Security researchers have warned that newly discovered flaws in internet-connected speakers could allow attackers to locate entry points into enterprise networks.
Trend Micro senior threat researcher Stephen Hilt explained that the firm managed to find 4-5000 Sonos speakers and hundreds of Bose speakers exposed to the public-facing internet through a simple Shodan search.
“The first glaring finding was access to email addresses that are linked to music streaming services synced with the device. Another was access to a list of devices as well as shared folders that were on the same network as the test device”, he continued.
“We also got BSSID information that, paired with an existing API that queries specific BSSIDs, gave us the approximate location of access points used by the test unit. And lastly, we were able to see the device’s activities, such as current songs being played, control the device remotely, as well as play music through URI paths.”
In practice, this means that attackers could do much more than take control of the device itself — they could even access information on devices on the same network as the speakers.
“In a workplace scenario, an exposed device which identifies and lists down other IoT devices connected to the same network can give an attacker plenty of information to work on,” said Hilt. “Bad actors could find machines such as printers with existing vulnerabilities and use that to gather further information or as an entry point.”
Other attack scenarios include using exposed information on users’ musical preferences to craft a spearphishing email sent to the email address linked to the streaming account.
Trend Micro also warned that attackers could monitor the wireless access points (WAPs) the device tries to access in order to locate a user and work out when they might be asleep or out of the house, with the aim of carrying out a robbery.
Another option would be to use the exposed info to disrupt a user’s device and then send a malware-laden email disguised as a ‘manufacturer update’.
“While IoT devices are connected to the internet, they should never be exposed. In the case of the test device, manufacturers should make sure that ports connecting to the devices cannot be accessed directly from the internet,” said Hilt. “Manufacturers should also secure data that’s being stored or compiled by these IoT devices and conduct security audits — including regularly reading public forums discussing their products.”
Users and IT administrators should also do their bit by limiting access to smart devices, enabling strong password protection, keeping firmware up to date and scanning networks for any open ports, he added.
Although the number of affected devices was only a small percentage of the total out there, Sonos swiftly patched the issues identified by Trend Micro, while Bose had yet to respond at the time the blog was published.