Perhaps you've been hearing strange sounds in your home—ghostly creaks and moans, random Rick Astley tunes, Alexa commands issued in someone else's voice.
If so, you haven't necessarily lost your mind. Instead, if you own one of a few models of internet-connected speaker and you've been careless with your network settings, you might be one of thousands of people whose Sonos or Bose devices have been left wide open to audio hijacking by hackers around the world.
Researchers at Trend Micro have found that some models of Sonos and Bose speakers—including the Sonos Play:1, the newer Sonos One, and Bose SoundTouch systems—can be pinpointed online with simple internet scans, accessed remotely, and then commandeered with straightforward tricks to play any audio file that a hacker chooses. Only a small fraction of the total number of Bose and Sonos speakers were found to be accessible in their scans.
But the researchers warn that anyone with a compromised device on their home network, or who has opened up their network to provide direct access to a server they're running to the external internet—say, to host a game server or share files—has potentially left their fancy speakers vulnerable to an epic aural prank.
"The unfortunate reality is that these devices assume the network they're sitting on is trusted, and we all should know better than that at this point," says Mark Nunnikhoven, a Trend Micro research director. "Anyone can go in and start controlling your speaker sounds," if you have a compromised devices, or even just a carelessly configured network.
Trend's researchers found that scanning tools like NMap and Shodan can easily spot those exposed speakers. They identified between 2,000 and 5,000 Sonos devices online, depending on the timing of their scans, and between 400 and 500 Bose devices. The impacted models allow any device on the same network to access the APIs they use to interface with apps like Spotify or Pandora without any sort of authentication. Tapping into that API, the researchers could simply ask the speakers to play an audio file hosted at any URL they chose, and the speakers would obey.
The researchers note that audio attack could even be used to speak commands from someone's Sonos or Bose speaker to their nearby Amazon Echo or Google Home. They went so far as to test out the attack on the Sonos One, which has Amazon's Alexa voice assistant integrated into its software. By triggering the speaker to speak commands, they could actually manipulate it into talking to itself, and then executing the commands it had spoken.
Given that those voice assistant devices often control smart home features from lighting to door locks, Trend Micro's Nunnikhoven argues that they could be exploited for attacks that go beyond mere pranks. "Now I can start to run through more devious scenarios and really start to access the smart devices in your home," he says.
Given the complexity of those voice assistant attacks, however, pranks are far more likely. And the audio-hacker haunting Trend Micro warns about may have already actually happened in the wild. The company's researchers point to one posting from a customer on a Sonos forum who reported earlier this year that her speaker had begun randomly playing sounds like door creaks, baby cries, and glass breaking. "It was really loud!" she wrote. "It's starting to freak me out and I don't know how to stop it." She eventually resorted to unplugging the speaker.
Beyond merely playing sounds through a victim's device, a hacker could also determine information like what file a vulnerable speaker is currently playing, the name of someone's accounts on services like Spotify and Pandora, and the name of their Wi-Fi network. In testing devices running an older version of Sonos software, they even found that they could identify more detailed information, like the IP addresses and device IDs of gadgets that had connected to the speaker.
After Trend Micro warned Sonos about its findings, the company pushed out an update to reduce that information leakage. But Bose has yet to respond to Trend Micro's warnings about its security vulnerabilities, and both companies' speakers remain vulnerable to the audio API attack when their speakers are left accessible on the internet. A Sonos spokesperson wrote in response to an inquiry that the company is "looking into this more, but what you are referencing is a misconfiguration of a user’s network that impacts a very small number of customers that may have exposed their device to a public network. We do not recommend this type of set-up for our customers." Bose has yet responded to request for comment on Trend Micro's research.
None of this adds up to much of a critical security threat for the average audiophile. But it does mean owners of internet-connected speakers should think twice about opening holes in their network designed to let external visitors into other servers. And if they do, they should at least keep an ear out for any evil commands their Sonos might be whispering to their Echo after dark.