New Vulnerabilities in Sonos Smart Speakers Enable Eavesdropping

Cybersecurity experts have identified significant flaws in Sonos smart speakers that could be exploited by attackers to secretly listen in on users.

The vulnerabilities “resulted in a total breach of Sonos’s secure boot process across various devices and allowed remote compromise of several devices wirelessly,” noted NCC Group security researchers Alex Plaskett and Robert Herrera.

Exploiting these flaws could permit a remote attacker to clandestinely capture audio from Sonos devices through an over-the-air attack. These vulnerabilities affect all versions prior to Sonos S2 release 15.9 and Sonos S1 release 11.12, which were released in October and November 2023.

The findings were disclosed at Black Hat USA 2024. The details of the two security issues are:

• CVE-2023-50809: The Wi-Fi stack on the Sonos One Gen 2 fails to properly validate an information element during the WPA2 four-way handshake, which can lead to remote code execution.
• CVE-2023-50810: This issue is found in the U-Boot component of the Sonos Era-100 firmware and allows for persistent arbitrary code execution with Linux kernel privileges.

NCC Group, which reverse-engineered the boot process to achieve remote code execution on Sonos Era-100 and Sonos One devices, revealed that CVE-2023-50809 stems from a memory corruption vulnerability in the wireless driver of the Sonos One, which uses a MediaTek chipset.

According to MediaTek, “In the wlan driver, there is a possible out-of-bounds write due to improper input validation,” as stated in an advisory for CVE-2024-20018. “This could lead to local privilege escalation without requiring additional execution privileges. Exploitation does not necessitate user interaction.”

Initial access obtained through this vulnerability could lead to further exploitation steps, including gaining full control over the device, and deploying a new Rust implant to capture audio from the microphone if in close proximity to the speaker.

The other flaw, CVE-2023-50810, involves a series of vulnerabilities in the secure boot process that affect Era-100 devices, enabling attackers to bypass security measures and run unsigned code within the kernel’s context.

This could be combined with an N-day privilege escalation flaw to execute ARM EL3 level code and extract hardware-backed cryptographic secrets.

“Overall, two critical lessons emerge from this research,” the researchers stated. “Firstly, OEM components must meet the same security standards as in-house components. Vendors should also conduct thorough threat modeling of all external attack surfaces and ensure that remote vectors are properly validated.”

“Regarding secure boot weaknesses, it is crucial to validate and test the boot chain to prevent such vulnerabilities. Both hardware and software-based attack vectors need to be addressed.”

This revelation comes as firmware security firm Binarly disclosed that hundreds of UEFI products from nearly a dozen vendors are vulnerable to a serious firmware supply chain issue known as PKfail. This flaw allows attackers to bypass Secure Boot and install malware.

Binarly found that hundreds of products use a test Platform Key from American Megatrends International (AMI), which was intended to be replaced with a secure key by downstream entities.

“The issue stems from the Secure Boot ‘master key,’ or Platform Key (PK) in UEFI terms, which is unreliable as it is generated by Independent BIOS Vendors (IBVs) and shared among different vendors,” Binarly explained. This is a cross-silicon problem affecting both x86 and ARM architectures.

“This Platform Key […] is often not replaced by OEMs or device vendors, resulting in devices being shipped with untrusted keys. An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx).”

As a result, PKfail enables attackers to run arbitrary code during the boot process, even with Secure Boot enabled, allowing them to sign malicious code and deploy UEFI bootkits like BlackLotus.

“PKfail vulnerabilities date back to May 2012, with the most recent instance in June 2024,” Binarly noted. “This makes it one of the longest-standing supply chain issues, spanning over 12 years.”
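As an added defender-side check, not code from the article, Binarly or NCC Group, the following Python script reads the PK variable from efivarfs on a Linux host, walks the EFI_SIGNATURE_LIST structures it contains, and flags any X.509 entry whose DER carries the wording AMI's test certificates put in their subject name. The efivarfs path, the marker strings (“DO NOT TRUST”, “DO NOT SHIP”) and the attribute bytes are assumptions made for this example; the two sample variable contents are constructed stand-ins so the script runs offline.

```python
import struct
import uuid
from pathlib import Path

# efivarfs exposes each UEFI variable as a file: 4 bytes of attributes followed
# by the variable data. PK lives under the EFI global variable GUID.
EFIVARS_PK = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Wording AMI's test Platform Key certificates carry in their subject name.
# Assumed marker text for this example; confirm it against the certificate
# subject your firmware actually reports.
UNTRUSTED_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_signature_lists(data):
    """Yield (signature_type, owner, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures (UEFI spec, Signature Database)."""
    offset = 0
    while offset + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, offset + 16)
        if list_size < 28 or offset + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % offset)
        pos = offset + 28 + header_size  # skip the optional SignatureHeader
        end = offset + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        offset = end


def find_untrusted_pk(var_bytes, has_attributes=True):
    """Return the marker strings found in any X.509 PK entry.
    An empty list means no test-key wording was seen; it is not proof of a
    properly provisioned key, so still review the certificate subject."""
    data = var_bytes[4:] if has_attributes else var_bytes
    hits = []
    for sig_type, _owner, cert_der in parse_signature_lists(data):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        # Heuristic: the subject CN is stored as a printable string inside the
        # DER, so a byte scan is enough to spot the known test-key wording.
        for marker in UNTRUSTED_MARKERS:
            if marker in cert_der:
                hits.append(marker.decode())
    return hits


def build_signature_list(sig_type, owner, blobs):
    """Pack equal-length blobs into one EFI_SIGNATURE_LIST (used here only to
    build offline samples; a real PK is provisioned by the OEM or firmware)."""
    sig_size = 16 + len(blobs[0])
    body = b"".join(owner.bytes_le + blob for blob in blobs)
    header = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body


# Constructed samples: stand-ins for a DER certificate body (real ones are
# about 1 KB). Attributes 0x27 = NV | BS | RT | time-based authenticated write.
_ATTRS = b"\x27\x00\x00\x00"
SAMPLE_TEST_PK = _ATTRS + build_signature_list(
    EFI_CERT_X509_GUID, uuid.UUID(int=0),
    [b"\x30\x82\x03\x00...CN=DO NOT TRUST - AMI Test PK..."])
SAMPLE_OEM_PK = _ATTRS + build_signature_list(
    EFI_CERT_X509_GUID, uuid.UUID(int=0),
    [b"\x30\x82\x03\x00...CN=Example OEM Platform Key..."])


def check_live_system(path=EFIVARS_PK):
    """Inspect the host's PK; returns None when efivarfs is not available."""
    if not path.exists():
        return None
    return find_untrusted_pk(path.read_bytes())


if __name__ == "__main__":
    result = check_live_system()
    if result is None:
        print("efivarfs not available (not UEFI, or not Linux/root)")
    elif result:
        print("WARNING: Platform Key carries test-key wording:", result)
    else:
        print("No test-key wording found in PK; verify the subject manually")
```

Run it as root on a UEFI-booted Linux system. A hit means the PK is one every other customer of the same IBV also holds, so the KEK, db and dbx it anchors cannot be trusted until the vendor ships firmware with a proper key; a clean result only says the known wording is absent, so cross-check the subject with a tool such as efi-readvar or openssl x509 before relying on it.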
