subliminal Messages

[Fly+Swatter]

What's to stop some questionable entity from playing subliminal messages while you sleep? They know you are asleep because they also made^H^H^HJ^Hhacked the voice controlled home assistant device that can hear you snoring. Sure just keep buying all this internet-connected-full-of-holes-crap because everyone needs more creepy in their life.

Okay, I'll admit it...

[Two99Point80]

I read the first two sentences of the story excerpt aloud to my husband. Our kitchen-table-top Echo Dot then cheerily announced through its external speakers: "Shuffling songs by Rick Astley!" So thanks to Amazon Prime I now know that Astley recorded more than just THE song...

Ooooooooo

Peter, those are Cheerios.

A bot please!

[VeryFluffyBunny]

Somebody write a bot. Somebody write a bot. Somebody write a bot. Somebody write a bot... Can we please have Rick Astley on all Bose and Sonos IoT speakers? Actually, on everything IoT. Someone's got to put and end to this IoT nonsense and Rick Astley might just be the guy to do it :)))

Sounds of the Internet

So this is what Internet sounds. Attach one on a public square as an art project and wait for the eventual Mao and Hitler speeches fill the air.

Obligatory Onion article

[ClickOnThis]

This refers to Alexa but it's close enough.

I guess ok for background music

[stabiesoft]

but does anyone use these things for serious listening? Just tonite I heard a piece of Saint Saens Symphony #3 on the radio. It was just not satisfying, so I pulled my CD of it. The organ pedal part of this piece is just not the same unless it envelops you, and I just don't see these speakers doing it.

Re: I guess ok for background music

Are you asking if hq audio can be streamed over a network?

Re:I guess ok for background music

but does anyone use these things for serious listening? Just tonite I heard a piece of Saint Saens Symphony #3 on the radio. It was just not satisfying, so I pulled my CD of it. The organ pedal part of this piece is just not the same unless it envelops you, and I just don't see these speakers doing it.

Sonos speakers are decent 'bookshelf' quality speakers. They fill a functional need for an easy to set up, decent sounding wireless system that could serve multi-room functions and be easy to control for the average consumer. Most use for casual listening. The quality of sound output is dependent on the input. If you stream an internet radio station, its not going to sound as good as listening to a local FLAC file (which will sound the same as your CD). Of course, a nice audio system with larger-better speakers will sound better than a Sonos. There is a Sonos product that can connect to your hifi system and you could get equivalent sound quality as playing a CD. Chromecast Audio does this now as well.

Sonos is a bit pricey, but it seems people who purchase them speak highly of them. I use Chromecast Audios for my casual whole house streaming. Much cheaper, can sound as good or better depending on your amp and speakers.

Re:I guess ok for background music

[Gojira+Shipi-Taro]

I don't think that the market made of people who listen to things like "Saint Saens Symphony #3 " is part of their target demo. The quality is very very good for casual listening/ filling the house with music. It's not $1200/speaker high-end audiophile gear.

Re:I guess ok for background music

[Doctor+Memory]

LOL, you realize the vast majority of the audio-buying public is satisfied with listening to lossy MP3s through mono speakers with a 150Hz-15KHz range, right? As long as they can connect to their phone via BT they're happy. Compared to the mass-market crap that sells the most, these things might as well be B&Ws or Vandersteens.

Nothing to see here

Watching the YouTube video it seems that you need either Port 1400 for sonus or 8090 for Bose open to the public internet, these devices require no ports open to function correctly so either people are putting these devices in the dmz or they are directly connections it to the internet with no firewall, I mean even shit firewalls wouldn't have that port open by default. So yes if you put a device on the web with random ports exposed the device is vulnerable. Not that it isn't a cleaver exploit but can someone explain to me how 5000 of these devices have public ips without a firewall in front of it?

Re:Nothing to see here

A quick google search; Sonos tells people to forward that port if they want to control from cell phone over itnernet ; https://en.community.sonos.com/controllers-software-228995/port-forwarding-controlling-sonos-through-a-firewall-6570931

  " I called Sonos and was told to forward port 1400, both TCP and UDP as well. "

Hmm...

I'm wondering if this can something to do with what happened in the American embassy in Cuba...

Good old IoT devices

So glad we decided to invite all these devices into our homes attached to the internet. Itâ(TM)s like inviting roadents into your home just waiting to find a way into your stuff. None of these companies seem to have any clue how to protect them, and make them dummy accessible at the same time.

There's only one fix:

[MtViewGuy]

And that is to incorporate malware protection literally at the router level. Problem is, the only devices I know that can do that are the Norton Core router and the eero mesh routers running their subscription malware protection service.

Re:There's only one fix:

And that is to incorporate malware protection literally at the router level. Problem is, the only devices I know that can do that are the Norton Core router and the eero mesh routers running their subscription malware protection service.

TP Link's Deco M5 mesh devices ($99/each, $220/three) include a 3 year subscription to "HomeCare" which includes some ability to detect and quarantine local devices whose network traffic shows them to be infected with malware ("Intrusion Prevention System" and "Infected Device Quarantine" -- http://www.tp-link.com/us/home-networking/deco/).

Insecurely Designed Internet Of Things == IDIOT

[knorthern+knight]

An appropriate acronym, don't you think?