Security researchers have found that some models of Sonos and Bose speakers can be remotely hijacked to play creepy and unnerving ghostly sounds. Researchers at Trend Micro identified an unusual weakness that affects a small percentage of the two firms' speakers, including the Sonos Play:1, Sonos One and Bose SoundTouch systems, Wired first reported.
The affected internet-connected models can be found by hackers or pranksters using ordinary scanning tools such as Nmap or the Shodan search engine, then remotely accessed to play an audio clip of the attacker's choosing, the researchers said. Depending on the time of the scan, between 2,000 and 5,000 Sonos devices and about 400 to 500 Bose devices were visible online and potentially open to attack.
By design, these devices let any device on the same Wi-Fi network reach the control APIs that the companion apps use to play music from services such as Spotify or Pandora, with no user authentication. When a speaker is reachable from the internet, an attacker can call that same API and tell the speaker to play an audio file hosted at a URL of their choosing.
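The practical check that follows from the two paragraphs above is to confirm that a speaker's unauthenticated control port is only reachable from the private LAN, never from a public address. The script below is an added example, not Trend Micro's tooling or anything from Sonos or Bose: it triages Nmap grepable (`-oG`) output and flags speaker control ports that are open on non-RFC 1918 addresses, and it includes a small live probe you can point at your own speaker from outside your network. The port numbers (TCP 1400 for the Sonos control interface, TCP 8090 for Bose SoundTouch) and the scan lines are assumptions constructed for the example; neither appears in the article.

```python
"""Triage Nmap -oG output for speakers exposed outside private LAN space.

Added example, not the article's or the vendors' code. The speaker ports
and the sample scan lines below are constructed assumptions.
"""
import ipaddress
import re
import socket

# Port -> vendor hint. Both ports are assumptions, not stated in the article.
SPEAKER_PORTS = {1400: "Sonos", 8090: "Bose SoundTouch"}

# Address space where these speakers are meant to live (Sonos: "secured
# internal network"). Anything outside it with the port open is the
# misconfiguration the article describes.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local
]

# Constructed sample of `nmap -oG` lines using documentation addresses;
# not real scan results.
SAMPLE_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 1400/open/tcp//upnp///, 80/closed/tcp//http///
Host: 192.168.1.50 ()\tPorts: 1400/open/tcp//upnp///
Host: 198.51.100.7 ()\tPorts: 8090/open/tcp//unknown///, 22/filtered/tcp//ssh///
Host: 203.0.113.11 ()\tPorts: 1400/closed/tcp//upnp///
"""

HOST_RE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*)$")


def parse_grepable(text):
    """Yield (ip, {port: state}) for each Host line of nmap -oG output."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, ports_field = m.groups()
        ports = {}
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(parts) >= 2 and parts[0].isdigit():
                ports[int(parts[0])] = parts[1]
        yield ip, ports


def on_lan(ip):
    """True if the address falls inside the private/link-local ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def exposed_speakers(text):
    """Return [(ip, port, vendor)] for open speaker ports on non-LAN addresses."""
    hits = []
    for ip, ports in parse_grepable(text):
        if on_lan(ip):
            continue  # LAN-only is the intended deployment; nothing to flag
        for port, state in ports.items():
            if state == "open" and port in SPEAKER_PORTS:
                hits.append((ip, port, SPEAKER_PORTS[port]))
    return hits


def probe(host, port, timeout=2.0):
    """Live check: True if a TCP connect to host:port succeeds.

    Run this against your own speaker's public address from outside your
    LAN; on a correctly configured network the connection should fail.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for ip, port, vendor in exposed_speakers(SAMPLE_SCAN):
        print(f"{ip}:{port} reachable outside the LAN ({vendor})")
```

The triage deliberately keys on RFC 1918 membership rather than Python's `is_private`, because the latter also treats the documentation ranges used in the sample as private and would hide the two constructed hits.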
Trend Micro also warned that the same access could be used to play audio that triggers nearby voice assistants such as Amazon Echo and Google Home, and through them control other smart home features such as smart locks, thermostats or lighting.
Attackers could also harvest information such as the speaker's IP address and the identifiers of other devices on the network, which could be used to select exploits or to craft targeted spear-phishing attacks that gather further details.
"If an attacker finds out what type of music or even an artist the user liked, it may provide an avenue for an attack. For example, the attacker could craft a spear-phishing email leveraging social engineering, or promising tickets to an upcoming gig of the target's favorite artist," Trend Micro said.
Given how elaborate such attacks would be, the researchers consider them unlikely, which makes audio pranks the more probable scenario. One woman reported earlier this year that her Sonos speaker began loudly playing breaking glass, creaking door and crying baby sounds in the middle of the night.
"It was really loud!" the user going by the name "Chryssy" wrote in a Sonos community forum. "It's starting to freak me out and I don't know how to stop it."
Trend Micro has notified Sonos and Bose of its findings.
"We're looking into this more, but what you are referencing is a misconfiguration of a user's network that impacts a very small number of customers that may have exposed their device to a public network," Sonos said in an email to TechCrunch. "We do not recommend this type of set-up for our customers. In the near term, anyone concerned about this issue should ensure their Sonos system is set-up on their secured internal network."
Sonos has also issued a patch for the issue. Bose has yet to comment publicly.
"With the popularity of IoT devices growing every day, it is very important to be knowledgeable of the built-in security of these devices that ultimately could affect the owner and make them a target of an attack," Trend Micro said. "While these devices are never supposed to be exposed on the internet, we have shown that they can and will find their way directly on the internet."