Researchers at Trend Micro have found that certain models of Sonos and Bose speakers have vulnerabilities that leave them open to hijacking, as reported by Wired. The accessible speakers are being exploited by hackers that are using them to play spooky sounds, Alexa commands, and… Rick Astley tracks.
Only a small percentage of speakers by the two companies are actually affected, including some of the Sonos Play:1, the Sonos One, and the Bose SoundTouch. All it takes is for the speaker to be connected to a misconfigured network and a simple internet scan. Once the speaker is discovered via the scan, the API it uses to talk to apps can be utilized to tell the speakers to play any audio file hosted at a specific URL. Of all the models, between 2,500 to 5,000 Sonos devices and 400 to 500 Bose devices were found by Trend Micro to be open to audio hacking.
Sonos told Wired in an email that it is “looking into this more, but what you are referencing is a misconfiguration of a user’s network that impacts a very small number of customers that may have exposed their device to a public network. We do not recommend this type of set-up for our customers.”
Though it would be possible for someone to glean information like IP addresses and the IDs of other connected devices, it’s unlikely due to the elaborate nature of the hack. As Wired notes, it’s much more likely to be used for odd audio pranks, like one woman whose Sonos started playing breaking glass and crying baby sounds in the middle of the night. Because Sonos has an open API program, this isn’t even the first occurrence of its speakers being taken for a spooky ride. Back in 2014, a developer made an interactive hack named Ghosty that essentially did the same thing.
While this vulnerability affects only a tiny portion of Sonos and Bose owners, and is likely to be relatively benign if exploited at all, it’s still worth double checking the security of the network they’re connected to.